A Guide to Human-in-the-Loop Approval in RAG

Many assume that adding a reviewer after a Retrieval Augmented Generation (RAG) pipeline finishes is enough to guarantee safe output, but that skips true human-in-the-loop approval. The reality is that once the language model receives a prompt, it can already leak proprietary data or generate harmful content before any human ever sees it. A post‑generation check does not stop the model from accessing the underlying knowledge base, nor does it provide an audit trail of what was asked.

RAG systems typically stitch together a vector store, a LLM, and an application layer. Engineers often wire the components together with static API keys, give the service account broad read access to the vector database, and let the LLM run unchecked. The result is a fast prototype, but the organization loses visibility into who queried what, when, and whether the response needed extra scrutiny.

What teams really need is a control point that can enforce human-in-the-loop approval *before* the model returns a response, while still preserving the developer experience. The control point must be able to see the full request, pause execution for an approver, optionally mask sensitive fields, and record the entire exchange for later review. Importantly, the control must sit on the data path, not merely in an external logging system.

Why the existing setup falls short

In the typical unsanitized state, a RAG service runs inside a private subnet with a service account that has read‑only access to the vector store and unrestricted invoke rights on the LLM. The service account is created once, stored in a secret manager, and shared across multiple micro‑services. No per‑request authentication or authorization is performed. When a user triggers a query, the request travels directly from the application to the LLM, bypassing any gate that could require a human decision.

Even when organizations add an external approval workflow, say, a ticket that a reviewer signs off on after the fact, the LLM has already processed the prompt. If the model inadvertently returns a confidential snippet, the damage is done. Moreover, because the request never passes through a central enforcement point, there is no reliable audit log that ties the query to a specific identity, nor is there any guarantee that sensitive fields are redacted before they leave the system.

Defining the precondition for safe RAG

The core requirement is a request‑level guard that can evaluate each incoming prompt, enforce human-in-the-loop approval, and optionally mask or block content. This guard must understand the user’s identity, enforce least‑privilege access, and be positioned where it can intercept traffic before the LLM sees it. The guard does not replace the identity provider; it consumes the identity token to decide whether the request is eligible for automatic execution or needs a manual sign‑off.

At this stage, the system still lacks a concrete enforcement mechanism. The request still reaches the LLM directly, without any real‑time approval, without any guarantee that the response will be inspected, and without a tamper‑evident record of the exchange. The precondition therefore solves the “who can ask” problem but leaves the “what happens to the request” problem open.

Introducing a data‑path gateway as the solution

Enter hoop.dev. It is an identity‑aware proxy that sits between the RAG application and the language model. By placing hoop.dev on the data path, every prompt and response passes through a single enforcement point. hoop.dev reads the OIDC token presented by the caller, checks the caller’s group membership, and then decides whether to allow the request to proceed automatically or to pause for a human approver.

Because hoop.dev is the active component in the path, it can enforce the following outcomes:

• Human‑in‑the‑loop approval: hoop.dev presents the pending prompt to an authorized reviewer, records the decision, and only forwards the request to the LLM after explicit approval.
• Inline masking: before the LLM’s answer reaches the application, hoop.dev can redact fields that match configured patterns, ensuring that confidential identifiers never leave the gateway.
• Session recording: hoop.dev captures the full request and response payloads, timestamps, and the approving identity, creating a reliable audit record for compliance and forensic analysis.
• Just‑in‑time access: the gateway issues short‑lived credentials to the vector store only for the duration of an approved query, limiting the attack surface.

All of these enforcement outcomes exist because hoop.dev is the only component that sits in the data path. The identity provider (Setup) determines who is making the request, but without hoop.dev the request would flow straight to the LLM, bypassing any guardrails. The gateway (Data path) is the sole place where policy can be applied, and hoop.dev actively enforces the policy.

How the architecture fits together

1. Setup: Users authenticate with an OIDC provider (Okta, Azure AD, Google Workspace, etc.). The token includes group claims that indicate whether the user is allowed to request automatic execution or must trigger an approval.

2. The data path: The RAG application sends the prompt to hoop.dev instead of directly to the LLM. hoop.dev validates the token, consults its policy store, and either forwards the request or queues it for a reviewer.

3. Enforcement outcomes: When a reviewer approves, hoop.dev forwards the prompt, receives the LLM’s answer, applies any masking rules, records the session, and finally returns the sanitized response to the application.

This separation makes it impossible for a compromised application to bypass the approval step, because the LLM never receives the prompt until hoop.dev explicitly forwards it. Likewise, any attempt to retrieve raw vectors from the store is blocked unless hoop.dev has granted a just‑in‑time credential for that specific request.

Getting started

Deploying hoop.dev is straightforward. The official getting‑started guide walks you through a Docker Compose deployment, OIDC configuration, and the creation of a policy that requires human‑in‑the‑loop approval for all RAG queries. Once the gateway is running, point your application’s LLM client to the hoop.dev endpoint and let the gateway handle the rest.

FAQ

Does hoop.dev replace my existing identity provider?

No. hoop.dev consumes the identity token issued by your provider. It does not store credentials or act as an IdP.

Can I still use automated queries for low‑risk prompts?

Yes. Policies can be fine‑grained: certain groups or request types can be allowed to bypass approval, while others always require a reviewer.

How does hoop.dev ensure the audit log cannot be tampered with?

Because hoop.dev is the only component that sees the traffic, it records each session before any data leaves the gateway. The logs are stored in a location you configure, providing a reliable audit trail.

By placing a gate in the data path, organizations can finally achieve true human-in-the-loop approval for Retrieval Augmented Generation without sacrificing developer velocity.

Explore the source code and contribute on GitHub.