Approval Center

Overview

The Approval Center is the human authorization gateway within Gao Workspace.

It ensures that high-risk operations initiated by AI agents or automated workflows require explicit human authorization before execution proceeds.

The Approval Center is a core component of the Gao AI OS policy enforcement model. It acts as the boundary between automated execution and human governance, preserving organizational control over consequential actions.

Workspace principle: Agents cannot perform high-risk actions autonomously. Human authority is preserved at all times.


Role in the Execution Model

Within the Gao AI OS execution pipeline, the Approval Center sits between the Policy Gate and final execution.

User Request
↓
Planner
↓
Policy Gate
↓
┌─────────────────────────┐
│  Require Approval?      │
│  YES → Approval Center  │
│  NO  → Execution        │
└─────────────────────────┘
↓
Human Decision
↓
Execution (if approved)
↓
Audit Record

The Approval Center does not execute actions. It captures authorization decisions and passes them back to GAR for final execution.


When Approval Is Required

The Policy Gate may route an action to the Approval Center based on risk tier classification.

Actions that may require approval

Financial operations

  • Payment intents above configured thresholds

  • Budget overrides

  • New payment connector authorization

Infrastructure operations

  • Application deployment

  • DePIN node configuration changes

  • Network routing changes

Identity and authority operations

  • Domain authority delegation

  • Agent capability expansion

  • New connector authorization

Data operations

  • Bulk data export

  • External data sharing

  • Sensitive knowledge object access

Automation operations

  • High-frequency automation activation

  • Cross-domain workflow triggers

  • Irreversible batch operations

Approval requirements are configured through policy profiles in the Admin module. Thresholds and scope are defined by workspace administrators.


Approval Request Lifecycle

Each approval request follows a defined lifecycle.

Action Initiated
↓
Policy Gate Evaluation
↓
Approval Request Created
↓
Notification Sent to Approver(s)
↓
Approver Reviews Request
↓
Decision: Approve / Reject / Defer
↓
Decision Recorded
↓
GAR Executes (if approved) or Blocks (if rejected)
↓
Audit Event Created

Lifecycle states

| State     | Description                              |
|-----------|------------------------------------------|
| pending   | Awaiting approver action                 |
| approved  | Authorized, execution may proceed        |
| rejected  | Denied, execution blocked                |
| deferred  | Held for later review                    |
| expired   | Approval window elapsed without decision |
| cancelled | Revoked by the requesting agent or user  |


Approval Request Structure

Each approval request contains the following information for the approver.

| Field            | Description                                     |
|------------------|-------------------------------------------------|
| request_id       | Unique identifier                               |
| requesting_agent | Agent or workflow that initiated the action     |
| action_type      | Category of the requested operation             |
| action_detail    | Structured description of the specific action   |
| risk_tier        | Risk classification assigned by the Policy Gate |
| domain           | Owning Gao Domain                               |
| timestamp        | Time of request creation                        |
| expiry           | Time at which the request expires               |
| context          | Relevant execution context for the approver     |

Approvers receive sufficient context to make an informed decision without needing to query external systems.


Approver Roles

Approval authority is governed by role assignment within the workspace.

| Role          | Approval Scope                          |
|---------------|-----------------------------------------|
| Administrator | All action types                        |
| Operator      | Execution and automation approvals      |
| Developer     | Infrastructure and deployment approvals |
| Domain Owner  | Domain authority approvals              |

Approver roles are configured through the Admin module.

Multi-approver workflows may be configured for high-risk action categories, requiring agreement from more than one approver before execution proceeds.
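The role scopes and multi-approver rule above can be checked as follows. This is an added example, not Gao's own code: the category keys, `quorum_state`, the default quorum of two and the rule that one in-scope rejection blocks are assumptions made for illustration.

```python
# Role names come from the table above; the category keys they map to are assumed.
ROLE_SCOPE = {
    "Administrator": {"*"},
    "Operator": {"execution", "automation"},
    "Developer": {"infrastructure", "deployment"},
    "Domain Owner": {"domain_authority"},
}

def in_scope(role, category):
    scope = ROLE_SCOPE.get(role, set())        # unknown or missing role: no authority
    return "*" in scope or category in scope

def quorum_state(category, votes, roles, required=2):
    """votes: (approver_identity, decision) pairs in arrival order.
    roles: approver_identity -> role. Returns 'approved', 'rejected' or 'pending'."""
    approvers = set()
    for identity, decision in votes:
        if not in_scope(roles.get(identity), category):
            continue                           # out-of-scope vote carries no weight
        if decision == "rejected":
            return "rejected"                  # assumption: one in-scope rejection blocks
        if decision == "approved":
            approvers.add(identity)            # set: repeat approvals count once
    return "approved" if len(approvers) >= required else "pending"

# Constructed sample identities.
ROLES = {
    "alice.example": "Administrator",
    "bob.example": "Developer",
    "carol.example": "Operator",
}

def demo():
    votes = [("bob.example", "approved"), ("bob.example", "approved"),
             ("carol.example", "approved")]
    # bob counts once and carol's role does not cover deployments
    return quorum_state("deployment", votes, ROLES)
```

Counting distinct identities rather than votes is what keeps a single approver from satisfying a two-person requirement by approving twice.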


Policy Integration

The Approval Center operates as an enforcement output of the Policy Gate.

Policy profiles define:

  • which action categories require approval

  • approval thresholds (e.g. payment amount)

  • approver role requirements

  • expiry windows

  • escalation rules

Policy profiles are created and managed in the Admin module.

Workspace administrators may configure:

  • Always approve — certain action categories always require manual authorization regardless of other conditions

  • Threshold-based — approval required above a defined quantity or frequency

  • Context-based — approval required based on connector, domain, or environment scope


Audit and Trace

Every approval event produces an audit record.

Audit records include:

  • request details

  • approver identity

  • decision

  • decision timestamp

  • resulting execution trace

Audit records are:

  • immutable

  • domain-bound

  • accessible through the Admin module

Approval audit records support compliance, governance reporting, and operational transparency.


Notifications

When an approval request is created, the Approval Center notifies designated approvers.

Notification channels may include:

  • Workspace inbox

  • Meshii messaging

  • Email connector

  • External webhook

Notification configuration is managed through the Admin module.


Safe Mode

Workspace supports a Safe Mode configuration that routes all agent actions through the Approval Center regardless of risk tier.

Safe Mode may be activated by:

  • workspace administrators

  • domain owners

  • users for their own agent configurations

Safe Mode ensures zero autonomous execution during sensitive operational periods.
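The routing rules from Policy Integration (always, threshold-based, context-based) combined with Safe Mode, as an added example that is not Gao's own code. `PolicyProfile`, `route`, the action-type strings and the `amount` key are hypothetical, and sending unclassified action types to approval is an assumption the page does not state.

```python
from dataclasses import dataclass, field

@dataclass
class PolicyProfile:  # hypothetical shape, not the Admin module's schema
    known: set = field(default_factory=set)         # action types the profile classifies
    always: set = field(default_factory=set)        # "Always approve" categories
    thresholds: dict = field(default_factory=dict)  # action_type -> highest autonomous amount
    scoped: set = field(default_factory=set)        # (key, value) context pairs needing approval

def route(action, profile, safe_mode=False):
    """Return (destination, reason); destination is 'approval_center' or 'execution'."""
    kind = action.get("action_type")
    if safe_mode:                                   # Safe Mode: every agent action is held
        return "approval_center", "safe_mode"
    if kind not in profile.known:                   # assumption: unclassified actions fail closed
        return "approval_center", "unclassified_action"
    if kind in profile.always:
        return "approval_center", "always"
    if kind in profile.thresholds:
        amount = action.get("amount")
        # Missing, non-numeric or NaN amounts must not slip under the threshold.
        if not isinstance(amount, (int, float)) or not amount <= profile.thresholds[kind]:
            return "approval_center", "threshold"
    for key in ("connector", "domain", "environment"):
        if (key, action.get(key)) in profile.scoped:
            return "approval_center", f"context:{key}"
    return "execution", "within_policy"

# Constructed sample profile and actions.
SAMPLE = PolicyProfile(
    known={"payment_intent", "bulk_data_export", "application_deployment"},
    always={"bulk_data_export"},
    thresholds={"payment_intent": 500},
    scoped={("environment", "production")},
)

def demo():
    actions = [
        {"action_type": "payment_intent", "amount": 120},
        {"action_type": "payment_intent", "amount": "120"},   # string, not a number
        {"action_type": "application_deployment", "environment": "production"},
        {"action_type": "network_routing_change"},            # not classified in SAMPLE
    ]
    return [route(a, SAMPLE) for a in actions]
```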


Security Guarantees

The Approval Center provides the following guarantees:

No execution without decision: GAR will not execute a pending-approval action until an explicit approve or reject decision is recorded.

Expiry enforcement: Approval requests that reach their expiry window without a decision are automatically rejected and logged.

Immutable decision record: Approval decisions cannot be modified after being recorded.

Identity-bound authority: All approval decisions are linked to the Gao Domain identity of the approver.

Audit completeness: Every approval event, including expired and cancelled requests, produces an audit record.
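A minimal model of the lifecycle states and the guarantees listed above, as an added example that is not Gao's implementation. `ApprovalLedger` and its methods are hypothetical, the in-memory list stands in for the audit system, and treating a deferred request as still able to expire is an assumption.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FINAL = {"approved", "rejected", "expired", "cancelled"}  # no transitions out

@dataclass
class ApprovalRequest:  # field names follow the request structure table
    request_id: str
    requesting_agent: str
    action_type: str
    expiry: datetime
    state: str = "pending"
    approver: str = ""

class ApprovalLedger:
    """Hypothetical in-memory model: every state change appends one audit row."""
    def __init__(self):
        self.audit = []

    def _log(self, req, event, actor, now):
        self.audit.append((now.isoformat(), req.request_id, event, actor))

    def _expire_if_due(self, req, now):
        # Assumption: a deferred request is still undecided, so it can expire.
        if req.state in ("pending", "deferred") and now >= req.expiry:
            req.state = "expired"
            self._log(req, "expired", "system", now)

    def decide(self, req, decision, approver, now):
        self._expire_if_due(req, now)
        if req.state in FINAL:
            raise PermissionError(f"{req.request_id} is {req.state}; record is final")
        if decision not in ("approved", "rejected", "deferred") or not approver:
            raise ValueError("need a known decision and an approver identity")
        req.state, req.approver = decision, approver
        self._log(req, decision, approver, now)

    def may_execute(self, req, now):
        """Runtime-side check: only a recorded approval releases execution."""
        self._expire_if_due(req, now)
        return req.state == "approved"

def demo():  # constructed sample data
    t0 = datetime(2026, 3, 8, 12, 0, tzinfo=timezone.utc)
    ledger = ApprovalLedger()
    req = ApprovalRequest("req-001", "agent:billing-bot", "payment_intent", t0 + timedelta(hours=1))
    ledger.decide(req, "approved", "alice.example", t0 + timedelta(minutes=5))
    return ledger.may_execute(req, t0 + timedelta(minutes=6)), ledger.audit
```

Expiry is evaluated inside both `decide` and `may_execute`, so a late approval cannot race the timer and a stale pending request cannot be released by the runtime.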


Integration Points

The Approval Center integrates with:

| System        | Integration                                     |
|---------------|-------------------------------------------------|
| Policy Gate   | Receives approval-required routing decisions    |
| GAR Runtime   | Releases or blocks execution based on decisions |
| Admin         | Policy configuration and role management        |
| Audit System  | Produces immutable decision records             |
| Messaging     | Delivers approver notifications                 |
| Billing       | Flags financial operation approvals             |
| Agent Builder | Defines per-agent approval requirements         |


Summary

The Approval Center ensures that consequential AI agent operations remain under human governance.

By acting as the mandatory checkpoint between automated systems and high-risk execution, it preserves organizational authority while allowing AI agents to operate efficiently within defined boundaries.

All approval decisions are auditable, identity-bound, and enforced at the runtime level by the Gao AI OS Policy Gate.


Gao Workspace — Approval Center | GW-AC/1.0 | 2026-03-08 | Public – Functional Documentation