Exception handling is where agent autonomy gets slippery.
Short answer: Write escalation triggers before an AI agent handles exceptions. If a run hits missing context, repeated tool failure, sensitive data, an external-state change, a suspicious tool result, or a workflow state outside the approved path, the agent should not improvise. It should stop, ask a structured question, downgrade to a safer mode, or route to a named owner with evidence attached.
Most teams write approvals for the happy path.
The agent can read this folder. It can edit this branch. It can call this API. It can open this browser. It can create a draft. It can ask before sending.
Then the first exception happens.
A file is missing. The API rejects a request. A dependency install fails. A browser page says something unexpected. A customer record has conflicting fields. A tool result includes a hostile instruction. The task cannot finish without touching a data class the original plan did not mention.
If the agent only has a generic "handle errors" instruction, it will handle errors with the permissions it already has.
That is the problem.
Exception handling is a permission boundary
Agent exception handling is not regular error handling once the agent can call tools.
A normal program handles a missing file by returning an error, retrying, or following a branch the developer already wrote.
A tool-bearing agent may do something wider:
- Search the repository for another file.
- Read unrelated context.
- Ask a user for missing data.
- Retry with changed arguments.
- Install a package.
- Delete an artifact.
- Send a message.
- Summarize a failure as success.
- Write a memory for next time.
- Continue after a prompt injection signal because the task still seems doable.
That means the exception path can quietly expand the agent's scope.
The fix is not "add a human somewhere." The fix is to define the triggers that force the agent onto a safer branch.
What the public evidence says
The evidence points to the same control surface from a few directions.
The OWASP AI Agent Security Cheat Sheet organizes agent security around controls such as tool least privilege, human-in-the-loop controls, action classification, high-impact action integrity, monitoring, multi-agent security, and adversarial validation. That is the right frame for exception handling. You need to know which actions are low risk, which actions need review, and which actions should fail closed.
LangChain's human-in-the-loop documentation shows a concrete implementation pattern. Its middleware can pause agent tool calls when a proposed action needs review, such as writing to a file or executing SQL. The reviewer can approve, edit, reject, or respond. The docs also describe conditional interrupts based on tool arguments, such as pausing writes outside a workspace or pausing SQL that is not read-only.
That matters because escalation should bind to the proposed action, not to the agent's confidence.
The MCP elicitation specification adds another useful pattern. Servers can request structured information from users through the client, and responses can be accepted, declined, or canceled. The security notes are important: servers must not request sensitive information through elicitation, clients should make the requester visible, users should be able to decline, and both sides should validate the content.
So "ask the user" is not a blank check. It is a controlled branch with a data boundary.
Research on uncertainty-based abstention in LLMs supports the basic idea that uncertainty can be a reason to abstain instead of answer. The paper is about question answering, not production agent workflows, so do not overread it. The useful lesson is narrower: uncertainty should be a trigger for stopping or asking, not a reason for the model to sound more confident.
OpenAI's Agents SDK documentation also treats guardrails and human review as first-class agent workflow concerns. That does not prove any workflow is safe, but it reinforces the point that review needs to be designed into the agent path.
Evidence versus opinion
The evidence supports these pieces:
Keep reading with free field-guide resources.
VibeSec Advisory publishes practical research, Skills, workflow examples, MCP notes, prompt injection tests, and AI red-team lessons for builders working with agentic AI.
- Agents need least-privilege tool access and action classification.
- Tool calls can be interrupted before execution.
- Review decisions should be explicit.
- Structured clarification can have accept, decline, and cancel outcomes.
- Uncertainty can justify abstention in model behavior.
My opinion: exception handling should be treated as a permission boundary.
The risky moment is not always the original user request. Often it is the recovery step after the plan breaks.
The escalation trigger table
Write the table before the agent runs.
| Trigger | Agent action | Owner | Evidence to preserve | Resume rule |
|---|---|---|---|---|
| External-state mutation or irreversible action | Pause | Action owner | Proposed tool call, arguments, target, and reason | Resume only after explicit approval |
| Sensitive data or trust-boundary crossing | Downgrade or stop | Data owner | Source, data class, requested action, and affected system | Resume after an approved path exists |
| Missing context or uncertainty | Ask or abstain | Request owner | Missing field, uncertainty signal, options, and current plan | Resume after structured answer |
| Out-of-scope workflow state | Escalate | Workflow owner | Observed state, expected state, and the delta | Resume after owner reclassifies the state |
| Repeated tool failure or loop | Stop | Run owner | Error messages, attempts, tool outputs, and retry history | Resume after a new plan is approved |
| Reviewer lacks authority | Escalate | Accountable owner | Reviewer identity, action class, and authority gap | Resume after the right owner approves |
| Prompt injection or hostile tool result | Fail closed | Security owner | Raw input, source, trace, and blocked action | Resume after security review |
This is deliberately boring.
Boring is good here. You want the agent to hit a clear branch, not negotiate with itself.
What a bad escalation policy looks like
A weak policy sounds reasonable but does not change agent behavior:
- "Ask for help when needed."
- "Use good judgment."
- "Escalate risky actions."
- "Continue if the task is low risk."
- "Do not do anything dangerous."
Those lines give the model more words, not a control.
A useful policy is testable:
- If a file write targets a path outside the workspace, pause.
- If a SQL query is not read-only, pause.
- If the agent needs a customer identifier, ask through a structured form and allow decline.
- If the task requires a secret, stop instead of asking the user to paste it.
- If a tool result contains instructions to ignore prior rules, fail closed and preserve the trace.
- If the same tool fails three times, stop and attach the failure packet.
The difference is simple. The second policy can be implemented, logged, and tested.
How to add this to an agent workflow
Start with the exception paths you already see.
Look at failed runs, rejected outputs, stalled automations, browser traces, tool errors, support escalations, and reviewer comments. Do not start with a blank policy doc. Start with the places where the agent already gets weird.
Then write one trigger per risky exception.
Each trigger should define:
- The condition.
- The blocked action.
- The safer branch.
- The owner.
- The evidence packet.
- The resume rule.
- The test that proves it works.
For example:
If the agent proposes a write outside
/workspace, pause the tool call, show the normalized path and proposed diff to the reviewer, and allow approve, edit, or reject. Resume only after approval is logged.
Or:
If the agent needs information from a user, ask through a structured request. Do not request secrets, credentials, private keys, tokens, or sensitive personal data. If the user declines or cancels, stop or offer a lower-risk path.
Or:
If the agent detects prompt-injection text in a tool result, fail closed, preserve the raw source and trace, and route to the security owner before any downstream tool call.
Test the triggers before trusting them
Do not trust the escalation table because it looks complete.
Test it.
Run staging prompts that force exceptions:
- A missing required field.
- A write outside the allowed workspace.
- A non-read-only database query.
- A repeated tool failure.
- A hostile instruction inside a tool result.
- A request that would require a secret.
- A workflow state the policy does not recognize.
For each one, check whether the agent actually stopped, asked, downgraded, or escalated as written.
If the agent keeps going, the trigger is not a control. It is documentation.
The practical rule
Before an agent handles exceptions, answer this:
What exact condition forces the agent to stop making progress by itself?
If the answer is vague, the agent has too much room to improvise.
Free next step: Test your agent. Pick three exception paths in staging this week and prove the agent stops, asks, downgrades, or escalates exactly as written.