All posts
June 15, 20263 min read

Approval workflows for AI agents on GCP

The action you want to pause An autonomous agent decides the cleanest way to fix a data problem is to delete and rebuild a table in your production BigQuery dataset. Technically it is in scope. Operationally it is the kind of thing a human should see first. Without a checkpoint, the agent simply does it, and you find out from the metrics. Approval workflows for AI agents on GCP exist to insert a human at exactly these moments, without slowing down the routine work the agent does fine on its own

Free White Paper

AI Agent Security + Access Request Workflows: The Complete Guide

Architecture patterns, implementation strategies, and security best practices. Delivered to your inbox.

Free. No spam. Unsubscribe anytime.
Coleman Nye

The action you want to pause

An autonomous agent decides the cleanest way to fix a data problem is to delete and rebuild a table in your production BigQuery dataset. Technically it is in scope. Operationally it is the kind of thing a human should see first. Without a checkpoint, the agent simply does it, and you find out from the metrics. Approval workflows for AI agents on GCP exist to insert a human at exactly these moments, without slowing down the routine work the agent does fine on its own.

This post covers how to gate risky agent actions against GCP-hosted infrastructure with approvals.

Why agents need a different approval model

Human access reviews assume a human who hesitates. An agent does not hesitate. It executes whatever its plan produced, at machine speed, with no instinct that says "this one is different." So the approval cannot live in the agent's judgment. It has to live in the path the agent's action travels through, where a policy can hold the action until a person responds.

The requirement is structural: the approval check must run where the agent cannot route around it or reconfigure it. If the agent can decide whether its own action needs approval, there is no control. The gate belongs outside the agent.

What to gate, and what to let flow

Good approval workflows are selective. Gate everything and the agent stalls and people rubber-stamp; gate nothing and you are back to no control. On GCP, a sensible split:

  • Flows without approval: reads within an agent's scope, idempotent queries, routine pulls from a BigQuery dataset.
  • Pauses for approval: destructive statements (DROP, DELETE, TRUNCATE) against a GCP-hosted database, schema changes, anything that touches a flagged production resource.

The split is a policy decision, and it should be expressed at the connection layer so it applies regardless of what the agent intends.

Continue reading? Get the full guide.

AI Agent Security + Access Request Workflows: Architecture Patterns & Best Practices

Free. No spam. Unsubscribe anytime.

Building the workflow with hoop.dev

hoop.dev is an open-source Layer 7 access gateway. It proxies the agent's connection to the GCP-hosted resource, and its review step is where the approval lives. Because the gate sits in the connection path, the agent cannot skip it.

  1. Register the GCP-hosted connections your agents use, for example a Cloud SQL instance or a BigQuery dataset.
  2. Enable GCP IAM federation so each request is attributed to a per-user short-lived OAuth identity. Approvers see who, not just what.
  3. Define which operations require approval on each connection. Destructive or production-touching actions route to a reviewer; in-scope reads flow through.
  4. When an agent issues a gated action, the gateway holds it until an approver responds. On approval, it proceeds; on denial, it never runs.
  5. Verify: have an agent attempt a DROP against a gated connection, confirm it pauses pending approval, approve it, and confirm the session record shows the request, the approver, and the outcome.

The routine query runs untouched. The destructive one waits for a person. That is the whole point of selective approval.

Keeping the approval honest

An approval is only as good as its record. Each gated request, who approved it, and the exact action should land in the session record, stored outside the agent. That way the approval is not a verbal nod that disappears; it is evidence you can show later that a human signed off on a specific command by a specific identity.

Pitfalls to avoid

  • Do not gate so broadly that approvers stop reading. Reserve approvals for genuinely risky actions so each one means something.
  • Do not let the agent self-classify which actions need approval. The policy must live outside the agent.
  • Do not expect approvals to cover the GCP control plane. hoop.dev gates actions on connections to GCP-hosted infrastructure, not GCP admin API calls.

FAQ

Will approval workflows block every agent action?

Only the ones you choose to gate. Routine, in-scope reads flow through; destructive or production-touching actions pause for a human. The split is yours to set per connection.

Who sees the approval request?

The reviewers you designate. Because GCP IAM federation attributes the request to a specific identity, approvers see which agent or principal asked, and for what exact action.

Is the approval recorded?

Yes. The request, the approver, and the outcome are captured in the session record, outside the agent process.

To add approval workflows for AI agents on GCP, run the open-source gateway at github.com/hoophq/hoop, see the getting started guide to configure your first gated connection, and read hoop.dev/learn for how the review step sits in the connection path.

Open source

Save the open-source gateway for agent data access

Hoop is MIT-licensed infrastructure for controlling how AI agents reach production data. Star hoophq/hoop so you can inspect it, deploy it, or share it when your team starts governing agent access.

Star and save the repo →More posts
Ask AI about this topic
ClaudeChatGPTGrokGeminiPerplexityCopilot