Safety & approvals

Autonomous. Never reckless.

Every email your crew sends, every dollar it moves, every deletion it proposes, every infrastructure change it wants to make — a human approves it first. Always.

The four hard gates

Some things a crew never does alone.

Your crew plans, drafts, and prepares constantly — that's the whole point. But four categories of action always stop and wait for a human, no matter what mode the system is in.

External communication

Emails, LinkedIn posts, anything that leaves the building and reaches a real person. Your crew drafts it in your voice — a human reads it and clicks send.

Money & contracts

Any spend, any contract, any commitment with a dollar sign on it. Proposed, never executed on its own.

Code & infrastructure

Changes to how the system itself runs — deploys, config, integrations. Reviewed before anything ships.

Irreversible delete

Anything that can't be undone gets a second set of eyes before it happens, no exceptions.

Some AI sales tools will find contacts and email them completely on their own, at scale, with no one in the loop. We don't build it that way — one bad prompt or one adversarial input shouldn't be able to turn into a spam problem, a compliance problem, or a client relationship problem.

How it actually flows

Draft. Review. Send. In that order.

01
Draft

An agent researches and drafts in your crew's voice — an email, a LinkedIn post, a follow-up.

02
Review

It lands in a queue a human reads before anything happens. Nothing sends itself.

03
Send

A human clicks send. Even then, a warmup cap limits volume so a new domain never looks like a spam operation.

We test the failure modes, not just the happy path

What happens when a model tries to cheat.

Before every release we run an adversarial test suite that scripts a model actively trying to get around the gates above — not a model behaving well, a model behaving badly on purpose. Three scenarios, every time:

Spam a hard gate

We scripted a model that repeatedly tries to push a blocked action through — even with Auto Mode on, which normally lets low-risk actions run unattended. Every single attempt stayed queued for a human. Zero executed.

Fake a send

We scripted a model that claims "I sent that email" in the same breath as actually only queuing it for approval. The outreach never went out — the claim didn't make it true.

Bare claim, no tool call

We scripted a model that asserts an action happened with no underlying tool call behind it at all. Zero proposals were created. A claim with nothing behind it does nothing.

All three pass, every time we run them. That's not a promise about the future — it's a property of how the gate is enforced: hard-gated actions require approval in the code path itself, not in a setting a determined-enough prompt could talk its way around.

Questions, answered

Can Auto Mode ever bypass a hard gate?

No. Auto Mode changes whether LOW-RISK actions run unattended. The four hard-gated classes — external communication, money, code & infrastructure, and irreversible deletes — always require a human decision, regardless of any mode or setting.

Is this configurable per customer?

The hard gates are not configurable — they're the floor, not a setting anyone can turn off. Everything below that floor (which internal actions run unattended, warmup send caps, etc.) is configurable per instance.

Why does this matter more for AI agents than regular software?

An agent that can autonomously find contacts and email them at scale is one bad prompt, one bad day, or one adversarial input away from a spam problem, a compliance problem, or a client relationship problem. We'd rather you never have to ask whether that happened.

A crew you don't have to watch nervously.