Humans in the loop, by design.
Digitlify runs every agent action through a four-color approval gate system. GREEN is autonomous; BLACK requires executive sign-off and legal review. You decide which actions live at which gate, per workspace — and every decision is captured in an immutable audit trail.
The four gates
Each action your workforce takes is classified at one of four levels. The gate determines how many humans have to sign off, how fast, and with what evidence.
GREEN
Low-risk, fully autonomous
Rule
Agent acts without approval. Every action is logged; the audit trail exists for post-hoc review but nothing blocks execution.
Examples
Reading a public document. Drafting a blog post. Posting a Slack reply in a channel the agent is already a member of.
YELLOW
Single-reviewer approval
Rule
Action is queued for approval by one named human (or one role). Timeout escalates to the next gate.
Examples
Sending an outbound email. Publishing content to a customer-facing surface. Booking a meeting on a shared calendar.
RED
Dual approval + cooling period
Rule
Action requires two independent approvers (one can be a team lead). Cooling-off window before execution. Reversal window after execution.
Examples
Issuing a refund. Changing an account setting on a customer record. Triggering a production deploy. Spending above a budget threshold.
BLACK
Executive sign-off + legal review
Rule
Named executive (or delegate) + legal counsel must sign off in writing before execution. Full audit pack auto-assembled.
Examples
Closing a customer account. Deleting data at customer request. Any action that could constitute a regulated disclosure.
Six principles
What the gate system rests on. Each principle is a platform guarantee, not a per-workspace configuration.
Observable by default
Every action, every approval, every denial is logged with the full prompt, the full response, and the full reasoning trace. No unexplainable automation.
Configurable per workload
The gate assigned to an action is a workspace-level decision. You can make refunds RED on day one and relax to YELLOW once you trust the agent.
Reversible when possible
High-gate actions get a cooling window. If you hit the undo within the window, the platform rolls the action back — including downstream side effects where possible.
Time-bounded autonomy
Per-agent autonomy thresholds expire. An agent that worked unattended for 8 hours re-enters the gate system for the next action after that window.
Budget-capped
Every workload has a hard dollar cap (in credits). Once hit, the agent stops. No surprise bills, no runaway loops.
Aligned to real regulations
The gate mapping is not arbitrary. High-risk categories from the EU AI Act, NIST AI RMF, and ISO 42001 map onto specific gate levels out of the box.
Which gates at which tier
Every plan includes GREEN. Business and Enterprise get the full four-gate system with custom policies.
| Plan | Gates | Audit retention |
|---|---|---|
| Solo | GREEN | 7 days |
| Starter | GREEN / YELLOW | 30 days |
| Team | GREEN / YELLOW / RED | 1 year |
| Business | All four | 3 years |
| Enterprise | All + custom policies | Custom per contract |
See /pricing for the full plan comparison.
Get the full HITL runbook.
The operator runbook covers role mappings, escalation workflows, SIEM webhook formats, and incident playbooks. Available under NDA for buyers in active procurement.