Approval Bypass

A failure mode where a human approval step exists but does not constrain the exact parameters that determine the real security impact of an AI agent action.

Approval bypass is an AI-agent security failure mode where a system appears to keep a human in control, but the approval step does not actually bind the risky action. The operator approves a broad label such as “run command,” “open PR,” or “execute trade,” while the model still controls the parameters that determine the real blast radius.

This matters because human approval is often presented as a compensating control for prompt injection, tool misuse, or autonomous execution risk. In practice, many systems implement approval at the wrong abstraction layer. The review happens on a summary of intent, while the dangerous details remain invisible or mutable: shell arguments, file paths, recipient addresses, token approvals, calldata, webhook targets, or follow-up actions generated after the approval was granted.

In security terms, approval bypass is a trust-boundary failure. The human believes they are authorizing a specific action, but the runtime still gives the AI system discretion over fields that should have been fixed before execution. That gap creates room for prompt injection, data exfiltration, or privilege escalation even when a visible confirmation step exists.

The issue becomes more severe in long-lived agents and financial systems. A standing approval can be reused later under different context, or a treasury agent can convert a seemingly benign “swap” approval into a materially different route, spender, or recipient. In those cases, the approval control is not just weak. It can create a false sense of safety that delays detection until after funds move or secrets leak.

Auditors should test whether approval is bound to exact sink-time parameters, whether those parameters can mutate after review, whether approvals persist across sessions, and whether logs preserve both the approved artifact and the executed artifact for later forensics.
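The checks in the paragraph above can be expressed as a sink-time gate. The following is an added example, not code from the original page: the function names, record fields and the sample swap action are assumptions made for illustration, and approvals are held by the runtime rather than passed through the model.

```python
import copy
import hashlib
import json
import secrets
import time

APPROVALS = {}   # approval id -> record, held by the runtime, not by the model
AUDIT_LOG = []   # approved and presented artifacts kept side by side

def canonical(action: dict) -> bytes:
    # Deterministic encoding so identical parameters always hash identically.
    return json.dumps(action, sort_keys=True, separators=(",", ":")).encode()

def digest(action: dict) -> str:
    return hashlib.sha256(canonical(action)).hexdigest()

def approve(action: dict, session: str, ttl: float = 300.0) -> str:
    """Record what the human reviewed: the full parameters, not a label."""
    approval_id = secrets.token_hex(8)
    APPROVALS[approval_id] = {
        "approved": copy.deepcopy(action),  # snapshot; later mutation cannot alter it
        "digest": digest(action),
        "session": session,
        "expires": time.time() + ttl,
        "used": False,
    }
    return approval_id

def execute(action: dict, approval_id: str, session: str) -> str:
    """Sink-time gate: returns 'executed' or the reason for refusal."""
    rec = APPROVALS.get(approval_id)
    if rec is None:
        result = "rejected: unknown approval"
    elif rec["used"]:
        result = "rejected: approval already used"
    elif rec["session"] != session:
        result = "rejected: approval from another session"
    elif time.time() > rec["expires"]:
        result = "rejected: approval expired"
    elif digest(action) != rec["digest"]:
        result = "rejected: parameters differ from approved artifact"
    else:
        rec["used"] = True
        result = "executed"  # the real tool call would happen here
    AUDIT_LOG.append({"approval_id": approval_id, "result": result,
                      "approved": rec["approved"] if rec else None,
                      "presented": copy.deepcopy(action)})
    return result
```

Every attempt, accepted or refused, leaves a log entry holding both the approved parameters and the parameters presented at the sink, so a later diff shows exactly which field changed.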
