AI agent in production: where should SMEs put human approval?

Why human approval becomes the real issue

For a while, AI usage in SMEs looked like a conversation.

Someone opened ChatGPT, Claude, Gemini or Mistral. They asked for a rewrite, a summary, a draft response, a document synthesis. There was already risk, especially around confidential data and false answers, but the final action usually stayed human. Someone copied, reviewed, sent, filed or corrected the output.

With AI agents, we move into another category.

An agent does not only generate text. It can use tools. It can read an inbox, query a CRM, call an API, modify a spreadsheet row, create a task, send a message, trigger a payment, publish content or open a support ticket.

France Num described this shift in its 18 May 2026 guide: small businesses are gradually moving from consumer AI tools to systems connected to existing business tools. The same guide also reminds readers that AI outputs must be checked, and that business leaders remain concerned about data security.

In other words: the more AI is connected to real work, the more human approval becomes concrete.

In an AI agents for business project, human approval is not a precaution added at the end. It is part of the architecture. It defines what the agent can do alone, what it can prepare, what it must ask to approve, and what it should never do.

Do not approve "AI". Approve actions

The first mistake is to treat human approval as a global switch.

"We want a human in the loop."

Good. But in which loop?

Approving a text response is not the same as approving a commercial discount. Approving email classification is not the same as approving quote delivery. Approving an internal note is not the same as approving a hiring decision.

The right unit of analysis is not the agent. It is the action.

The same agent can have four levels of autonomy:

This matrix avoids two traps.

The first trap is the frozen agent. Everything requires approval. The system becomes slower than the manual process, so teams abandon it.

The second trap is the overpowered agent. It can act on business tools without technical guardrails, and the company discovers mistakes after the fact.

The useful path is more precise: an agent can have significant autonomy on reading, preparation and structuring, but very little autonomy on actions that commit a customer relationship, sensitive data, a financial obligation or a person.

The risk matrix I would use in an SME

Before building a workflow, I would list every action the agent could perform.

Not the marketing features. The real business verbs.

Read. Summarize. Classify. Create. Modify. Send. Follow up. Delete. Invoice. Pay. Publish. Reject. Escalate.

Then I would classify them against five criteria.

This matrix is deliberately simple. It is made for an SME, not for a large-company governance committee.

Yet it is enough to prevent many bad decisions.

For example, an agent can automatically summarize every incoming email in a shared inbox. The risk is low if summaries stay internal and sources remain accessible.

The same agent can suggest a customer reply. The risk increases. Human approval is often needed, at least at the beginning.

It can create a quote draft in the business tool. That is useful, but you must define what happens if a discount exceeds a threshold, if a product cannot be found, if the customer is not identified or if the amount exceeds a limit.

It can send the quote to the customer. That commits the company. I would keep human approval before sending, especially in sectors where price, deadlines, conditions or technical feasibility can create disputes.

This is exactly the logic I followed in my field report on the AI agent that creates quotes from Telegram. The agent prepares, checks missing information and fills the tools. A human validates the final business commitment.

Where to place the pause point in the workflow

Effective human approval is not a sentence in a prompt.

Writing "always ask for confirmation before sending" in the agent instructions is useful, but not enough. A prompt is still a text instruction. A production guardrail should live in the workflow, at the action level.

In a tool like n8n, the official documentation describes human-in-the-loop for AI agent tool calls. The idea is simple: when an agent wants to use a sensitive tool, the workflow pauses and sends an approval request through a configured channel, such as Slack, Telegram, Teams, Gmail, Outlook, WhatsApp Business or the n8n chat interface. The reviewer sees which tool the agent wants to call and which parameters it proposes. The reviewer approves or denies. If approved, the tool executes. If denied, the action is canceled.

The important point is this: approval blocks the tool, not only the text.

For an agent connected to the CRM, quoting software or inbox, I want to see a structure like this:

1. The agent analyzes the request.
2. It prepares a structured action.
3. The workflow checks whether the action is sensitive.
4. If it is sensitive, the workflow requests approval.
5. The human sees the parameters before execution.
6. The action is executed, denied or sent back for correction.
7. The result is logged.

This is not much heavier to design. But it is much more robust than an agent that merely promises to ask before acting.

What the human must see before approving

An "approve" button is not enough.

If the manager receives a notification that only says "The agent wants to send an email. Approve?", the approval has almost no value. The human needs enough context to decide quickly and correctly.

In an SME, a good approval request should show at least:

• the proposed action,
• the customer, supplier, candidate or file involved,
• the fields that will be modified,
• the exact message that will be sent if the action is external,
• the sources used by the agent,
• missing or uncertain information,
• the estimated risk level,
• the consequences of approval,
• the person or team responsible in case of doubt.

Take a customer payment reminder.

Bad approval:

The agent wants to send a reminder. Approve?

Good approval:

Action: send invoice reminder. Customer: Dupont Menuiserie. Invoice: F-2026-0412. Amount: EUR 3,420 excluding tax. Overdue: 12 days. No customer email received in the last 7 days. Proposed message: [...]. Risk: medium, first reminder. Action if denied: create a task for the sales assistant.

The difference is huge.

In the first case, the human has to check everything elsewhere. In the second, they can decide inside the channel where they already work.

This is where workflow automation becomes useful. It does not replace judgment. It brings the right context at the right time.

Who should approve what

Human approval should not always go to the founder.

If every action goes through the CEO, the system becomes a bottleneck. In practice, you need authority levels.

The goal is to avoid two extremes: nobody controls anything, or everybody waits for the founder.

For every sensitive action, I recommend writing three things down:

1. Who can approve?
2. Who can deny?
3. What happens after a denial?

The third point is often forgotten. Yet a denial with no next step creates a dead end. The agent must know whether it should ask for clarification, create a task, escalate to someone else or abandon the action.

Cases where the agent should not decide alone

There are actions where human approval is not only a good practice. It becomes a condition for trust.

I would automatically place strong approval around:

• external messages with high commercial impact,
• invoices, credit notes, refunds and payments,
• data deletions or merges,
• price or discount changes,
• decisions that affect a person,
• HR, recruitment, evaluation or disciplinary use cases,
• legal or contractual content,
• communication in a conflict situation,
• actions involving sensitive data.

The EU AI Act follows a risk-based logic. It classifies some systems as high-risk, especially in employment, access to certain essential services, education, critical infrastructure and some biometric uses. For high-risk systems, Article 14 provides for effective human oversight, proportionate to risk, autonomy level and context of use.

Not every SME automation is a high-risk system under the AI Act. An agent that drafts a support reply or classifies internal emails is not the same thing as a tool that filters job applications.

But the logic is useful even outside regulated cases: the more an action touches a person, a right, a large amount of money, a sensitive relationship or confidential data, the more a human must remain able to understand, interrupt and correct.

This is not a blocker to automation. It is what makes automation usable beyond the demo.

Production does not stop at approval

Putting a human in the loop is not enough to make an agent reliable.

You also need to understand what happened afterwards.

In a production system, I want at least:

• an execution history,
• the agent's decisions,
• approvals and denials,
• the parameters actually sent to tools,
• errors,
• manual recovery steps,
• important workflow versions,
• retention or redaction rules for sensitive data.

n8n distinguishes manual executions, useful for testing, from production executions, launched automatically by triggers, webhooks, schedules or events. Executions make it possible to see whether a workflow succeeded, failed or waited for an action. n8n documentation also describes error workflows, triggered when a workflow fails, as well as debugging or re-running past executions.

For an SME, that changes everything.

When an agent misclassifies a request, misses information or receives an unexpected API response, you do not want to discover the issue three weeks later. You need an alert, a link to the execution, a responsible person and a recovery path.

Human approval answers the question: "Who authorizes the action?"

Logs and alerts answer the question: "What happened, and how do we fix it?"

You need both.

Frequent mistakes

The first mistake is confusing supervision with proofreading.

Reviewing a final answer is useful, but it is not enough if the agent has already changed data behind the scenes. Approval must happen before the sensitive action, not after.

The second mistake is asking for too much approval.

If the agent asks for approval for every summary, classification and draft, the team gains nothing. It is just working in one more tool.

The third mistake is giving the agent too many tools.

An agent that can read the CRM, write into the CRM, send emails, create invoices, modify the drive, publish on LinkedIn and trigger reminders must be tightly constrained. The more tools it has, the more granular the permissions must become.

The fourth mistake is leaving thresholds in people's heads.

"Small discounts are fine." Good, but how small? 3 percent, 5 percent, 10 percent? On which product? For which customer? Up to which amount? If the rule is not written down, the agent cannot apply it properly.

The fifth mistake is forgetting adoption.

An approval point must arrive in the channel where the team actually works. If your team lives in Slack, Teams, Telegram or email, approval must fit there. If you impose an interface nobody opens, the system will eventually be bypassed.

A simple 30-day plan

For an SME that wants to connect an AI agent to its tools without skipping the hard parts, I would start with a short plan.

Week one: map one workflow.

Not the whole company. One precise flow: inbound requests, quotes, reminders, support tickets, sales call notes, supplier invoices. List the actions, tools, data and exceptions.

Week two: classify actions by risk level.

Decide what the agent can read, prepare, modify, send or never do. Define thresholds: amount, discount, customer type, channel, urgency, sensitivity.

Week three: build the workflow with approval on sensitive actions.

Keep the scope deliberately narrow. One useful production agent is better than five spectacular demo agents.

Week four: test with real cases.

Not only clean examples. Incomplete emails, poorly named customers, CRM duplicates, ambiguous requests, denials, bad API responses, late approvals. That is where the system becomes serious.

Only then should you reduce some approvals.

For example, after several weeks without errors on a low-risk action, you can move from systematic approval to sample-based review. But I would almost never start there.

What I would do for a first agent

If I had to choose a first AI agent to put in production for an SME, I would not start with the most spectacular action.

I would choose a flow with regular volume, manageable risk and visible benefit.

Good candidates include:

• qualifying inbound emails and drafting replies,
• preparing quote drafts from field messages,
• summarizing sales calls and creating CRM tasks,
• classifying supplier invoices and flagging anomalies,
• preparing customer reminders without sending them automatically,
• routing support tickets with a suggested response.

These use cases share one thing: the agent removes repetitive work without making the business-critical decisions alone.

This is the logic I already used in the sales call analysis pipeline with n8n, Whisper and GPT-4o, the Pennylane invoicing automation with n8n, and the quote agent connected to Telegram.

In each case, AI is useful because it lives inside a workflow. Not because it "thinks" in isolation.

And when the workflow becomes critical, human approval becomes as important as the model you choose.

Sources consulted

• France Num, L'intelligence artificielle dans les TPE et PME : 10 réponses concrètes aux questions que se posent les dirigeants, published 18 May 2026, accessed 20 May 2026.
• France Num, Intégrer l'IA : retours d'expériences et cas d'usages accessibles aux PME, published 27 April 2026, accessed 20 May 2026.
• n8n Docs, Human-in-the-loop for AI tool calls, official documentation accessed 20 May 2026.
• n8n Docs, Executions, official documentation accessed 20 May 2026.
• Regulation EU 2024/1689, Article 14 on human oversight, Official Journal of the European Union, accessed 20 May 2026.
• European Commission, AI Act and risk-based approach, accessed 20 May 2026.

Conclusion

A production AI agent does not need to be autonomous everywhere.

It should be autonomous where risk is low, useful where work is repetitive, careful where the company is committing itself, and blocked where human judgment remains necessary.

Human approval is not a weakness. It is the mechanism that lets the agent act inside real business tools without turning every action into a gamble.

For an SME, the right goal is not "zero humans". The right goal is "the right human, at the right time, with the right context".

That is exactly what separates an AI agent that looks good in a demo from a system that holds up in production. If you want to frame this kind of workflow, the natural entry points are my AI Agents and Automation & Workflows pages. The work rarely starts with the model. It starts with the list of actions the agent will be allowed to perform.