What You Are Building

You are building the part of an autonomous agent that decides, on its own, when it is no longer fit to act, and then hands the decision to a human instead of guessing or crashing.

This is the problem behind the search query. You have an agent that calls tools, commits transactions, sends messages, or changes external state. Most of the time it is fine. The danger is the narrow band where conditions have quietly degraded: a required capability turned out to be missing, information is incomplete, a deadline is squeezing the margin for error, or the agent simply has no plan that reaches a good outcome. In that band you want the agent to stop itself and escalate, cleanly, to a person.

Who needs this: anyone shipping an agent with real side effects. A support agent that can issue refunds. A DevOps agent that can push config. A financial or clinical assistant. The blast radius of a wrong action is what makes escalation architecture worth building rather than bolting on.

The approach here is drawn from the Confidence Governance inventive step disclosed in United States Patent Application 19/647,395. You implement it yourself; there is no package to install.

Why the Obvious Approaches Fall Short

The usual ways of adding a human to the loop each leave a structural gap.

Confirmation prompts on named tools. You mark certain actions "requires approval" and pop a confirmation. This is real and useful, but it is a static list decided at design time. It fires on the tools you predicted are dangerous, and it stays silent when a normally safe action becomes dangerous because conditions changed mid-task. The decision to involve a human is made once, up front, and assumed thereafter.

Try/catch and retry with a fallback to human. Runtime environments that offer pause and resume, and most error-handling patterns, react to something that already went wrong: an exception, a resource exhaustion, an operator command. That is recovery after damage, not prevention before it. By the time the exception fires, the irreversible action may already be committed.

A confidence score in the prompt or a post-hoc filter. Asking the model to rate its own confidence, or filtering outputs after generation, produces an advisory number the agent can talk itself past. If confidence is just a value the reasoning loop reads, urgency or a persuasive intermediate step can override it. There is no hard gate.

The common gap: in each case the agent's permission to act is either evaluated once, evaluated too late, or merely advisory. None of them treats "am I still fit to execute this, right now" as a continuously recomputed, non-overridable precondition for action, with a defined destination when the answer is no.

The Architecture

The disclosed architecture treats execution as a revocable permission rather than a default state. Execution is not what the agent does unless interrupted; it is a conditional privilege the agent must continuously earn. The mechanism that grants and revokes it is a confidence governor.

A hard gate, not advice. The confidence governor is described as a structural subsystem that continuously evaluates whether the conditions for execution remain satisfied and withdraws authorization when they do not. It is explicitly not an advisory module, a dashboard, or a soft constraint the agent can override through urgency, affective escalation, or reinterpreting policy. When it withdraws authorization, execution ceases, and no alternative pathway to execution bypasses the gate. In the disclosure this is enforced by structurally decoupling the execution subsystem's output pathway, so the execution subsystem cannot produce effects regardless of its internal state, rather than by setting a flag the subsystem may choose to honor.

Confidence is a computed state variable. Confidence here is not a heuristic score or a model self-report. It is a continuously computed scalar, spanning complete assessed insufficiency to complete assessed sufficiency, produced by a deterministic evaluation function over structured inputs. The disclosed inputs include, on the agent side: capability sufficiency (the agent's capabilities versus the task's requirements), resource availability, internal integrity state, affective modulation state, and memory of prior similar tasks; and on the task side: the task's requirements specification, temporal constraints, uncertainty magnitude, and forecasted execution cost. Crucially, the disclosure keeps this confidence field distinct from the agent's intent (what it wants to do) and from its planning outputs (what it could do). An eager agent does not thereby become an authorized one.

Trajectory, not just level. The evaluation function emits both a confidence value and a rate of change. The governor performs differential rate analysis, comparing the decay rate against the recovery rate, and projects a time-to-threshold. If confidence is falling fast enough that it will cross the authorization threshold before an orderly suspension can complete, the governor suspends preemptively, even while the absolute value is still above threshold. This is what stops the pathological case of an agent committing an irreversible action during a period of collapsing confidence.

Three authorization states. Gating operates in one of three states. Authorized: value above threshold, no alarm conditions, execution permitted. Suspended: value below threshold or a trajectory alarm fired; execution prohibited but cognition continues. Locked: a severe integrity violation, catastrophic resource failure, or governance-mandated halt; both execution and certain cognitive processes are restricted pending external review, and the agent cannot leave this state on its own. This is the sharpest handoff point: locked-state recovery requires external authorization.

The non-executing cognitive mode is where the handoff happens. The disclosure enforces a structural separation between the execution subsystem and the cognitive subsystems, so suspension of execution is not suspension of thought. A suspended agent keeps forecasting, planning, and self-assessing. In this non-executing cognitive mode it runs three activities relevant to escalation: speculative evaluation (constructing plans to recover authorization), inquiry generation, and delegation evaluation. Inquiry generation is explicitly described as formulating information requests that may be directed to external sources including human supervisors. Condition monitoring within the inquiry mode decides whether to wait for transient conditions to clear or to take a more active response such as escalating to a human supervisor.

Task class shapes the handoff. The governor classifies the interrupted task before choosing how to pause. Terminal tasks (irreversible, costly to partially execute) get state preservation: the agent halts at the earliest safe point and writes a durable, governance-tagged checkpoint of uncommitted results, locks, and context, rather than improvising. Exploratory tasks get redirected toward broader search. Generative tasks drop to lower-commitment prototyping. This is why the escalation to a human is clean: for the dangerous class, the agent has already frozen safe partial progress that a person can inspect and resume.

An explicit agency taxonomy for the human's role. Separately, the disclosure defines four agency levels per objective. Fully autonomous: generate, evaluate, and commit without external confirmation. Guided: generate and evaluate a candidate but present it to the human operator or supervising agent and receive explicit confirmation before committing. Constrained: suggest and analyze only, no executable mutations. Observer: monitor and record, take no action until the level is elevated by external authorization. This taxonomy is the vocabulary of the handoff: an escalation is, in effect, a move to a lower agency level pending a human's decision.

Recovery is deliberate. Returning from suspended to authorized requires the confidence value to exceed the threshold by a configurable hysteresis margin, held throughout a verification period, so the agent does not flap across the threshold. The disclosure ties larger hysteresis margins to longer suspensions. For a terminal task, recovery restores from the checkpoint.

How to Approach the Build

These steps translate the architecture into an implementation order. The interface sketches below are illustrative and faithful to the disclosure; they are not a library.

  1. Decouple your action pathway from your reasoning loop. Before anything else, route every externally observable effect (tool calls, writes, sends) through a single execution gate that a separate governor can hard-disable. If your reasoning code can still call a tool when the gate is off, you have built an advisory flag, not the disclosed gate. The whole approach depends on the execution pathway being structurally unable to emit effects when suspended.

  2. Define confidence as a computed field, not a prompt output. Write an evaluation function over structured inputs you actually have. Start with the ones you can measure: capability sufficiency (does the task need a tool, scope, or datum the agent lacks), resource/budget availability, task uncertainty, temporal pressure, and forecasted cost. Emit two numbers.

    # illustrative, not a package
    ConfidenceResult = { value: float, rate_of_change: float }
    
    def evaluate_confidence(agent_state, task_state) -> ConfidenceResult:
        # deterministic function over structured inputs;
        # NOT a model self-rating
        ...
    
  3. Make the governor a hard gate with three states. Recompute on a cadence (per step and on adverse events). Implement authorized / suspended / locked and the transition rules. Reserve locked for cases where continued autonomous cognition could itself cause harm; make locked recoverable only by an external actor.

  4. Add trajectory-based preemption. Compare decay against recovery and project time-to-threshold. Suspend preemptively when projected time-to-threshold is shorter than the time your agent needs to stop cleanly. Pick a safety margin per task class.

  5. Classify the task before you pause. Tag each action as terminal, exploratory, or generative (default unknowns to terminal, the most conservative). For terminal actions, implement the checkpoint: capture uncommitted results, held locks, and context in durable, auditable storage at the safe halt point.

  6. Build the non-executing cognitive mode as an active state. On suspension, do not just block and wait. Run inquiry generation that produces a concrete, structured escalation payload for the human: what dropped confidence, which inputs are deficient, the checkpointed state, and the specific decision or information you need. This is your handoff artifact.

  7. Wire the human in through the agency levels. Model the escalation as a drop to guided (human confirms the pending candidate) or observer (human takes over) for that objective. Do not let the agent re-elevate its own agency level; elevation is external authorization by design.

  8. Implement recovery with hysteresis. Require confidence to hold above threshold plus a margin for a verification period before resuming. For terminal tasks, resume from the checkpoint so no partial progress is lost or double-applied.

  9. Log every confidence mutation to an audit trail. The disclosure records each confidence change in the agent's lineage, which lets you later verify that no execution occurred while confidence was below threshold, and gives an operator the trajectory that explains why the agent escalated.

What This Does Not Give You

This is an architecture, not a drop-in library, and not a runnable SDK. There is nothing here to npm install. You write the evaluation function, the gate, the classifier, and the human-facing escalation surface yourself, against your own agent runtime.

It has not been benchmarked or productized here, and no performance, latency, or safety numbers are claimed; the disclosure describes the mechanism, not measured results. Do not present it to your stakeholders as proven.

The hard part it does not do for you is picking the actual inputs and thresholds. The quality of the gate is only as good as your confidence evaluation function and the authorization threshold you set. A poorly calibrated function will either escalate constantly (crying wolf) or too rarely (the failure you were trying to prevent). The architecture gives you the structure for a trustworthy gate; the calibration is domain work you own.

It also does not fit every agent. If your agent has no irreversible side effects, or a human is already confirming every action, the machinery is overhead. The value scales with blast radius. And it presumes you can genuinely decouple execution from cognition in your runtime; if you cannot enforce that separation, you will have a soft constraint, which is the thing this approach exists to avoid.

Disclosure Scope

The approach described in this guide is disclosed in United States Patent Application 19/647,395. This guide is educational: it explains an architecture so that a developer can understand and build it themselves. It is not a warranty, not a specification you are entitled to rely on, and not an offer of software, a library, or an implementation. Every mechanism described above traces to the filed disclosure; where the disclosure is silent, this guide makes no claim.