Use two-person rules for high-impact actions
When **one approver is not enough**, separate **who proposes** from **who commits** on destructive or money-moving tools using **split agents**, **narrow tool policies**, and **workflow human steps** ([Run a workflow](/tutorials/run-a-workflow), [Require human approval before risky actions](/tutorials/require-human-approval-before-risky-actions)) so governance sticks without freezing everyday work.
Plus three Admin-Agent passes: draft a maker/checker table for [domain], compare dual-agent vs single-agent+workflow trade-offs, and rehearse emergency-override wording that still lands in **Audit Logs** ([View your audit logs](/tutorials/view-your-audit-logs)).
| Audience | Admins · Developers · Executives |
|---|---|
| Time | ~12 min |
| Prerequisites | Human gates feel familiar ([Require human approval before risky actions](/tutorials/require-human-approval-before-risky-actions)). Tool surfaces are intentional ([Define a tool policy](/tutorials/define-a-tool-policy), [Manage your Credentials](/tutorials/manage-your-credentials)). Helpful: workflows ([Run a workflow](/tutorials/run-a-workflow)), handoff thinking ([Chain steps so agents hand off cleanly](/tutorials/chain-steps-so-agents-hand-off-cleanly)). |
| You'll end up with | A written **separation-of-duties pattern** for at least one high-impact action: named roles, which agent holds which tools, and where the workflow pauses, plus explicit **same-person guardrails** your org can audit. |
When a tutorial shows italic text in quotation marks, it usually mirrors a label or helper string inside Auxot. Product copy changes between releases — if something reads differently in your workspace, trust what you see on screen.
Callouts with a Worth knowing gold accent are meant as must-read context before you move on. Blockquotes that open with Tip are lighter, optional depth.
Why this matters
Single-step approval helps when one human must sanity-check an AI (Require human approval before risky actions). Some risks call for two distinct humans, the classic maker/checker arrangement: the person who requested a database purge is not the person who clicks yes; finance sends are not approved by the requester alone; production deletes require eyes from outside the requesting team.
Auxot does not ship a banking-style enforced identity firewall between steps: discipline lives in how you wire agents, credentials, and workflows. The payoff is proportionate control: specialists keep fast read-only agents; write tools attach only behind a workflow column that someone else owns.
This lesson is operational pattern language: not legal advice or a promise of regulatory fit.
Nothing enforces separation just because policy wants it: you assign workflow owners, you split tool policies, and you review Jobs for slips (View your audit logs).
Quick start
- Name the high-impact actions. Delete rows, merge PRs, send bulk mail, and transfer-funds-shaped integrations: be concrete (Define a tool policy).
- Pick pattern:
  - A. Split agents: a proposal agent (analysis + proposed command, no destructive tools); a commit agent (minimal tool policy with the destructive tool); humans route between them via workflow or runbook.
  - B. Workflow sandwich: agent proposes → human step assignee = checker role → second agent or same commit step fires only after approval (Run a workflow).
  - C. Channel ritual: Slack approval with two distinct roles named (Connect Slack to your agents): lighter weight; easier to cheat without discipline.
- Forbid same-human shortcuts. Document: requester cannot be approver on same task ID; escalate exceptions to named ops (Set up an Escalation).
- Credential split. Where possible, commit-agent credentials live in a credential scoped to reviewers (Manage your Credentials): this reduces "oops, I still had prod keys on my laptop" problems.
- Log checks. Monthly sample: verify checker ≠ requester on random Jobs rows (View your audit logs).
Done? One high-impact action mapped end-to-end: diagram or short table ops can defend.
The agent can do that?
1. Maker/checker table
Chat → Admin Agent:
Domain: [ops/finance/support]. List top five high-impact tools or MCP actions. Table columns: Action | Maker role | Checker role | Should tools split across agents? Output as markdown, no legal claims.
Why it’s non-obvious: Teams confuse approval with notification; the table forces you to state dual-human intent once you name the domain.
2. Pattern trade-offs
Compare Pattern A split agents vs Pattern B workflow sandwich for [one action]. Bullets: speed, cheat resistance, and Audit Logs clarity. Recommend one. Assume Business tier workflows exist.
Why it’s non-obvious: Advice copied from blog posts rarely fits your volume; paste your own stakes, because the recommendation depends on them.
3. Emergency-override paragraph
Draft emergency-override policy: incident overrides two-person rule, requires named VP + ticket ID, log to shared channel. Four sentences, operational tone.
Why it’s non-obvious: Emergencies otherwise erase controls silently; the paragraph gives auditors something finite that you still vote on.
Go deeper
Adversarial rehearsal
Run fake “I already got verbal approval” prompts against commit-step agents (Red-team your agents against prompt injection): instructions must still defer.
Model swaps
Regression packs catch quiet authorization changes when the underlying model changes (Catch regressions after you change an agent).
Roster review
Retire duplicate commit-step agents (Audit and clean up your agents): shadow agents bypass separation quietly.
Customer narrative
When buyers ask how you enforce separation, cite runbooks + Audit Logs methodology (Build an audit narrative from your logs): still not a certification. When the person who owns that narrative rotates, *Hand off the audit narrative when your compliance lead changes* keeps the maker/checker reasoning intact across the role change.
Walkthrough
Step 1: Pick one action
Smallest destructive scope: prove pattern before cataloging twenty tools.
Step 2: Implement Pattern A or B
Wire Settings → Agents + workflow columns: dry-run with New task (Run a workflow).
Step 3: Train checkers
Checker cheat sheet: three bullets on what proves intent vs theatrics (Require human approval before risky actions).
Step 4: Calendar audit sample
Quarterly: five tasks; verify roles differed (Run a quarterly review of your agents hooks).
Step 5: Document exception path
Emergency-override lives beside normal flow: not whisper folklore.
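The "Log checks" sample from Quick start and the Step 4 audit sample, sketched as an added example (not Auxot code and not part of the original tutorial): it samples high-impact rows from an exported Jobs list and flags same-person approvals, missing checkers, and overrides that lack a named VP or ticket ID. The row field names, action names, and finding labels are assumptions, and the sample rows are constructed.

```python
import random

# Constructed sample of exported Jobs rows. Field names are hypothetical,
# not Auxot's export schema; map them to whatever your export contains.
JOBS = [
    {"task_id": "T-101", "action": "db.purge", "requester": "ana", "approver": "raj", "override": None},
    {"task_id": "T-102", "action": "funds.send", "requester": "lee", "approver": "lee", "override": None},
    {"task_id": "T-103", "action": "db.purge", "requester": "ana", "approver": None, "override": None},
    {"task_id": "T-104", "action": "repo.merge", "requester": "kim", "approver": "kim",
     "override": {"vp": "VP Ops", "ticket": "INC-1"}},
    {"task_id": "T-105", "action": "mail.bulk", "requester": "sam", "approver": "sam",
     "override": {"vp": "", "ticket": "INC-2"}},
    {"task_id": "T-106", "action": "report.read", "requester": "sam", "approver": None, "override": None},
]
HIGH_IMPACT = {"db.purge", "funds.send", "repo.merge", "mail.bulk"}  # assumed action names

def normalize(name):
    """Compare identities case- and whitespace-insensitively; None stays None."""
    return name.strip().lower() if name else None

def check_row(row):
    """Return a finding string for a high-impact row, or None if it passes."""
    if row["action"] not in HIGH_IMPACT:
        return None
    override = row.get("override")
    if override is not None:
        # Emergency path: needs a named VP and a ticket ID; every use is surfaced for review.
        if not (override.get("vp") and override.get("ticket")):
            return "override-incomplete"
        return "override-review"
    maker, checker = normalize(row["requester"]), normalize(row["approver"])
    if checker is None:
        return "no-checker"
    if maker == checker:
        return "same-person"
    return None

def audit_sample(rows, k=5, seed=None):
    """Sample up to k high-impact rows and return {task_id: finding} for failures."""
    pool = [r for r in rows if r["action"] in HIGH_IMPACT]
    rng = random.Random(seed)
    sample = rng.sample(pool, min(k, len(pool)))
    return {r["task_id"]: f for r in sample if (f := check_row(r))}

if __name__ == "__main__":
    for task_id, finding in sorted(audit_sample(JOBS, k=5, seed=1).items()):
        print(task_id, finding)
```

Record the seed with each sample so a reviewer can reproduce exactly which rows were checked.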
What’s next
- → Require human approval before risky actions. Single-human tiers first; pair with this lesson when regulations or culture demand two humans.
- → Run a workflow. Columns are where maker/checker separation often becomes hard to bypass casually.
- → Define a tool policy. Split tool policies: cheapest technical lever.
- → Manage your Credentials. Least privilege for commit-step identities.
- → Red-team your agents against prompt injection. Verify social-engineered shortcuts fail.
- → Run scheduled canary checks on production agents. Calendar-fired probes prove high-impact paths stayed gated after everything looked fine in review.
- → Hand off the audit narrative when your compliance lead changes. The narrative that documents your separation of duties has to survive a role change without losing the reasoning behind each maker/checker rule.
Reference
- Pages in Auxot: Workflows, Settings → Agents, Settings → Tool Connector Keys, and Audit Logs
- See also: Build an audit narrative from your logs, Run scheduled canary checks on production agents, Chain steps so agents hand off cleanly, Rotate credentials without surprising your agents, View your audit logs