Autonomy and approvals

Control when the agent can use tools automatically and when it must ask for your approval.

Autonomy settings determine how much the agent can do before asking you to approve a tool call. You can set separate policies for work you trigger and delegated work that runs as you.

Where to find it

Open Settings → Agent.

When a tool requires confirmation during a run, an approval card appears in the channel with Approve and Deny actions.

Resource boundary

Every agent run is tied to a trigger user. The agent can use only resources that user can access, including:

  • The user's private desktop filesystem.
  • Files shared with the user through Team Drive, Shared with me, or channel shares.
  • Integrations, MCP servers, and skills that the user owns or that have been shared with them.
  • Channels and other workspace objects the user is allowed to see.

The agent does not silently access another member's private home directory or private credentials. Work that requires another person's private resources must run as that member.

Runs triggered by you

The Run by you setting applies when you are the trigger user. This includes runs started by a message you sent, one of your scheduled tasks, or an email, Messaging, or Slack identity paired with your account.

OptionBehavior
Ask for everythingThe agent asks permission before executing every tool.
Auto (AI tool review)An AI reviewer evaluates each action against your Auto tool review policy.
Run everythingThe agent runs tools without asking for permission.

Runs delegated by another member

The Run by another workspace member setting provides the same three options for delegated runs. It most commonly applies when a subagent runs as you even though another member started the parent conversation.

For example, suppose Alex asks the agent for a file that exists only on Blake's private desktop:

  1. Alex's agent cannot read Blake's private file directly.
  2. The agent can dispatch a subagent that runs as Blake.
  3. That subagent uses Blake's resource boundary, including Blake's files and private integrations.
  4. Tool calls follow Blake's Run by another workspace member policy.

This setting does not let teammates casually take over your desktop. It controls approval behavior when another member's workflow needs a step to execute as you, such as:

  • Reading or editing one of your unshared files.
  • Using a private integration that you have not shared with the workspace.
  • Completing a step that must run in your user container.

Choose Ask for everything or Auto (AI tool review) here if you want additional review whenever a delegated workflow uses your access.

Auto tool review policy

The policy editor appears when either permission level is set to Auto (AI tool review).

  • Enter up to 10,000 characters of Markdown instructions.
  • Describe which tool calls should require your explicit approval.
  • The reviewer uses the policy for both your own runs and delegated runs.
  • Select Save to persist your changes.

How the settings affect a run

  • Ask for everything pauses every tool call until you select Approve or Deny on its in-channel card.
  • Auto (AI tool review) lets the reviewer decide from your policy. Borderline actions and calls matched by the policy can still require manual approval.
  • Run everything removes the approval gate, but product safety limits and channel or task constraints still apply.

Task channels can additionally skip approvals for scheduled work through Whitelist task tools. See Tasks.