Guardrails & sensitive actions
The Safety page (titled AI Governance) is the workspace floor — the default policy every agent inherits unless it's pinned in its own Permissions tab. It's enforced server-side on every action, and its blocks can never be loosened downstream.
Open it from the sidebar under Permissions & Governance. The page opens with the promise it keeps: "these defaults apply to every agent unless pinned in its Permissions tab, and they're enforced server-side on every action. Block never loosens."
This is the base of the three-plane cascade: Workspace floor → Agent mode → Tool pin. Everything here is the floor. An agent can be made stricter than the floor, never looser. Changes hot-sync to running agents within a minute.
Global AI Independence (presets)#
At the top, three one-click presets set the whole policy bundle at once. Picking one writes the approval rules and sensitive-action policies below and changes how every agent behaves:
| Preset | Philosophy | Highlights |
|---|---|---|
| Strict | Ask before every external action | Every outgoing message needs approval; CRM changes gated; payments blocked; deletions and user changes need approval |
| Balanced (default) | Act on routine, ask on risk | New contacts and new tools ask once then run; destructive ops and exports need approval; payments and reset links blocked |
| Autonomous | Act unless genuinely dangerous | Routine messages and CRM updates run automatically; new tools/contacts run without asking; password-reset links stay blocked — always |
Fine-tune anything after choosing a preset and the level becomes Custom (shown as a badge) — you're no longer on a named preset, you're on your own tuned policy.
Even the Autonomous preset keeps a safety floor: security links stay blocked, and payments stay gated. The presets are curated so "maximum independence" never means "no brakes."
The four tabs#
Below the presets, four tabs expose the policy in detail.
1. Approval Rules#
Toggle "Require approval when:" — gated actions land in your Approvals feed and run automatically once approved.
| Rule | Asks before… |
|---|---|
| Messaging someone new | Messaging a never-seen recipient — asked once, then remembered |
| Any external message | Every outgoing message (strictest setting) |
| Changing CRM / customer data | Creating or updating CRM records |
| First use of a new tool | The first action on a newly connected tool — asked once per tool |
2. Sensitive Actions#
This is the heart of the floor: six high-risk categories, each set to Allow, Require Approval, or Block. Allow lets it run, Require Approval gates it behind your review, and Block physically refuses the action.
| Category | Covers |
|---|---|
| Payments & financial actions | Transfers, charges, refunds |
| Destructive operations | Deleting records, channels, or files |
| Data export | Bulk exports of workspace or customer data |
| User management | Inviting, removing, or changing member roles |
| External messaging | Outbound email, chat, and DMs |
| Security links | Outgoing messages containing password-reset links |
These six categories are exactly what an agent's supervision mode reads. Balanced applies them as-is; Autonomous acts on the "approval" ones without asking but still honors "block"; Strict gates every write regardless. See Supervision & modes.
3. Learning Behavior#
Control how your workforce improves over time:
| Toggle | Effect |
|---|---|
| Learn from my decisions | Agents remember your approve/reject patterns |
| Learn tool skills automatically | Agents teach themselves how to use connected tools |
| Remember chat guidance | Substantive chat replies become durable memory |
| Adapt its own schedule | Agents may change their timing — every change is approval-gated |
See Memory & learning for how this feeds each agent's Knowledge.
4. Automatic Safeguards#
Circuit breakers that pause an agent when something looks wrong. An auto-pause stops the agent, drops a high-priority card in your Inbox, and pings you — the agent's Start button un-pauses it.
- Pause after consecutive failures — set a threshold (2–20 failures) to stop a failure loop before it burns the queue.
- Pause on unusual activity spike — set a ceiling (10–500 tasks/hour) as a circuit-breaker for runaway loops.
- Alert when an agent stalls — notifies you when work stops moving.
- Auto-merge duplicate work — collapses duplicate tasks before they run twice.
Two protections are always on and can't be toggled off: agents never react to their own messages, and audit logging is always enabled.
Who can change it#
Editing guardrails requires an Owner or Admin role. Everyone else sees the page View only with a note to ask an owner or admin. Because policy editing is itself a governance permission, Operators live inside these rules but can't rewrite them. See Team & roles.
Changes save instantly (a Saved flash confirms), apply to every agent within a minute, and are optimistic — if a save fails, the setting reverts to server truth. Another admin editing the floor, or an agent-pin cascade, updates this page live.
What happens to blocked and gated attempts#
Blocked and gated attempts don't vanish — they appear in the agent's activity with a human-readable reason, and gated ones become cards in your Approvals queue. Every decision is recorded with provenance in the Audit log.
What's next#
- The three planes — how this floor combines with agent modes and tool pins.
- Supervision & modes — pin an individual agent stricter than the floor.
- Approvals — resolve the actions the floor gates.

