AI Governance
Action Confirmation Policy
How Allorc categorizes low-, medium-, and high-risk actions and when approval is required.
Action Confirmation Policy
This policy describes how Allorc categorizes AI-driven actions by risk and the approval posture that should apply to each category.
Purpose
Not every action taken by an AI worker carries the same level of risk. This policy is intended to align product controls with the likely impact of an action.
Risk categories
| Category | Typical examples | Default approval posture |
|---|---|---|
| Low risk | Summaries, internal drafting, note organization, task creation, suggested replies | May run automatically within granted permissions |
| Medium risk | Sending emails to external recipients, modifying shared documents, creating calendar invites, calling selected APIs | Should require either prior user authorization for that action class or a configurable approval step |
| High risk | Financial transactions, deleting large data sets, changing security settings, making legally binding commitments, sending irreversible instructions to third parties | Should require explicit confirmation before execution unless a customer has knowingly enabled autonomous execution for that category and Allorc supports that control |
User configuration matters
The final behavior for a given action depends on:
- the permissions granted to the AI worker;
- the presence or absence of approval controls;
- the maturity of the relevant feature;
- the connected service through which the action will run.
Current product posture
Allorc intends to expand approval controls over time. Until a feature expressly supports autonomous execution for a high-impact category, users should assume that sensitive actions require human review before reliance or completion.
Override and responsibility
If a user or customer deliberately configures more autonomous behavior, that user or customer remains responsible for that decision and for supervising downstream consequences.
Relationship to other policies
This policy should be read with the Autonomous Agent Policy, AI Services Policy, and Terms of Service.