Patterns

Trust & Control Plane

Autonomy governance, operational configuration, transparency, and guardrail patterns that establish and maintain user trust in agentic experiences.

Configuration

Settings Templates

Reusable control groups for product teams that need durable agent boundaries across sessions, not one-off prompt instructions.

Reusable Settings Groups

Autonomy Settings

Set the maximum independence level, escalation threshold, and allowed action classes.

Notification Settings

Choose when background runs, blockers, approvals, and completions notify users.

Approval Policy Settings

Require confirmation for external communication, spending, publishing, and destructive edits.

Memory & Privacy Settings

Control durable memory review, workspace scope, expiry, and removal behavior.

Effective policy

Autonomy

Maximum Level 2: Human-in-Command

Applies to the current workspace until changed.

Review

External actions

Approval required before sending, publishing, or modifying shared records.

Risky actions should show a locked consequence preview before execution.

Required

Notifications

Notify on blockers, approvals, completions, and budget warnings.

Allowed

Memory

Durable memory is blocked until review settings are enabled.

Memory should not expand scope silently.

Blocked

Settings templates should use confirmation or undo for risky changes such as disabling approval gates, lowering escalation thresholds, or expanding memory scope.

Governance

Autonomy Level

Select how much independence the agent has. Higher levels increase speed but reduce oversight. Uses the 6-level autonomy scale from foundations.

Controls

Level 2·Human-in-Command

AI drafts outputs and proposes actions; human approves every one before execution.

Capabilities

Draft project findings for review

Propose requirement-to-test-case mappings

Suggest source requests to developer

Restrictions

Cannot send emails without approval

Cannot modify project records

Cannot create or close findings

Surface: Approval modal

Property	Value	Notes
Scale	6 levels (1–6)	From Human-Augmented to Human-Out-of-the-Loop
Default	Level 2	Start conservative, unlock higher levels over time
Indicator	Stepped bar	Discrete steps, not a continuous slider

Autonomy levels should be progressive — start at Level 2 for new workflows and unlock higher levels only after the agent has demonstrated reliability. Never default to full autonomy for review tasks that affect approval outcomes.

Governance

Mode Toggles

Switch the agent's operational mode to focus on different aspects of the review workflow. Each mode changes available tools and priorities.

Controls

Requirements mode

Active

Focus

Ensuring all source material meets operating playbook requirements and policy alignment claims.

Available tools

Source completeness checker

Requirement coverage matrix generator

Policy alignment validator

Lifecycle document scanner

Mode	Focus	Tools
Requirements	Source material and policy alignment	4 requirements-specific tools
Research	Technical investigation	4 research-specific tools
Review	Deliverable review and audit prep	4 review-specific tools

Mode switching should be instant — no confirmation dialog needed since it only changes tool availability and focus, not data access. Reviewers typically switch modes multiple times during a single review session.

Governance

Context Scope

Define which documents and project artifacts the agent can access. Narrower scopes reduce noise; wider scopes enable cross-referencing.

Controls

Portal Only

ACME Customer Portal v3.1

Accessible documents

Project brief v3— Full document

QA Notes 2026-003— Product-specific checks

2 documents in scope

Scope	Documents	Use case
Portal Only	2 documents	Focused work on a single product
Portal + Policy	4 documents	Evaluating policy alignment claims
Global	6 documents	Cross-referencing across full project workspace

Context scope directly affects response quality and cost. A narrower scope produces faster, cheaper answers but may miss cross-document dependencies. For OR preparation, always use Global scope to ensure nothing is overlooked.

Permissions

Consent Flow

Explicit user consent before the agent takes sensitive or irreversible actions. Users can accept, decline, or learn more before deciding.

Controls

Action requires your approval

The agent wants to send a project finding summary to the developer contact for ACME Customer Portal v3.1.

Action preview

Email 2 findings (Export workflow, Timestamp handling) to project-owner@acme.internal with a 10-day response deadline.

Property	Value	Notes
Trigger	Sensitive or irreversible actions	Emails, deletions, external API calls
States	Prompt → Accepted / Declined	Three mutually exclusive states
Action preview	Required	Shows exactly what will happen before user decides
Reversibility	Settings override	Declined actions can be re-approved later

Consent flows should be lightweight enough that users don't develop "approval fatigue." Reserve them for actions with real consequences — sending external communications, modifying project records, or deleting source material.

Transparency

Confidence Display

How the agent communicates its certainty level through language, visual cues, and actionable follow-ups.

Controls

High confidence

Export workflow requires CSV and JSON export encryption for all data-at-rest operations. The product implements this through the approved export service referenced by the implementation notes.

Source: Project brief v3, §5.1.1

Level	Indicator	Language pattern
High	Green dot	Direct assertions with citations
Medium	Amber dot	Hedged language: "appears to," "based on"
Low	Red dot	Explicit uncertainty + verify action

Confidence indicators should never be hidden from the user. Even when the agent is highly confident, showing the source builds trust over time. Low-confidence responses must always offer a path to human verification.

Control

Kill Switch

Always-available mechanism to immediately halt agent execution. The stop control adapts its prominence to the agent's current state.

Controls

Agent idle

Waiting for instructions

State	Button style	Behavior
Idle	Subtle border	Present but low prominence
Running	Red-tinted background	Prominent, immediately accessible
Stopped	Resume + Discard options	Partial results preserved, user chooses next step

The stop button must always be reachable within one click. During long-running operations like batch requirement analysis, it should be the most prominent UI element. Stopped agents must preserve partial work — never discard without explicit user consent.

Transparency

Cost Transparency

Showing users the computational cost of agent operations. Compact mode provides a glanceable summary; detailed mode breaks down token usage and pricing.

Controls

13,134 tokens

·$0.21·

4.2s

Mode	Shows	Use case
Compact	Total tokens, cost, elapsed time	Inline display after each response
Detailed	Input/output split, model, pricing	Budget review and cost optimization

Cost transparency builds trust with procurement teams and lab managers who need to justify AI spending. The compact format should be unobtrusive; detailed mode is for when users actively want to understand costs.

Transparency

Data Provenance

Tracing information back to its origin. Sources mode shows where data came from; chain mode shows the full reasoning path from source to conclusion.

Controls

Project brief v3Primary

§5.1 — Requirement Definitions

94%

Operating playbookGuidance

§12.4 — Reviewer Actions

87%

Previous launch review (2025-08)Reference

§6 — Findings Summary

71%

Mode	Shows	When to use
Sources	Document, section, confidence, type	Quick verification of data origin
Chain	Source → fact → inference → conclusion	Auditing the full reasoning path

In complex review workflows, every claim must be traceable to source material. Data provenance mirrors the reviewer's own methodology — showing the chain from source document through extracted requirement to analytical conclusion. This makes agent outputs auditable by review teams.

Accountability

Audit Trail

Immutable log of all agent actions for requirements and review. Summary mode shows a compact timeline; detailed mode expands each entry with full context and source links.

Controls

14:02:11

Opened Project brief v3

14:02:14

Cross-referenced Export workflow QA notes

14:02:18

Flagged Export workflow for reviewer approval

14:02:22

Reviewer approved finding classification

Mode	Shows	Audience
Summary	Timestamp + action description	Quick scan during review
Detailed	User, outcome, source links	Formal audit and requirements review

Audit trails are a regulatory requirement in compliance and release-governance contexts. Every agent action must be logged with enough detail for an review team sessioner to reconstruct exactly what happened. The summary view keeps daily work manageable while the detailed view satisfies formal review needs.