Do not put every tool call behind human approval just because an agent is involved. Approval should protect meaningful risk, not turn every lookup into a modal.

Start with side effects. Sending an email, deploying, deleting data, issuing a refund, changing permissions, publishing content, placing an order, or calling an external system on behalf of a user may deserve approval. A read-only lookup usually does not, provided authorization and input validation already apply to it no matter whether a human or the agent issues the call; approval is not a substitute for either.

Overusing approval creates fatigue. Users stop reading the request, developers look for ways around the friction, and the approval screen becomes theater instead of a real control.

Classify tools by risk. Some tools can run automatically after validation. Some need stricter authorization. Some need human approval. Some should not be exposed to the agent at all.

In Microsoft Agent Framework, that distinction can be made at the tool boundary:

using Microsoft.Agents.AI;
using Microsoft.Extensions.AI;

// GetCustomerAsync and IssueRefundAsync are the application's own tool methods,
// defined elsewhere; only the registration at the tool boundary is shown here.

// Read-only lookup: runs automatically after normal validation and authorization.
AIFunction getCustomer =
    AIFunctionFactory.Create(GetCustomerAsync);

// Side effect: the raw function is never handed to the agent directly.
AIFunction issueRefund =
    AIFunctionFactory.Create(IssueRefundAsync);

// Wrapping it means the framework pauses and asks the application for
// approval before the refund executes.
AIFunction approvalRequiredRefund =
    new ApprovalRequiredAIFunction(issueRefund);

AIAgent supportAgent = chatClient.AsAIAgent(
    name: "support-agent",
    instructions: "Help support staff inspect customers and prepare refunds.",
    tools:
    [
        getCustomer,
        approvalRequiredRefund
    ]);

The read-only lookup can run automatically after normal validation and authorization. The refund tool is a side effect, so the agent can request it, but instead of invoking the function the framework hands the application an approval request; the refund runs only if the application sends back an approval, and the model is told when it is rejected. The refund tool should still enforce its own authorization when it finally executes, since the approval step decides whether this particular call should happen, not whether the caller is allowed to refund at all.

Approval is strongest when it is rare, specific, and understandable. Show the exact operation and arguments, then let the user decide whether that side effect should happen.
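The following is an added example, not code from the original post or from Microsoft Agent Framework itself. It puts the risk classification described above (automatic, approval-required, not exposed) into one policy that builds the tool list, and then runs the agent in a loop that surfaces each approval request with the exact function name and arguments before resuming. The framework types (AIFunctionFactory, ApprovalRequiredAIFunction, FunctionApprovalRequestContent, AgentThread) are real; ToolRisk, ToolPolicy, ApprovalLoop, the three tool methods, and the sample data they return are hypothetical names and values introduced for illustration, and chatClient is assumed to be an IChatClient configured elsewhere.

```csharp
// Added example (not from the original post or the framework): classify tools
// by risk, wrap only side-effecting tools, and resume the agent only after a
// human has seen the exact operation and arguments.
using System.ComponentModel;
using Microsoft.Agents.AI;
using Microsoft.Extensions.AI;

enum ToolRisk { AutoRun, RequiresApproval, NotExposed }

static class RefundTools
{
    [Description("Look up a customer by id. Read-only.")]
    public static Task<string> GetCustomerAsync(string customerId) =>
        Task.FromResult($"customer {customerId}: active, 2 open orders"); // constructed sample data

    [Description("Issue a refund to a customer. Financial side effect.")]
    public static Task<string> IssueRefundAsync(string customerId, decimal amount, string reason) =>
        Task.FromResult($"refunded {amount:C} to {customerId} ({reason})"); // constructed sample data

    [Description("Permanently delete a customer record.")]
    public static Task<string> DeleteCustomerAsync(string customerId) =>
        Task.FromResult($"deleted {customerId}"); // constructed sample data
}

static class ToolPolicy
{
    // Build the agent's tool list from an explicit classification. AutoRun tools
    // are registered as-is, RequiresApproval tools are wrapped so the framework
    // pauses before invoking them, and NotExposed tools never reach the agent.
    public static IList<AITool> BuildTools(IEnumerable<(AIFunction Tool, ToolRisk Risk)> classified)
    {
        var tools = new List<AITool>();
        foreach (var (tool, risk) in classified)
        {
            switch (risk)
            {
                case ToolRisk.AutoRun:
                    tools.Add(tool);
                    break;
                case ToolRisk.RequiresApproval:
                    tools.Add(new ApprovalRequiredAIFunction(tool));
                    break;
                case ToolRisk.NotExposed:
                    break; // deliberately omitted from the agent's tool list
            }
        }
        return tools;
    }
}

static class ApprovalLoop
{
    // Run the agent. Each time it stops on approval requests, show the function
    // name and its arguments, ask the human, and resume the same thread with the
    // answers. The loop repeats because a later turn may ask for approval again.
    public static async Task<string> RunWithApprovalAsync(AIAgent agent, string userMessage, Func<string, bool> askHuman)
    {
        AgentThread thread = agent.GetNewThread();
        var response = await agent.RunAsync(userMessage, thread);

        while (true)
        {
            var requests = response.UserInputRequests
                .OfType<FunctionApprovalRequestContent>()
                .ToList();
            if (requests.Count == 0) break;

            var answers = new List<ChatMessage>();
            foreach (var request in requests)
            {
                FunctionCallContent call = request.FunctionCall;
                string args = string.Join(", ",
                    (call.Arguments ?? new Dictionary<string, object?>())
                        .Select(kv => $"{kv.Key}={kv.Value}"));
                // Specific and understandable: the exact operation and its exact arguments.
                bool approved = askHuman($"Approve {call.Name}({args})?");
                answers.Add(new ChatMessage(ChatRole.User, [request.CreateResponse(approved)]));
            }
            response = await agent.RunAsync(answers, thread);
        }

        return response.Text;
    }
}

// Usage (chatClient is an IChatClient configured elsewhere):
// IList<AITool> tools = ToolPolicy.BuildTools(
// [
//     (AIFunctionFactory.Create(RefundTools.GetCustomerAsync), ToolRisk.AutoRun),
//     (AIFunctionFactory.Create(RefundTools.IssueRefundAsync), ToolRisk.RequiresApproval),
//     (AIFunctionFactory.Create(RefundTools.DeleteCustomerAsync), ToolRisk.NotExposed),
// ]);
// AIAgent agent = chatClient.AsAIAgent(name: "support-agent",
//     instructions: "Help support staff inspect customers and prepare refunds.", tools: tools);
// string reply = await ApprovalLoop.RunWithApprovalAsync(agent,
//     "Refund customer C-17 $25 for a damaged item",
//     prompt => { Console.Write(prompt + " [y/N] "); return Console.ReadLine()?.Trim().ToLowerInvariant() == "y"; });
```

The classification lives in one place, so adding a tool forces a risk decision rather than defaulting to automatic execution, and DeleteCustomerAsync shows the fourth category: a function the application has but never exposes to the agent. The loop prints arguments straight from the FunctionCallContent the framework produced, so the human approves what will actually run rather than a paraphrase from the model.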