c/ietf-draft-analyzer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Generate 5-draft ecosystem family, fix formatter markdown stripping

Browse Source 
Pipeline output:
- ABVP: Agent Behavior Verification Protocol (quality 3.0/5)
- AEM: Privacy-Preserving Agent Learning Protocol (quality 2.1/5)
- ATD: Agent Task DAG Framework (quality 2.5/5)
- HITL: Human-in-the-Loop Primitives (quality 2.4/5)
- AEPB: Real-Time Agent Rollback Protocol (quality 2.5/5)
- APAE: Agent Provenance Assurance Ecosystem (quality 2.5/5)

Quality gates: all pass novelty + references, format gate improved
with markdown stripping (_strip_markdown) and dynamic header padding.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Christian Nennemann
2026-03-04 01:42:30 +01:00
parent 7a1aa346b9
commit 404092b938
9 changed files with 5122 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

757
data/reports/generated-drafts/draft-ai-primitives-for-00.txt Normal file
View File

@@ -0,0 +1,757 @@
Internet-Draft anima
Intended status: standards-track March 2026
Expires: September 05, 2026
Human-in-the-Loop (HITL) Primitives for AI Agent Systems
draft-agent-ecosystem-primitives-for-00
Abstract
As AI agents become increasingly autonomous in network operations
and other critical domains, the need for standardized human
oversight mechanisms becomes paramount. This document defines a
framework of Human-in-the-Loop (HITL) primitives that enable
structured human intervention, approval, and oversight in AI agent
decision-making processes. The framework provides three core
primitives: approval workflows that require explicit human consent
before action execution, override mechanisms that allow humans to
modify or halt agent decisions, and explainability interfaces that
provide transparency into agent reasoning. These primitives are
designed to be protocol-agnostic and can be integrated with
existing agent architectures to ensure human control over
autonomous systems. The specification addresses the critical gap
between fully autonomous AI operation and human accountability
requirements, particularly in regulated environments where human
oversight is mandatory. By standardizing these HITL mechanisms,
organizations can deploy AI agents with appropriate human
safeguards while maintaining operational efficiency and regulatory
compliance.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
This document is intended to have standards-track status.
Distribution of this memo is unlimited.
Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED",
"MAY", and "OPTIONAL" in this document are to be interpreted as
described in BCP 14 [RFC2119] [RFC8174] when, and only when, they
appear in all capitals, as shown here.
HITL Primitive
A standardized mechanism that enables human oversight and
intervention in AI agent decision-making processes
Approval Workflow
A structured process that requires explicit human consent
before an agent action is executed
Override Mechanism
A capability that allows humans to modify, halt, or redirect
agent decisions in real-time
Explainability Interface
A standardized method for agents to provide transparency into
their reasoning and decision-making processes
Human Oversight
The structured involvement of human operators in monitoring,
approving, or modifying AI agent actions
Decision Point
A moment in agent execution where human intervention may be
required or beneficial
Intervention Trigger
A condition or threshold that activates human-in-the-loop
mechanisms
Table of Contents
1. Introduction ................................................ 3
2. Terminology ................................................. 4
3. Problem Statement ........................................... 5
4. HITL Primitive Framework .................................... 6
5. Approval Workflow Primitives ................................ 7
6. Override and Intervention Primitives ........................ 8
7. Explainability and Transparency Primitives .................. 9
8. Integration with Agent Architectures ........................ 10
9. Security Considerations ..................................... 11
10. IANA Considerations ......................................... 12
11. References .................................................. 13
1. Introduction
The rapid advancement and deployment of AI agents in critical
network operations and infrastructure management has created an
urgent need for standardized human oversight mechanisms. As
documented in [draft-cui-nmrg-llm-nm] and [draft-irtf-nmrg-llm-
nm], AI agents are increasingly being deployed for network
management tasks that were traditionally performed by human
operators. However, the current landscape of AI agent systems
lacks consistent and interoperable Human-in-the-Loop (HITL)
mechanisms, creating significant risks for organizations that
require human accountability and oversight in their autonomous
systems.
Current AI agent deployments typically implement ad-hoc or
proprietary mechanisms for human oversight, if any oversight
mechanisms exist at all. This inconsistency creates several
critical problems: organizations cannot easily integrate HITL
capabilities across different agent systems, human operators lack
standardized interfaces for agent oversight, and regulatory
compliance becomes difficult to achieve and demonstrate. The
absence of standardized HITL primitives means that each agent
implementation must create its own oversight mechanisms, leading
to fragmented approaches that cannot interoperate and may have
significant security or reliability gaps.
The risks of uncontrolled autonomous operation are particularly
acute in regulated environments such as financial services,
healthcare, and critical infrastructure, where human oversight is
often legally mandated. When AI agents operate without appropriate
human safeguards, organizations face potential regulatory
violations, liability issues, and operational failures that could
have been prevented through proper human oversight. Furthermore,
the lack of standardized explainability interfaces means that
human operators often cannot understand or validate agent
decisions, undermining the effectiveness of any oversight
mechanisms that do exist.
This document addresses these challenges by defining a
comprehensive framework of HITL primitives that can be integrated
with existing agent architectures in a protocol-agnostic manner.
The framework builds upon established patterns from OAuth 2.0
[RFC6749] and JSON Web Tokens [RFC7519] to provide standardized
mechanisms for approval workflows, override capabilities, and
explainability interfaces. These primitives are designed to ensure
that human oversight can be consistently implemented and enforced
across different AI agent systems while maintaining the
operational efficiency benefits of autonomous operation.
The HITL primitive framework specified in this document enables
organizations to deploy AI agents with appropriate human
safeguards that meet regulatory requirements and organizational
policies. By standardizing these mechanisms, the framework
facilitates interoperability between different agent systems and
provides a foundation for secure, accountable autonomous
operations. The primitives are designed to be composable and
configurable, allowing organizations to implement the level of
human oversight appropriate for their specific use cases and risk
tolerance.
2. Terminology
This document uses terminology consistent with [RFC2119] and
[RFC8174] when describing requirement levels. The key words
"MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD",
"SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
"OPTIONAL" in this document are to be interpreted as described in
BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
capitals, as shown here.
HITL Primitive refers to a standardized, composable mechanism that
enables structured human oversight and intervention in AI agent
decision-making processes. These primitives serve as the
fundamental building blocks for implementing human control over
autonomous systems and can be combined to create comprehensive
oversight frameworks tailored to specific operational
requirements.
Approval Workflow defines a structured process that requires
explicit human consent before an agent action is executed. As
described in [draft-cui-nmrg-llm-nm] and [draft-irtf-nmrg-llm-nm],
these workflows enforce human control over automated actions by
creating mandatory checkpoints where agent decisions must receive
human validation. Approval workflows include mechanisms for
request formatting, response handling, timeout management, and
escalation procedures.
Override Mechanism encompasses capabilities that allow humans to
modify, halt, or redirect agent decisions in real-time, both
during the decision-making process and after initial action has
begun. These mechanisms provide emergency intervention
capabilities and enable humans to maintain ultimate control over
agent behavior, even when agents are operating with significant
autonomy.
Explainability Interface represents a standardized method for
agents to provide transparency into their reasoning and decision-
making processes. These interfaces enable informed human oversight
by presenting agent logic, data sources, confidence levels, and
decision rationale in human-comprehensible formats. The
explainability interface is essential for meaningful human
participation in approval workflows and override decisions.
Human Oversight denotes the structured involvement of human
operators in monitoring, approving, or modifying AI agent actions.
This encompasses both proactive oversight through approval
workflows and reactive oversight through monitoring and
intervention capabilities. Human oversight requirements may be
specified through structured claims and validation patterns as
referenced in authorization frameworks [RFC6749] [RFC7519].
Decision Point identifies a specific moment in agent execution
where human intervention may be required, beneficial, or
optionally available. Decision points are defined based on action
criticality, risk assessment, regulatory requirements, or
organizational policy. Each decision point specifies the type of
human involvement required and the mechanisms through which such
involvement occurs.
Intervention Trigger describes a condition, threshold, or event
that automatically activates human-in-the-loop mechanisms.
Triggers may be based on risk scores, confidence levels,
environmental changes, error conditions, or explicit policy rules.
When activated, intervention triggers initiate appropriate HITL
primitives to ensure human involvement in agent decision-making
processes.
3. Problem Statement
As AI agents become increasingly prevalent in critical network
infrastructure and operational environments, they are often
deployed with varying degrees of autonomy and inconsistent
mechanisms for human oversight. Current agent implementations
typically rely on ad-hoc or proprietary methods for human
intervention, ranging from simple logging systems to custom
approval interfaces that lack standardization across platforms and
vendors. This fragmentation creates significant challenges for
organizations attempting to maintain consistent oversight policies
across heterogeneous agent deployments, particularly in regulated
environments where human accountability is not merely preferred
but legally mandated.
The absence of standardized Human-in-the-Loop (HITL) mechanisms
leads to several critical problems in autonomous agent deployment.
Without consistent approval workflows, agents may execute high-
impact actions without appropriate human review, potentially
causing unintended consequences in production systems. The lack of
standardized override mechanisms means that human operators cannot
reliably intervene when agents begin executing problematic
decisions, creating situations where autonomous systems continue
operating beyond safe parameters. Furthermore, the absence of
explainability interfaces prevents operators from understanding
agent reasoning, making it impossible to provide informed
oversight or learn from agent behavior patterns. These gaps are
particularly problematic in network management contexts, as
highlighted in [DRAFT-CUI-NMRG-LLM-NM] and [DRAFT-IRTF-NMRG-LLM-
NM], where LLM-generated network decisions require structured
human validation before execution.
The consequences of uncontrolled autonomous operation extend
beyond immediate operational risks to encompass regulatory
compliance and accountability challenges. In many jurisdictions,
regulations require that critical decisions affecting network
infrastructure, user data, or service availability maintain clear
chains of human responsibility. Current agent systems often
operate as "black boxes" where the decision-making process is
opaque to human oversight, making it difficult or impossible to
demonstrate compliance with regulatory requirements. This opacity
also hinders incident response and post-mortem analysis, as
operators cannot determine why an agent made specific decisions or
identify patterns that might prevent future issues.
The need for human accountability in AI agent systems is further
complicated by the temporal aspects of autonomous operation.
Unlike traditional software systems that execute predetermined
logic, AI agents make dynamic decisions based on environmental
conditions and learned behaviors that may not be fully predictable
at deployment time. This unpredictability necessitates real-time
human oversight capabilities that can adapt to emerging
situations. However, without standardized primitives for human
intervention, organizations resort to crude mechanisms such as
complete system shutdown or manual takeover, which eliminate the
benefits of autonomous operation while failing to provide granular
control over agent behavior.
The lack of interoperability between different HITL
implementations creates additional operational burden and security
risks. Organizations deploying multiple agent systems must
maintain separate oversight interfaces and procedures for each
platform, increasing complexity and the likelihood of human error.
This fragmentation also prevents the development of unified
oversight dashboards and centralized approval workflows that could
improve operational efficiency while maintaining appropriate human
control. The security implications are equally concerning, as non-
standardized override mechanisms may lack proper authentication,
authorization, and audit capabilities, potentially enabling
unauthorized intervention in autonomous systems.
4. HITL Primitive Framework
This document defines a framework of Human-in-the-Loop (HITL)
primitives that provide standardized mechanisms for human
oversight of AI agent systems. The framework establishes three
core primitive categories that work together to ensure appropriate
human control over autonomous operations while maintaining
operational efficiency. These primitives are designed to be
protocol-agnostic and can be integrated with existing agent
architectures regardless of the underlying communication protocols
or decision-making systems.
The HITL primitive framework operates on the principle that human
oversight requirements vary based on context, risk level, and
regulatory constraints. Each primitive category addresses a
specific aspect of human-agent interaction: approval workflows
ensure human consent for critical actions, override mechanisms
provide real-time intervention capabilities, and explainability
interfaces enable informed human decision-making. The framework
defines standardized interfaces and message formats that allow
these primitives to be composed into comprehensive oversight
systems tailored to specific operational requirements.
At the architectural level, HITL primitives integrate with agent
systems through well-defined decision points where human
intervention may be required. These decision points are identified
during agent operation based on configurable triggers such as risk
thresholds, regulatory requirements, or operational policies. When
a decision point is reached, the appropriate HITL primitive is
activated, temporarily suspending autonomous operation until human
oversight is satisfied. This approach ensures that human oversight
requirements, as referenced in [draft-cui-nmrg-llm-nm] for network
management scenarios, can be consistently enforced across diverse
agent deployments.
The framework establishes a common message structure for all HITL
primitives that includes essential metadata such as agent
identity, decision context, timestamp, and urgency level. This
standardized approach enables interoperability between different
agent systems and human oversight tools while providing the
flexibility to extend primitives for domain-specific requirements.
The message structure follows JSON formatting conventions per
[RFC8259] and incorporates security considerations including
authentication tokens and integrity protection mechanisms as
specified in [RFC7519] and [RFC8446].
Implementation of HITL primitives MUST ensure that human oversight
mechanisms cannot be bypassed or manipulated by agent systems. The
framework requires that primitive activation be deterministic and
based on verifiable conditions, preventing agents from selectively
avoiding human oversight. Additionally, all HITL interactions MUST
be logged with sufficient detail to support audit requirements and
accountability frameworks. This logging requirement supports the
human oversight validation patterns needed for authorization
systems and ensures compliance with regulatory oversight mandates.
5. Approval Workflow Primitives
Approval workflow primitives provide standardized mechanisms for
requiring explicit human consent before AI agents execute specific
actions. These primitives establish a structured framework where
agents identify decision points that require human oversight,
format approval requests with sufficient context for human
evaluation, and await explicit authorization before proceeding.
The approval workflow primitive ensures that critical or high-risk
agent actions cannot be executed without human validation,
maintaining human authority over autonomous systems while
preserving operational efficiency through selective intervention
points.
The core approval request structure MUST include the proposed
action description, associated risk assessment, relevant context
for human evaluation, and expected execution timeline. Each
approval request MUST be uniquely identified and include
sufficient information for a human operator to make an informed
decision. The request format SHOULD follow structured data
conventions as defined in [RFC8259] to ensure consistent parsing
and presentation across different human interface systems. Agents
MUST provide clear rationale for why the action requires approval
and include any relevant alternative options that humans may
consider during the evaluation process.
Human responses to approval requests MUST use standardized
response codes that clearly indicate approval, denial, or
modification instructions. Approved actions receive an explicit
authorization token that agents MUST validate before execution,
ensuring that only genuinely authorized actions proceed. Denied
requests MUST include human feedback when possible to enable agent
learning and improved future decision-making. The response format
SHOULD accommodate conditional approvals where humans specify
constraints or modifications to the proposed action while still
granting execution authority.
Timeout handling mechanisms are critical components of approval
workflow primitives to prevent system deadlock when human
operators are unavailable. Agents MUST implement configurable
timeout periods appropriate to the urgency and criticality of the
requested action, with default behavior clearly specified for
timeout scenarios. When approval requests exceed timeout
thresholds, agents SHOULD implement fallback strategies such as
escalation to alternate human operators, execution of safe default
actions, or graceful degradation of service. The timeout
configuration SHOULD be contextually aware, allowing shorter
timeouts for routine operations and longer timeouts for complex
decisions requiring thorough human evaluation.
Integration with authentication and authorization systems ensures
that approval responses originate from authorized human operators
with appropriate privileges for the requested action type. The
approval workflow primitive SHOULD leverage existing identity
frameworks such as those defined in [RFC6749] and [RFC7519] to
validate human operator credentials and maintain audit trails of
approval decisions. This integration enables fine-grained access
control where different categories of actions require approval
from operators with specific roles or clearance levels, supporting
organizational hierarchy and responsibility structures within
human-agent collaborative systems.
6. Override and Intervention Primitives
Override and intervention primitives provide real-time mechanisms
that allow human operators to modify, halt, or redirect agent
decisions during execution. These primitives are essential for
maintaining human control over autonomous systems, particularly in
situations where agent decisions may lead to undesirable outcomes
or where dynamic conditions require human judgment. The override
mechanisms MUST be designed to operate with minimal latency to
ensure timely human intervention when required.
The core override primitive consists of three fundamental
operations: halt, modify, and redirect. The halt operation
immediately stops agent execution and places the system in a safe
state, while the modify operation allows humans to adjust specific
parameters or constraints of the current agent decision. The
redirect operation enables complete substitution of the agent's
proposed action with a human-specified alternative. Each override
operation MUST include authentication credentials as defined in
[RFC6749] and SHOULD provide a reason code indicating the basis
for intervention. Override requests MUST be processed
synchronously when possible, with acknowledgment timeouts not
exceeding implementation-defined thresholds.
Emergency stop procedures represent a specialized category of
override primitives designed for critical situations requiring
immediate agent termination. These procedures MUST bypass normal
approval workflows and provide direct, low-latency mechanisms for
halting agent operations. Emergency stops SHOULD be implemented
through multiple redundant channels to ensure reliability, and
MUST trigger immediate notification to designated human
supervisors. The emergency stop primitive MUST include safeguards
to prevent accidental activation while ensuring accessibility
during genuine emergencies.
Decision modification interfaces enable fine-grained human
adjustment of agent decisions without complete override. These
interfaces MUST provide structured formats for specifying
modifications to agent parameters, constraints, or objectives
using JSON [RFC8259] or equivalent structured data formats.
Modification requests SHOULD include validation mechanisms to
ensure proposed changes are within acceptable operational bounds.
The agent MUST acknowledge modification requests and indicate
whether the requested changes can be accommodated within current
operational constraints.
Real-time intervention capabilities require agents to expose
decision points where human oversight can be effectively applied.
Decision points MUST be clearly identified in agent execution
flows, with appropriate pause mechanisms that allow human
evaluation without timeout penalties. Agents SHOULD provide
context information at each decision point, including current
state, proposed actions, and confidence levels. The intervention
interface MUST support both synchronous and asynchronous human
responses, with clear timeout behaviors defined for each
interaction mode.
Integration with agent architectures requires override primitives
to maintain compatibility with existing agent communication
protocols while providing standardized intervention interfaces.
Override mechanisms SHOULD be implemented as middleware components
that can intercept agent communications without requiring
modification to core agent logic. The primitive framework MUST
support distributed scenarios where human operators may be remote
from agent execution environments, utilizing secure communication
channels as specified in [RFC8446] for all override operations.
7. Explainability and Transparency Primitives
This section defines standardized interfaces that enable AI agents
to provide transparency into their reasoning and decision-making
processes. Explainability primitives are essential for enabling
informed human oversight, as humans cannot effectively supervise
agent actions without understanding the underlying rationale.
These interfaces MUST provide structured information about agent
reasoning in formats that support human comprehension and
decision-making.
The core explainability primitive is the Reasoning Trace, which
captures the agent's decision-making process in a structured
format. A Reasoning Trace MUST include the following elements: the
initial problem or goal statement, key inputs and data sources
consulted, reasoning steps taken, alternative options considered,
confidence levels for decisions, and any uncertainty or
limitations acknowledged by the agent. This trace SHOULD be
generated in JSON format [RFC8259] to ensure machine-readable
structure while remaining human-interpretable. The trace MUST be
available before any approval workflow is initiated, allowing
humans to make informed decisions about proposed agent actions.
Agents MUST implement a Context Explanation interface that
provides on-demand details about specific aspects of their
reasoning. This interface allows human operators to query
particular decision points, request elaboration on confidence
levels, or explore alternative approaches that were considered but
rejected. The interface SHOULD support structured queries using
predefined categories such as "data-sources", "assumptions",
"risk-factors", and "alternatives". Responses MUST be provided in
a consistent format that enables both human review and automated
analysis for audit purposes.
The Uncertainty Declaration primitive requires agents to
explicitly communicate their confidence levels and known
limitations regarding proposed actions. Agents MUST provide
quantitative confidence scores where applicable and qualitative
uncertainty statements for aspects that cannot be numerically
assessed. This primitive is particularly critical in regulated
environments where human operators need to understand the
reliability of agent recommendations before granting approval, as
specified in human oversight requirements frameworks [draft-cui-
nmrg-llm-nm].
To support audit and compliance requirements, explainability
interfaces MUST generate persistent explanation records that can
be stored and retrieved for later review. These records SHOULD
include timestamps, version information for the agent making
decisions, and cryptographic signatures to ensure integrity. The
explanation data MUST be structured to support automated analysis
and pattern detection, enabling organizations to identify trends
in agent decision-making and improve oversight processes over
time.
8. Integration with Agent Architectures
The integration of HITL primitives with existing agent
architectures requires careful consideration of both the agent's
internal decision-making processes and the external communication
protocols used for human interaction. Agent systems MUST implement
HITL primitives as composable components that can be inserted into
the agent's execution pipeline without requiring fundamental
architectural changes. This approach ensures that existing agent
deployments can adopt human oversight mechanisms incrementally,
maintaining backward compatibility while enhancing human control
capabilities.
Agent architectures SHOULD implement HITL primitives through a
middleware layer that intercepts agent decisions at configurable
decision points. This middleware approach allows the same HITL
mechanisms to be applied across different agent types and
execution environments. The middleware MUST support protocol-
agnostic communication, enabling human oversight through various
channels including HTTP-based APIs [RFC9110], WebSocket
connections for real-time interaction, or message-oriented
protocols. The choice of communication protocol SHOULD be
configurable to accommodate different operational environments and
human interface requirements.
Integration with authorization frameworks presents a critical
opportunity to enforce human oversight requirements at the system
level. Agent architectures SHOULD leverage OAuth 2.0 [RFC6749]
scopes and claims to specify when human approval is required for
specific actions, building upon human oversight requirement
patterns that embed HITL constraints directly into authorization
tokens [draft-aap-oauth-profile]. This integration ensures that
human oversight requirements are enforced consistently across
distributed agent systems and cannot be bypassed by individual
agent implementations.
For network management applications, HITL primitives MUST
integrate with existing network management protocols and
frameworks while preserving the human-in-the-loop workflows
defined for LLM-generated network management decisions [draft-cui-
nmrg-llm-nm]. Agent architectures in network domains SHOULD
implement decision checkpoints that align with critical network
operations, ensuring that configuration changes, policy updates,
and topology modifications trigger appropriate human oversight
mechanisms. The integration MUST preserve existing network
management interfaces while adding human oversight capabilities as
an additional validation layer.
The implementation of HITL primitives SHOULD support both
synchronous and asynchronous interaction patterns to accommodate
different operational requirements and human availability
constraints. Synchronous patterns are appropriate for real-time
decision approval, while asynchronous patterns enable human
oversight in environments where immediate human response is not
feasible. Agent architectures MUST implement timeout mechanisms
and fallback behaviors for both interaction patterns, ensuring
system stability when human oversight is delayed or unavailable.
Configuration and policy management for HITL primitives SHOULD be
externalized from agent implementations to enable dynamic
adjustment of human oversight requirements without agent
redeployment. This externalization allows organizations to adjust
human oversight policies based on operational conditions,
regulatory requirements, or agent performance metrics. The
configuration mechanism MUST support fine-grained control over
which agent decisions require human oversight, the type of
oversight required, and the specific human operators authorized to
provide oversight for different decision categories.
9. Security Considerations
The security of HITL primitives is paramount, as these mechanisms
represent critical control points where human authority intersects
with autonomous agent operation. Authentication and authorization
of human operators MUST be implemented using strong cryptographic
methods, with multi-factor authentication RECOMMENDED for high-
impact decision points. Human operator credentials SHOULD be
managed through established identity frameworks such as OAuth 2.0
[RFC6749] or equivalent, with token-based authentication providing
both security and auditability. Organizations MUST implement role-
based access controls that ensure only authorized personnel can
approve specific types of agent actions, with the principle of
least privilege applied to limit human operator permissions to
necessary functions only.
Protection against manipulation and spoofing attacks requires
robust integrity mechanisms throughout the HITL workflow. All
approval requests, human responses, and override commands MUST be
cryptographically signed to prevent tampering and ensure non-
repudiation. The system MUST validate that approval workflows
cannot be bypassed through direct agent-to-agent communication or
through exploitation of timing vulnerabilities. Particular
attention MUST be paid to preventing replay attacks where
previously valid human approvals could be reused inappropriately.
Human operators MUST be provided with sufficient context and
verification mechanisms to detect potentially malicious approval
requests that might be designed to trick humans into approving
harmful actions.
Secure communication channels are essential for protecting HITL
interactions from eavesdropping and man-in-the-middle attacks. All
communication between agents, HITL interfaces, and human operators
MUST use transport-layer security equivalent to TLS 1.3 [RFC8446]
or stronger. The system MUST implement proper certificate
validation and SHOULD use mutual TLS authentication where
feasible. Session management for human operators MUST include
appropriate timeout mechanisms to prevent unauthorized use of
abandoned sessions, with sensitive approval workflows requiring
fresh authentication for extended operations.
The explainability interfaces present unique security challenges,
as they must balance transparency with protection of sensitive
algorithmic details and operational information. Explanations
provided to human operators MUST be sanitized to prevent
information disclosure that could be exploited by attackers to
reverse-engineer agent decision patterns or identify system
vulnerabilities. The system MUST implement access controls that
ensure explainability information is only provided to operators
with appropriate clearance levels for the specific operational
context. Additionally, all HITL interactions MUST be logged with
tamper-evident audit trails that include cryptographic checksums
and timestamps to ensure accountability and enable post-incident
analysis while protecting sensitive operational details from
unauthorized disclosure.
10. IANA Considerations
This document introduces several new protocol elements and
identifiers that require standardized registration to ensure
interoperability across implementations. IANA is requested to
establish and maintain registries for HITL primitive types,
approval workflow identifiers, and standardized response codes as
specified in this section. These registries will enable consistent
implementation of human-in-the-loop mechanisms across different
agent systems and organizational boundaries.
IANA SHALL establish a new registry titled "Human-in-the-Loop
(HITL) Primitive Types" to maintain standardized identifiers for
the core HITL mechanisms defined in this specification. The
registry MUST include entries for "approval-workflow", "override-
mechanism", and "explainability-interface" as the initial
primitive types, with additional types to be registered through
the Specification Required policy as defined in [RFC8126]. Each
registry entry MUST include the primitive type identifier, a brief
description of its function, and a reference to the defining
specification. Registration requests MUST specify how the proposed
primitive type differs from existing entries and demonstrate clear
utility for human oversight scenarios.
A second registry titled "HITL Approval Workflow Identifiers"
SHALL be established to maintain standardized workflow patterns
for approval primitives. This registry MUST include initial
entries for common workflow types such as "single-approver",
"multi-stage-approval", "consensus-required", and "emergency-
bypass", with new workflow identifiers registered under the
Specification Required policy. Each workflow identifier entry MUST
specify the approval pattern, required participant roles, decision
criteria, and timeout handling mechanisms. This registry enables
organizations to reference standardized approval patterns while
maintaining consistency across different agent deployments.
IANA SHALL create a "HITL Response Codes" registry to standardize
the status and error codes used in human-in-the-loop
communications as defined in Section 5 and Section 6 of this
specification. The registry MUST include standard response codes
for approval granted (200), approval denied (403), timeout
exceeded (408), override initiated (300), and explanation
requested (250), following the pattern established by HTTP status
codes in [RFC9110]. Additional response codes MAY be registered
using the Expert Review policy, with registration requests
requiring demonstration of unique semantic meaning not covered by
existing codes. The registry MUST specify the numeric code,
textual description, applicable primitive types, and any special
handling requirements for each response code to ensure consistent
interpretation across implementations.
11. References
11.1. Normative References
[RFC 2119]
RFC 2119
[RFC 8174]
RFC 8174
[RFC 8446]
RFC 8446
[RFC 9110]
RFC 9110
[RFC 8259]
RFC 8259
[draft-rosenberg-cheq]
draft-rosenberg-cheq
11.2. Informative References
[RFC 6749]
RFC 6749
[RFC 7519]
RFC 7519
[draft-cui-nmrg-llm-nm]
draft-cui-nmrg-llm-nm
[draft-irtf-nmrg-llm-nm]
draft-irtf-nmrg-llm-nm
[draft-rosenberg-aiproto-cheq]
draft-rosenberg-aiproto-cheq
[draft-aap-oauth-profile]
draft-aap-oauth-profile
[draft-cowles-volt]
draft-cowles-volt
[draft-aylward-daap-v2]
draft-aylward-daap-v2
Author's Address
Generated by IETF Draft Analyzer
Family: agent-ecosystem
2026-03-04