Internet-Draft                                                     anima
Intended status: Standards Track                              March 2026
Expires: 5 September 2026


         Human-in-the-Loop (HITL) Primitives for AI Agent Systems
         draft-agent-ecosystem-primitives-for-00

Abstract

   As AI agents become increasingly autonomous in network operations
   and other critical domains, the need for standardized human
   oversight mechanisms becomes paramount. This document defines a
   framework of Human-in-the-Loop (HITL) primitives that enable
   structured human intervention, approval, and oversight in AI agent
   decision-making processes. The framework provides three core
   primitives: approval workflows that require explicit human consent
   before action execution, override mechanisms that allow humans to
   modify or halt agent decisions, and explainability interfaces that
   provide transparency into agent reasoning. These primitives are
   designed to be protocol-agnostic and can be integrated with
   existing agent architectures to ensure human control over
   autonomous systems. The specification addresses the critical gap
   between fully autonomous AI operation and human accountability
   requirements, particularly in regulated environments where human
   oversight is mandatory. By standardizing these HITL mechanisms,
   organizations can deploy AI agents with appropriate human
   safeguards while maintaining operational efficiency and regulatory
   compliance.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.

   This document is intended to have Standards Track status.
   Distribution of this memo is unlimited.


Table of Contents

   1.  Introduction
   2.  Terminology
   3.  Problem Statement
   4.  HITL Primitive Framework
   5.  Approval Workflow Primitives
   6.  Override and Intervention Primitives
   7.  Explainability and Transparency Primitives
   8.  Integration with Agent Architectures
   9.  Security Considerations
   10. IANA Considerations
   11. References

1.  Introduction

   The rapid advancement and deployment of AI agents in critical
   network operations and infrastructure management has created an
   urgent need for standardized human oversight mechanisms. As
   documented in [draft-cui-nmrg-llm-nm] and
   [draft-irtf-nmrg-llm-nm], AI agents are increasingly being deployed
   for network
   management tasks that were traditionally performed by human
   operators. However, the current landscape of AI agent systems
   lacks consistent and interoperable Human-in-the-Loop (HITL)
   mechanisms, creating significant risks for organizations that
   require human accountability and oversight in their autonomous
   systems.

   Current AI agent deployments typically implement ad-hoc or
   proprietary mechanisms for human oversight, if any oversight
   mechanisms exist at all. This inconsistency creates several
   critical problems: organizations cannot easily integrate HITL
   capabilities across different agent systems, human operators lack
   standardized interfaces for agent oversight, and regulatory
   compliance becomes difficult to achieve and demonstrate. The
   absence of standardized HITL primitives means that each agent
   implementation must create its own oversight mechanisms, leading
   to fragmented approaches that cannot interoperate and may have
   significant security or reliability gaps.

   The risks of uncontrolled autonomous operation are particularly
   acute in regulated environments such as financial services,
   healthcare, and critical infrastructure, where human oversight is
   often legally mandated. When AI agents operate without appropriate
   human safeguards, organizations face potential regulatory
   violations, liability issues, and operational failures that could
   have been prevented through proper human oversight. Furthermore,
   the lack of standardized explainability interfaces means that
   human operators often cannot understand or validate agent
   decisions, undermining the effectiveness of any oversight
   mechanisms that do exist.

   This document addresses these challenges by defining a
   comprehensive framework of HITL primitives that can be integrated
   with existing agent architectures in a protocol-agnostic manner.
   The framework builds upon established patterns from OAuth 2.0
   [RFC6749] and JSON Web Tokens [RFC7519] to provide standardized
   mechanisms for approval workflows, override capabilities, and
   explainability interfaces. These primitives are designed to ensure
   that human oversight can be consistently implemented and enforced
   across different AI agent systems while maintaining the
   operational efficiency benefits of autonomous operation.

   The HITL primitive framework specified in this document enables
   organizations to deploy AI agents with appropriate human
   safeguards that meet regulatory requirements and organizational
   policies. By standardizing these mechanisms, the framework
   facilitates interoperability between different agent systems and
   provides a foundation for secure, accountable autonomous
   operations. The primitives are designed to be composable and
   configurable, allowing organizations to implement the level of
   human oversight appropriate for their specific use cases and risk
   tolerance.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
   and "OPTIONAL" in this document are to be interpreted as described
   in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in
   all capitals, as shown here.

   HITL Primitive refers to a standardized, composable mechanism that
   enables structured human oversight and intervention in AI agent
   decision-making processes. These primitives serve as the
   fundamental building blocks for implementing human control over
   autonomous systems and can be combined to create comprehensive
   oversight frameworks tailored to specific operational
   requirements.

   Approval Workflow defines a structured process that requires
   explicit human consent before an agent action is executed. As
   described in [draft-cui-nmrg-llm-nm] and [draft-irtf-nmrg-llm-nm],
   these workflows enforce human control over automated actions by
   creating mandatory checkpoints where agent decisions must receive
   human validation. Approval workflows include mechanisms for
   request formatting, response handling, timeout management, and
   escalation procedures.

   Override Mechanism encompasses capabilities that allow humans to
   modify, halt, or redirect agent decisions in real-time, both
   during the decision-making process and after initial action has
   begun. These mechanisms provide emergency intervention
   capabilities and enable humans to maintain ultimate control over
   agent behavior, even when agents are operating with significant
   autonomy.

   Explainability Interface represents a standardized method for
   agents to provide transparency into their reasoning and decision-
   making processes. These interfaces enable informed human oversight
   by presenting agent logic, data sources, confidence levels, and
   decision rationale in human-comprehensible formats. The
   explainability interface is essential for meaningful human
   participation in approval workflows and override decisions.

   Human Oversight denotes the structured involvement of human
   operators in monitoring, approving, or modifying AI agent actions.
   This encompasses both proactive oversight through approval
   workflows and reactive oversight through monitoring and
   intervention capabilities. Human oversight requirements may be
   specified through structured claims and validation patterns as
   referenced in authorization frameworks [RFC6749] [RFC7519].

   Decision Point identifies a specific moment in agent execution
   where human intervention may be required, beneficial, or
   optionally available. Decision points are defined based on action
   criticality, risk assessment, regulatory requirements, or
   organizational policy. Each decision point specifies the type of
   human involvement required and the mechanisms through which such
   involvement occurs.

   Intervention Trigger describes a condition, threshold, or event
   that automatically activates human-in-the-loop mechanisms.
   Triggers may be based on risk scores, confidence levels,
   environmental changes, error conditions, or explicit policy rules.
   When activated, intervention triggers initiate appropriate HITL
   primitives to ensure human involvement in agent decision-making
   processes.

3.  Problem Statement

   As AI agents become increasingly prevalent in critical network
   infrastructure and operational environments, they are often
   deployed with varying degrees of autonomy and inconsistent
   mechanisms for human oversight. Current agent implementations
   typically rely on ad-hoc or proprietary methods for human
   intervention, ranging from simple logging systems to custom
   approval interfaces that lack standardization across platforms and
   vendors. This fragmentation creates significant challenges for
   organizations attempting to maintain consistent oversight policies
   across heterogeneous agent deployments, particularly in regulated
   environments where human accountability is not merely preferred
   but legally mandated.

   The absence of standardized Human-in-the-Loop (HITL) mechanisms
   leads to several critical problems in autonomous agent deployment.
   Without consistent approval workflows, agents may execute high-
   impact actions without appropriate human review, potentially
   causing unintended consequences in production systems. The lack of
   standardized override mechanisms means that human operators cannot
   reliably intervene when agents begin executing problematic
   decisions, creating situations where autonomous systems continue
   operating beyond safe parameters. Furthermore, the absence of
   explainability interfaces prevents operators from understanding
   agent reasoning, making it impossible to provide informed
   oversight or learn from agent behavior patterns. These gaps are
   particularly problematic in network management contexts, as
   highlighted in [draft-cui-nmrg-llm-nm] and
   [draft-irtf-nmrg-llm-nm], where LLM-generated network decisions
   require structured human validation before execution.

   The consequences of uncontrolled autonomous operation extend
   beyond immediate operational risks to encompass regulatory
   compliance and accountability challenges. In many jurisdictions,
   regulations require that critical decisions affecting network
   infrastructure, user data, or service availability maintain clear
   chains of human responsibility. Current agent systems often
   operate as "black boxes" where the decision-making process is
   opaque to human oversight, making it difficult or impossible to
   demonstrate compliance with regulatory requirements. This opacity
   also hinders incident response and post-mortem analysis, as
   operators cannot determine why an agent made specific decisions or
   identify patterns that might prevent future issues.

   The need for human accountability in AI agent systems is further
   complicated by the temporal aspects of autonomous operation.
   Unlike traditional software systems that execute predetermined
   logic, AI agents make dynamic decisions based on environmental
   conditions and learned behaviors that may not be fully predictable
   at deployment time. This unpredictability necessitates real-time
   human oversight capabilities that can adapt to emerging
   situations. However, without standardized primitives for human
   intervention, organizations resort to crude mechanisms such as
   complete system shutdown or manual takeover, which eliminate the
   benefits of autonomous operation while failing to provide granular
   control over agent behavior.

   The lack of interoperability between different HITL
   implementations creates additional operational burden and security
   risks. Organizations deploying multiple agent systems must
   maintain separate oversight interfaces and procedures for each
   platform, increasing complexity and the likelihood of human error.
   This fragmentation also prevents the development of unified
   oversight dashboards and centralized approval workflows that could
   improve operational efficiency while maintaining appropriate human
   control. The security implications are equally concerning, as non-
   standardized override mechanisms may lack proper authentication,
   authorization, and audit capabilities, potentially enabling
   unauthorized intervention in autonomous systems.

4.  HITL Primitive Framework

   This document defines a framework of Human-in-the-Loop (HITL)
   primitives that provide standardized mechanisms for human
   oversight of AI agent systems. The framework establishes three
   core primitive categories that work together to ensure appropriate
   human control over autonomous operations while maintaining
   operational efficiency. These primitives are designed to be
   protocol-agnostic and can be integrated with existing agent
   architectures regardless of the underlying communication protocols
   or decision-making systems.

   The HITL primitive framework operates on the principle that human
   oversight requirements vary based on context, risk level, and
   regulatory constraints. Each primitive category addresses a
   specific aspect of human-agent interaction: approval workflows
   ensure human consent for critical actions, override mechanisms
   provide real-time intervention capabilities, and explainability
   interfaces enable informed human decision-making. The framework
   defines standardized interfaces and message formats that allow
   these primitives to be composed into comprehensive oversight
   systems tailored to specific operational requirements.

   +-----------------------+
   |  AI Agent Decision    |
   |       Loop            |
   +-----------+-----------+
               |
               v
   +-----------+-----------+
   |   Decision Point      |
   |    Evaluator          |
   +-----------+-----------+
          /    |    \
         /     |     \
        v      v      v
   +------+ +------+ +---------+
   |Appro-| |Over- | |Explain- |
   | val  | |ride  | |ability  |
   +--+---+ +--+---+ +----+----+
       |        |          |
       v        v          v
    +--+--------+------+ +-+------+
    |  Human Operator  | | Audit  |
    |  Interface       | |  Log   |
    +------------------+ +--------+

   Figure 1: HITL Primitive Framework Overview

   At the architectural level, HITL primitives integrate with agent
   systems through well-defined decision points where human
   intervention may be required. These decision points are identified
   during agent operation based on configurable triggers such as risk
   thresholds, regulatory requirements, or operational policies. When
   a decision point is reached, the appropriate HITL primitive is
   activated, temporarily suspending autonomous operation until human
   oversight is satisfied. This approach ensures that human oversight
   requirements, as referenced in [draft-cui-nmrg-llm-nm] for network
   management scenarios, can be consistently enforced across diverse
   agent deployments.

   The framework establishes a common message structure for all HITL
   primitives that includes essential metadata such as agent
   identity, decision context, timestamp, and urgency level. This
   standardized approach enables interoperability between different
   agent systems and human oversight tools while providing the
   flexibility to extend primitives for domain-specific requirements.
   The message structure follows JSON formatting conventions per
   [RFC8259] and incorporates security considerations including
   authentication tokens and integrity protection mechanisms as
   specified in [RFC7519] and [RFC8446].
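
   As a non-normative illustration, a common message envelope carrying
   the metadata described above might look as follows.  All field
   names and values are illustrative only and are not defined by this
   specification:

   ```json
   {
      "hitl_version": "1.0",
      "message_id": "msg-20260315-0042",
      "primitive": "approval",
      "agent_id": "agent.example.net/config-manager",
      "timestamp": "2026-03-15T10:24:00Z",
      "urgency": "high",
      "decision_context": {
         "action": "modify-routing-policy",
         "summary": "Withdraw route advertisements for prefix group A"
      },
      "auth_token": "eyJhbGciOiJFUzI1NiJ9.example.signature"
   }
   ```

   The "primitive" field allows a single envelope format to carry any
   of the three primitive categories, while "urgency" and "timestamp"
   support the timeout and escalation behaviors defined later in this
   document.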

   Implementation of HITL primitives MUST ensure that human oversight
   mechanisms cannot be bypassed or manipulated by agent systems. The
   framework requires that primitive activation be deterministic and
   based on verifiable conditions, preventing agents from selectively
   avoiding human oversight. Additionally, all HITL interactions MUST
   be logged with sufficient detail to support audit requirements and
   accountability frameworks. This logging requirement supports the
   human oversight validation patterns needed for authorization
   systems and ensures compliance with regulatory oversight mandates.

5.  Approval Workflow Primitives

   Approval workflow primitives provide standardized mechanisms for
   requiring explicit human consent before AI agents execute specific
   actions. These primitives establish a structured framework where
   agents identify decision points that require human oversight,
   format approval requests with sufficient context for human
   evaluation, and await explicit authorization before proceeding.
   The approval workflow primitive ensures that critical or high-risk
   agent actions cannot be executed without human validation,
   maintaining human authority over autonomous systems while
   preserving operational efficiency through selective intervention
   points.

   Agent       HITL Middleware     Human Operator
     |              |                   |
     |--action----->|                   |
     |  request     |--approval req---->|
     |              |  +context, risk   |
     |              |                   |
     |              |<---approve/deny---|
     |              |  +auth token      |
     |<--result-----|                   |
     |  proceed     |                   |
     |  or halt     |                   |
     |              |                   |
     |  [timeout]   |                   |
     |<--fallback---|                   |
     |              |                   |

    Figure 2: Approval Workflow Sequence

   The core approval request structure MUST include the proposed
   action description, associated risk assessment, relevant context
   for human evaluation, and expected execution timeline. Each
   approval request MUST be uniquely identified and include
   sufficient information for a human operator to make an informed
   decision. The request format SHOULD follow structured data
   conventions as defined in [RFC8259] to ensure consistent parsing
   and presentation across different human interface systems. Agents
   MUST provide clear rationale for why the action requires approval
   and include any relevant alternative options that humans may
   consider during the evaluation process.
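
   A non-normative sketch of an approval request carrying these
   elements is shown below; the field names are illustrative, not
   normative:

   ```json
   {
      "request_id": "req-20260315-0042",
      "agent_id": "agent.example.net/config-manager",
      "action": {
         "description": "Apply ACL update to edge routers",
         "expected_execution": "2026-03-15T11:00:00Z"
      },
      "risk_assessment": {
         "level": "medium",
         "factors": ["customer-facing", "reversible"]
      },
      "rationale": "Policy change exceeds autonomous-change threshold",
      "alternatives": [
         "Defer change to next maintenance window",
         "Apply to a single router as a canary"
      ]
   }
   ```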

   Human responses to approval requests MUST use standardized
   response codes that clearly indicate approval, denial, or
   modification instructions. Approved actions receive an explicit
   authorization token that agents MUST validate before execution,
   ensuring that only genuinely authorized actions proceed. Denied
   requests MUST include human feedback when possible to enable agent
   learning and improved future decision-making. The response format
   SHOULD accommodate conditional approvals where humans specify
   constraints or modifications to the proposed action while still
   granting execution authority.
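
   A corresponding non-normative response, including a conditional
   approval, might take the following illustrative form:

   ```json
   {
      "request_id": "req-20260315-0042",
      "response": "approve",
      "operator_id": "operator@example.net",
      "authorization_token": "eyJhbGciOiJFUzI1NiJ9.example.signature",
      "conditions": ["Apply only to routers in region-1"],
      "feedback": null
   }
   ```

   The "authorization_token" would be validated by the agent before
   execution, binding the approval decision to the authenticated human
   operator.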

   Timeout handling mechanisms are critical components of approval
   workflow primitives to prevent system deadlock when human
   operators are unavailable. Agents MUST implement configurable
   timeout periods appropriate to the urgency and criticality of the
   requested action, with default behavior clearly specified for
   timeout scenarios. When approval requests exceed timeout
   thresholds, agents SHOULD implement fallback strategies such as
   escalation to alternate human operators, execution of safe default
   actions, or graceful degradation of service. The timeout
   configuration SHOULD be contextually aware, allowing shorter
   timeouts for routine operations and longer timeouts for complex
   decisions requiring thorough human evaluation.
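
   The timeout and fallback behavior described above could be
   expressed as an externalized policy fragment; this sketch is
   illustrative only, and the category names and fallback keywords are
   hypothetical:

   ```json
   {
      "timeout_policy": {
         "routine": {"timeout_seconds": 300, "fallback": "safe-default"},
         "complex": {"timeout_seconds": 3600, "fallback": "escalate"},
         "escalation_chain": ["primary-oncall", "secondary-oncall"],
         "on_exhaustion": "halt"
      }
   }
   ```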

   Integration with authentication and authorization systems ensures
   that approval responses originate from authorized human operators
   with appropriate privileges for the requested action type. The
   approval workflow primitive SHOULD leverage existing identity
   frameworks such as those defined in [RFC6749] and [RFC7519] to
   validate human operator credentials and maintain audit trails of
   approval decisions. This integration enables fine-grained access
   control where different categories of actions require approval
   from operators with specific roles or clearance levels, supporting
   organizational hierarchy and responsibility structures within
   human-agent collaborative systems.

6.  Override and Intervention Primitives

   Override and intervention primitives provide real-time mechanisms
   that allow human operators to modify, halt, or redirect agent
   decisions during execution. These primitives are essential for
   maintaining human control over autonomous systems, particularly in
   situations where agent decisions may lead to undesirable outcomes
   or where dynamic conditions require human judgment. The override
   mechanisms MUST be designed to operate with minimal latency to
   ensure timely human intervention when required.

   The core override primitive consists of three fundamental
   operations: halt, modify, and redirect. The halt operation
   immediately stops agent execution and places the system in a safe
   state, while the modify operation allows humans to adjust specific
   parameters or constraints of the current agent decision. The
   redirect operation enables complete substitution of the agent's
   proposed action with a human-specified alternative. Each override
   operation MUST include authentication credentials as defined in
   [RFC6749] and SHOULD provide a reason code indicating the basis
   for intervention. Override requests MUST be processed
   synchronously when possible, with acknowledgment timeouts not
   exceeding implementation-defined thresholds.
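
   An override request combining these elements might be represented
   as follows; this is a non-normative sketch with illustrative field
   names and reason codes:

   ```json
   {
      "override_id": "ovr-20260315-0007",
      "operation": "halt",
      "target_agent": "agent.example.net/config-manager",
      "operator_credentials": "eyJhbGciOiJFUzI1NiJ9.example.signature",
      "reason_code": "UNEXPECTED-TRAFFIC-SHIFT",
      "issued_at": "2026-03-15T11:02:17Z"
   }
   ```

   The "operation" field would carry one of the three fundamental
   operations (halt, modify, redirect) named above.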

   Emergency stop procedures represent a specialized category of
   override primitives designed for critical situations requiring
   immediate agent termination. These procedures MUST bypass normal
   approval workflows and provide direct, low-latency mechanisms for
   halting agent operations. Emergency stops SHOULD be implemented
   through multiple redundant channels to ensure reliability, and
   MUST trigger immediate notification to designated human
   supervisors. The emergency stop primitive MUST include safeguards
   to prevent accidental activation while ensuring accessibility
   during genuine emergencies.

   Decision modification interfaces enable fine-grained human
   adjustment of agent decisions without complete override. These
   interfaces MUST provide structured formats for specifying
   modifications to agent parameters, constraints, or objectives
   using JSON [RFC8259] or equivalent structured data formats.
   Modification requests SHOULD include validation mechanisms to
   ensure proposed changes are within acceptable operational bounds.
   The agent MUST acknowledge modification requests and indicate
   whether the requested changes can be accommodated within current
   operational constraints.
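
   A non-normative example of a modification request targeting a
   pending agent decision is shown below; the structure and field
   names are illustrative:

   ```json
   {
      "modification_id": "mod-20260315-0003",
      "target_decision": "req-20260315-0042",
      "changes": {
         "parameters": {"rollout_scope": "region-1-only"},
         "constraints": {"max_affected_devices": 10}
      },
      "operator_id": "operator@example.net"
   }
   ```

   The agent's acknowledgment would indicate whether the requested
   "parameters" and "constraints" can be accommodated within its
   current operational bounds.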

   Real-time intervention capabilities require agents to expose
   decision points where human oversight can be effectively applied.
   Decision points MUST be clearly identified in agent execution
   flows, with appropriate pause mechanisms that allow human
   evaluation without timeout penalties. Agents SHOULD provide
   context information at each decision point, including current
   state, proposed actions, and confidence levels. The intervention
   interface MUST support both synchronous and asynchronous human
   responses, with clear timeout behaviors defined for each
   interaction mode.

   Integration with agent architectures requires override primitives
   to maintain compatibility with existing agent communication
   protocols while providing standardized intervention interfaces.
   Override mechanisms SHOULD be implemented as middleware components
   that can intercept agent communications without requiring
   modification to core agent logic. The primitive framework MUST
   support distributed scenarios where human operators may be remote
   from agent execution environments, utilizing secure communication
   channels as specified in [RFC8446] for all override operations.

7.  Explainability and Transparency Primitives

   This section defines standardized interfaces that enable AI agents
   to provide transparency into their reasoning and decision-making
   processes. Explainability primitives are essential for enabling
   informed human oversight, as humans cannot effectively supervise
   agent actions without understanding the underlying rationale.
   These interfaces MUST provide structured information about agent
   reasoning in formats that support human comprehension and
   decision-making.

   The core explainability primitive is the Reasoning Trace, which
   captures the agent's decision-making process in a structured
   format. A Reasoning Trace MUST include the following elements: the
   initial problem or goal statement, key inputs and data sources
   consulted, reasoning steps taken, alternative options considered,
   confidence levels for decisions, and any uncertainty or
   limitations acknowledged by the agent. This trace SHOULD be
   generated in JSON format [RFC8259] to ensure machine-readable
   structure while remaining human-interpretable. The trace MUST be
   available before any approval workflow is initiated, allowing
   humans to make informed decisions about proposed agent actions.
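
   As a non-normative illustration, a Reasoning Trace containing the
   required elements might be structured as follows (all identifiers
   and values are hypothetical):

   ```json
   {
      "trace_id": "trc-20260315-0042",
      "goal": "Restore latency SLO on backbone link lag-3",
      "inputs": [
         "telemetry:lag-3/utilization",
         "config:current-routing-policy"
      ],
      "reasoning_steps": [
         "Utilization on lag-3 exceeded 90% for 15 minutes",
         "Rerouting bulk traffic to lag-7 keeps utilization below 70%"
      ],
      "alternatives_considered": [
         {"option": "rate-limit bulk traffic",
          "rejected_because": "violates tenant SLA"}
      ],
      "confidence": 0.82,
      "limitations": ["No visibility into peer AS capacity"]
   }
   ```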

   Agents MUST implement a Context Explanation interface that
   provides on-demand details about specific aspects of their
   reasoning. This interface allows human operators to query
   particular decision points, request elaboration on confidence
   levels, or explore alternative approaches that were considered but
   rejected. The interface SHOULD support structured queries using
   predefined categories such as "data-sources", "assumptions",
   "risk-factors", and "alternatives". Responses MUST be provided in
   a consistent format that enables both human review and automated
   analysis for audit purposes.
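
   A paired query and response over this interface might look as
   follows; the envelope keys "explanation_query" and
   "explanation_response" are hypothetical and shown only to
   illustrate the exchange:

   ```json
   {
      "explanation_query": {
         "trace_id": "trc-20260315-0042",
         "category": "risk-factors"
      },
      "explanation_response": {
         "trace_id": "trc-20260315-0042",
         "category": "risk-factors",
         "details": [
            "Traffic shift may congest lag-7 during peak hours"
         ]
      }
   }
   ```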

   The Uncertainty Declaration primitive requires agents to
   explicitly communicate their confidence levels and known
   limitations regarding proposed actions. Agents MUST provide
   quantitative confidence scores where applicable and qualitative
   uncertainty statements for aspects that cannot be numerically
   assessed. This primitive is particularly critical in regulated
   environments where human operators need to understand the
   reliability of agent recommendations before granting approval, as
   specified in human oversight requirements frameworks
   [draft-cui-nmrg-llm-nm].
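
   A non-normative Uncertainty Declaration combining quantitative and
   qualitative elements might be represented as follows (field names
   are illustrative):

   ```json
   {
      "uncertainty_declaration": {
         "confidence_score": 0.82,
         "qualitative_notes": [
            "Forecast based on 7 days of telemetry; weekend traffic
             patterns are underrepresented"
         ],
         "known_limitations": ["No visibility into peer AS capacity"]
      }
   }
   ```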

   To support audit and compliance requirements, explainability
   interfaces MUST generate persistent explanation records that can
   be stored and retrieved for later review. These records SHOULD
   include timestamps, version information for the agent making
   decisions, and cryptographic signatures to ensure integrity. The
   explanation data MUST be structured to support automated analysis
   and pattern detection, enabling organizations to identify trends
   in agent decision-making and improve oversight processes over
   time.

8.  Integration with Agent Architectures

   The integration of HITL primitives with existing agent
   architectures requires careful consideration of both the agent's
   internal decision-making processes and the external communication
   protocols used for human interaction. Agent systems MUST implement
   HITL primitives as composable components that can be inserted into
   the agent's execution pipeline without requiring fundamental
   architectural changes. This approach ensures that existing agent
   deployments can adopt human oversight mechanisms incrementally,
   maintaining backward compatibility while enhancing human control
   capabilities.

   Agent architectures SHOULD implement HITL primitives through a
   middleware layer that intercepts agent decisions at configurable
   decision points. This middleware approach allows the same HITL
   mechanisms to be applied across different agent types and
   execution environments. The middleware MUST support protocol-
   agnostic communication, enabling human oversight through various
   channels including HTTP-based APIs [RFC9110], WebSocket
   connections for real-time interaction, or message-oriented
   protocols. The choice of communication protocol SHOULD be
   configurable to accommodate different operational environments and
   human interface requirements.

   Integration with authorization frameworks presents a critical
   opportunity to enforce human oversight requirements at the system
   level. Agent architectures SHOULD leverage OAuth 2.0 [RFC6749]
   scopes and claims to specify when human approval is required for
   specific actions, building upon human oversight requirement
   patterns that embed HITL constraints directly into authorization
   tokens [draft-aap-oauth-profile]. This integration ensures that
   human oversight requirements are enforced consistently across
   distributed agent systems and cannot be bypassed by individual
   agent implementations.
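
   As a non-normative sketch, a JWT issued to an agent might embed
   HITL constraints in a custom claim.  The "hitl" claim name and its
   members are hypothetical and are not registered or defined by this
   document:

   ```json
   {
      "iss": "https://auth.example.net",
      "sub": "agent.example.net/config-manager",
      "scope": "netconf:write",
      "hitl": {
         "approval_required": ["config-change", "policy-update"],
         "approver_role": "network-operations",
         "max_autonomous_risk": "low"
      },
      "exp": 1773600000
   }
   ```

   A resource server honoring such a token would refuse to execute the
   listed action categories unless an approval from an operator
   holding the indicated role accompanies the request.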

   For network management applications, HITL primitives MUST
   integrate with existing network management protocols and
   frameworks while preserving the human-in-the-loop workflows
   defined for LLM-generated network management decisions
   [draft-cui-nmrg-llm-nm].  Agent architectures in network domains
   SHOULD
   implement decision checkpoints that align with critical network
   operations, ensuring that configuration changes, policy updates,
   and topology modifications trigger appropriate human oversight
   mechanisms. The integration MUST preserve existing network
   management interfaces while adding human oversight capabilities as
   an additional validation layer.

   The implementation of HITL primitives SHOULD support both
   synchronous and asynchronous interaction patterns to accommodate
   different operational requirements and human availability
   constraints. Synchronous patterns are appropriate for real-time
   decision approval, while asynchronous patterns enable human
   oversight in environments where immediate human response is not
   feasible. Agent architectures MUST implement timeout mechanisms
   and fallback behaviors for both interaction patterns, ensuring
   system stability when human oversight is delayed or unavailable.
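   The asynchronous pattern with a timeout and fallback can be sketched
   with a minimal coroutine. The fail-closed default (deny on timeout)
   is an assumption of this example; deployments choose the fallback
   per decision category.

   ```python
   import asyncio

   async def await_approval(pending: "asyncio.Future[bool]",
                            timeout_s: float,
                            fallback: bool = False) -> bool:
       """Wait for a human decision; apply the fallback on timeout."""
       try:
           return await asyncio.wait_for(pending, timeout=timeout_s)
       except asyncio.TimeoutError:
           # Human response did not arrive in time; fail closed by default.
           return fallback
   ```

   The synchronous pattern is the degenerate case in which the caller
   blocks on the same wait with a short timeout before proceeding.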

   Configuration and policy management for HITL primitives SHOULD be
   externalized from agent implementations to enable dynamic
   adjustment of human oversight requirements without agent
   redeployment. This externalization allows organizations to adjust
   human oversight policies based on operational conditions,
   regulatory requirements, or agent performance metrics. The
   configuration mechanism MUST support fine-grained control over
   which agent decisions require human oversight, the type of
   oversight required, and the specific human operators authorized to
   provide oversight for different decision categories.
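   An externalized policy of this shape is sketched below. The field
   names ("oversight", "approvers") and the idea of keying policy on a
   decision category are illustrative assumptions; the point is only
   that the table lives outside the agent and can be reloaded without
   redeployment.

   ```python
   # Policy table, e.g. loaded from an external configuration service.
   POLICY = {
       "config-change": {"oversight": "approval-workflow",
                         "approvers": ["netops-lead"]},
       "topology-update": {"oversight": "multi-stage-approval",
                           "approvers": ["netops-lead", "security-officer"]},
   }

   def oversight_for(action: str):
       """Return the oversight requirement for an action, or None."""
       return POLICY.get(action)
   ```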

9.  Security Considerations

   The security of HITL primitives is paramount, as these mechanisms
   represent critical control points where human authority intersects
   with autonomous agent operation. Authentication and authorization
   of human operators MUST be implemented using strong cryptographic
   methods, with multi-factor authentication RECOMMENDED for high-
   impact decision points. Human operator credentials SHOULD be
   managed through established identity frameworks such as OAuth 2.0
   [RFC6749] or equivalent, with token-based authentication providing
   both security and auditability. Organizations MUST implement role-
   based access controls that ensure only authorized personnel can
   approve specific types of agent actions, with the principle of
   least privilege applied to limit human operator permissions to
   necessary functions only.
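   The role-based check reduces to a small lookup, sketched below under
   the assumption that roles map to the decision categories they may
   approve; role and category names are invented for illustration.

   ```python
   # Least privilege: each role may approve only its bound categories.
   ROLE_PERMISSIONS = {
       "netops-lead": {"config-change"},
       "security-officer": {"config-change", "policy-update"},
   }

   def may_approve(role: str, category: str) -> bool:
       """Return True only if the role is authorized for the category."""
       return category in ROLE_PERMISSIONS.get(role, set())
   ```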

   Protection against manipulation and spoofing attacks requires
   robust integrity mechanisms throughout the HITL workflow. All
   approval requests, human responses, and override commands MUST be
   cryptographically signed to prevent tampering and ensure non-
   repudiation. The system MUST validate that approval workflows
   cannot be bypassed through direct agent-to-agent communication or
   through exploitation of timing vulnerabilities. Particular
   attention MUST be paid to preventing replay attacks where
   previously valid human approvals could be reused inappropriately.
   Human operators MUST be provided with sufficient context and
   verification mechanisms to detect potentially malicious approval
   requests that might be designed to trick humans into approving
   harmful actions.
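   The integrity and anti-replay requirements can be illustrated with
   the sketch below. It uses an HMAC with a fresh nonce and timestamp
   purely to keep the example self-contained; a conforming deployment
   would use asymmetric signatures to obtain the non-repudiation this
   section requires, and the message layout is an assumption of the
   sketch.

   ```python
   import hashlib
   import hmac
   import secrets
   import time

   SEEN_NONCES: set = set()   # replay cache (bounded in practice)

   def _payload(msg: dict) -> bytes:
       body = {k: msg[k] for k in ("decision", "nonce", "request_id", "ts")}
       return "|".join(str(body[k]) for k in sorted(body)).encode()

   def sign_approval(key: bytes, request_id: str, decision: str) -> dict:
       """Produce an integrity-protected approval response."""
       msg = {"request_id": request_id, "decision": decision,
              "nonce": secrets.token_hex(16), "ts": int(time.time())}
       msg["mac"] = hmac.new(key, _payload(msg), hashlib.sha256).hexdigest()
       return msg

   def verify_approval(key: bytes, msg: dict, max_age_s: int = 300) -> bool:
       """Reject tampered, stale, or replayed approvals."""
       expected = hmac.new(key, _payload(msg), hashlib.sha256).hexdigest()
       if not hmac.compare_digest(expected, msg["mac"]):
           return False                     # tampered
       if time.time() - msg["ts"] > max_age_s:
           return False                     # stale
       if msg["nonce"] in SEEN_NONCES:
           return False                     # replayed
       SEEN_NONCES.add(msg["nonce"])
       return True
   ```

   The nonce cache is what defeats the replay attack described above:
   an approval verifies exactly once, even within its freshness window.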

   Secure communication channels are essential for protecting HITL
   interactions from eavesdropping and man-in-the-middle attacks. All
   communication between agents, HITL interfaces, and human operators
   MUST use transport-layer security equivalent to TLS 1.3 [RFC8446]
   or stronger. The system MUST implement proper certificate
   validation and SHOULD use mutual TLS authentication where
   feasible. Session management for human operators MUST include
   appropriate timeout mechanisms to prevent unauthorized use of
   abandoned sessions, with sensitive approval workflows requiring
   fresh authentication for extended operations.

   The explainability interfaces present unique security challenges,
   as they must balance transparency with protection of sensitive
   algorithmic details and operational information. Explanations
   provided to human operators MUST be sanitized to prevent
   information disclosure that could be exploited by attackers to
   reverse-engineer agent decision patterns or identify system
   vulnerabilities. The system MUST implement access controls that
   ensure explainability information is only provided to operators
   with appropriate clearance levels for the specific operational
   context. Additionally, all HITL interactions MUST be logged with
   tamper-evident audit trails that include cryptographic checksums
   and timestamps to ensure accountability and enable post-incident
   analysis while protecting sensitive operational details from
   unauthorized disclosure.
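   A tamper-evident audit trail is commonly realized as a hash chain,
   sketched below: each entry carries the digest of its predecessor, so
   altering any record invalidates every later link. The record fields
   are illustrative, not a normative log format.

   ```python
   import hashlib
   import json
   import time

   GENESIS = "0" * 64   # sentinel "previous hash" for the first entry

   def append_entry(log: list, event: dict) -> None:
       """Append an event, chaining it to the previous entry's hash."""
       prev = log[-1]["hash"] if log else GENESIS
       entry = {"ts": int(time.time()), "event": event, "prev": prev}
       entry["hash"] = hashlib.sha256(
           json.dumps(entry, sort_keys=True).encode()).hexdigest()
       log.append(entry)

   def chain_intact(log: list) -> bool:
       """Recompute every link; any edit to a past record breaks it."""
       prev = GENESIS
       for entry in log:
           body = {k: entry[k] for k in ("ts", "event", "prev")}
           digest = hashlib.sha256(
               json.dumps(body, sort_keys=True).encode()).hexdigest()
           if entry["prev"] != prev or digest != entry["hash"]:
               return False
           prev = entry["hash"]
       return True
   ```

   Anchoring the newest hash in external storage (or signing it
   periodically) extends the same property to truncation attacks.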

10.  IANA Considerations

   This document introduces several new protocol elements and
   identifiers that require standardized registration to ensure
   interoperability across implementations. IANA is requested to
   establish and maintain registries for HITL primitive types,
   approval workflow identifiers, and standardized response codes as
   specified in this section. These registries will enable consistent
   implementation of human-in-the-loop mechanisms across different
   agent systems and organizational boundaries.

   IANA SHALL establish a new registry titled "Human-in-the-Loop
   (HITL) Primitive Types" to maintain standardized identifiers for
   the core HITL mechanisms defined in this specification. The
   registry MUST include entries for "approval-workflow", "override-
   mechanism", and "explainability-interface" as the initial
   primitive types, with additional types to be registered through
   the Specification Required policy as defined in [RFC8126]. Each
   registry entry MUST include the primitive type identifier, a brief
   description of its function, and a reference to the defining
   specification. Registration requests MUST specify how the proposed
   primitive type differs from existing entries and demonstrate clear
   utility for human oversight scenarios.

   A second registry titled "HITL Approval Workflow Identifiers"
   SHALL be established to maintain standardized workflow patterns
   for approval primitives. This registry MUST include initial
   entries for common workflow types such as "single-approver",
   "multi-stage-approval", "consensus-required", and "emergency-
   bypass", with new workflow identifiers registered under the
   Specification Required policy. Each workflow identifier entry MUST
   specify the approval pattern, required participant roles, decision
   criteria, and timeout handling mechanisms. This registry enables
   organizations to reference standardized approval patterns while
   maintaining consistency across different agent deployments.

   IANA SHALL create a "HITL Response Codes" registry to standardize
   the status and error codes used in human-in-the-loop
   communications as defined in Section 5 and Section 6 of this
   specification. The registry MUST include standard response codes
   for approval granted (200), approval denied (403), timeout
   exceeded (408), override initiated (300), and explanation
   requested (250), following the pattern established by HTTP status
   codes in [RFC9110]. Additional response codes MAY be registered
   using the Expert Review policy, with registration requests
   requiring demonstration of unique semantic meaning not covered by
   existing codes. The registry MUST specify the numeric code,
   textual description, applicable primitive types, and any special
   handling requirements for each response code to ensure consistent
   interpretation across implementations.
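   The initial registry contents can be mirrored as a simple lookup
   table, as in this non-normative sketch (the numeric values restate
   the document text above; the table structure itself is illustrative):

   ```python
   # Initial "HITL Response Codes" registry entries.
   HITL_RESPONSE_CODES = {
       200: "approval granted",
       250: "explanation requested",
       300: "override initiated",
       403: "approval denied",
       408: "timeout exceeded",
   }

   def describe(code: int) -> str:
       """Resolve a HITL response code to its textual description."""
       return HITL_RESPONSE_CODES.get(code, "unregistered code")
   ```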

11.  References

11.1.  Normative References

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119, March 1997.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, May 2017.

   [RFC8126]  Cotton, M., Leiba, B., and T. Narten, "Guidelines for
              Writing an IANA Considerations Section in RFCs", BCP 26,
              RFC 8126, June 2017.

   [RFC8446]  Rescorla, E., "The Transport Layer Security (TLS)
              Protocol Version 1.3", RFC 8446, August 2018.

   [RFC9110]  Fielding, R., Ed., Nottingham, M., Ed., and J. Reschke,
              Ed., "HTTP Semantics", STD 97, RFC 9110, June 2022.

   [RFC8259]  Bray, T., Ed., "The JavaScript Object Notation (JSON)
              Data Interchange Format", STD 90, RFC 8259, December
              2017.

   [draft-rosenberg-cheq]
              "draft-rosenberg-cheq", Work in Progress.

11.2.  Informative References

   [RFC6749]  Hardt, D., Ed., "The OAuth 2.0 Authorization Framework",
              RFC 6749, October 2012.

   [RFC7519]  Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token
              (JWT)", RFC 7519, May 2015.

   [draft-cui-nmrg-llm-nm]
              "draft-cui-nmrg-llm-nm", Work in Progress.

   [draft-irtf-nmrg-llm-nm]
              "draft-irtf-nmrg-llm-nm", Work in Progress.

   [draft-rosenberg-aiproto-cheq]
              "draft-rosenberg-aiproto-cheq", Work in Progress.

   [draft-aap-oauth-profile]
              "draft-aap-oauth-profile", Work in Progress.

   [draft-cowles-volt]
              "draft-cowles-volt", Work in Progress.

   [draft-aylward-daap-v2]
              "draft-aylward-daap-v2", Work in Progress.


Author's Address

   Generated by IETF Draft Analyzer
   Family: agent-ecosystem
   2026-03-04
