You shipped the agent. Who tells it no?
You gave an agent access to money, messages, and data because it needed them to do the job. Veto checks the governed tool call before it reaches Stripe, your database, or a customer.
Start with the call that can hurt you.
Do not start with a governance program. Pick one risky workflow your buyer, teammate, or future self will ask about: refund, payment, export, account change, case update, send, or delete.
Wrap the agent once. Define when the workflow should run, wait, or stop. Everything else keeps moving until it earns a policy.
One policy, three verdicts.
The policy reads the tool arguments, actor, tenant, and context before execution. It returns allow, review, or deny.
Allow
Inside policy. The tool runs and the decision is recorded.
Deny
Outside policy. The tool never reaches the real system.
Review
Risky but possible. A human approves or rejects before execution.
You write:
"Refunds under $200 run on their own. Anything higher waits for me. Never refund a card we didn't charge."
A $42 refund gets a yes and runs. A $5,400 refund waits for you. A refund to a card with no matching charge gets a no, every time, no matter how the agent was talked into it.
Wrap one tool. Keep everything else.
The SDK wraps the tool call you already wrote. You do not rebuild the agent, switch frameworks, or move the workflow to a new platform. See the framework guides or install the SDK to start.
Every governed call leaves a decision record of what the agent tried and what policy did about it. That is runtime authorization: a check outside the model and before the action.
What changes the day after
The scary call has a stop
Refunds, exports, sends, deletes, and writes no longer depend on the agent behaving.
The record is inspectable
Tool, arguments, policy, verdict, actor, tenant, and reviewer live in one decision record.
The demo becomes credible
You can show the risky workflow your customer will ask about, not a governance roadmap.
The blast radius is bounded
A wrong agent can still be wrong. It cannot be wrong past the policy boundary.
Objections worth settling early
"I'll just add an if-statement in the tool."
You can, and you will add another for the next tool, a third when the limit changes, and a fourth you forget about. Veto keeps the decision path in one place: policy, approval, record.
"My framework already has human-in-the-loop."
Framework pauses live inside the framework's runtime, on the calls it was written to catch, and they vanish when the run restarts or hands off to another step. Veto sits below that, on the tool call itself, and keeps the record either way. The two stack. See how approvals work as a runtime layer.
"I'm the only one here. I don't need approvals."
Then most calls get a yes and run, and you never see them. The point is not a process. The point is that the three or four calls that could end your week wait for the one human who can say no: you.
Frequently asked questions
I already told the agent to be careful in the prompt. Why isn't that enough?
Do I have to map every policy first?
What happens when a rule says to wait on me?
Does this slow the agent down?
Related
Draw one line before the agent crosses it.
Wrap the agent once. Define the policy. Ship it today.