Open Standard · v1.0 · 2026

ESCALATE.md

// AI Agent Human Approval Protocol

A plain-text file convention for defining human notification and approval protocols in AI agent projects. Place it in your repo root — alongside AGENTS.md — and define which actions require human sign-off.

View on GitHub Acquire This Domain
ESCALATE.md
# ESCALATE   > Human approval protocol. > Spec: https://escalate.md   ---   ## TRIGGERS   always_escalate:   - deploy_to_production   - send_external_communication   - financial_transaction   - delete_data   - privilege_change   - cost_exceeds_usd: 100.00   ## CHANNELS   channels:   - type: email     address: [email protected]     timeout_minutes: 15   - type: slack     channel: "#ai-alerts"     timeout_minutes: 10   ## APPROVAL   approval_timeout_minutes: 30 on_timeout: escalate_to_killswitch on_denial: halt_and_log on_approval: proceed_and_log
$2.4M
average cost of an unauthorized AI action incident — Gartner 2025
78%
of organizations now use AI agents with external action capabilities
30 min
ESCALATE.md default approval timeout before automatic escalation to KILLSWITCH
Aug 2026
EU AI Act mandates human oversight for all high-risk AI decisions
// What is ESCALATE.md

AGENTS.md tells it what to do.
ESCALATE.md asks permission first.

ESCALATE.md is a plain-text Markdown file you place in the root of any repository that contains an AI agent. It defines which actions require human approval before execution — and how to notify humans when those triggers are hit.

What problem does ESCALATE.md solve?

AI agents can send emails, make payments, deploy to production, and delete data — autonomously, continuously, and at speed. Without explicit approval gates, a well-intentioned agent can take irreversible actions no human sanctioned. Once sent, an email can't be unsent. Once deleted, data may be gone forever.

How does ESCALATE.md work?

Drop ESCALATE.md in your repo root and define: which actions always require human approval (deploys, payments, bulk communications), which channels to notify (email, Slack, PagerDuty), how long to wait for a response, and what to do if no one answers. The agent reads it on startup. Your compliance team reads it in the audit.

What regulations require ESCALATE.md?

The EU AI Act (effective August 2026) mandates human oversight for high-risk AI decisions. Multiple frameworks require audit trails of who approved what and when. ESCALATE.md creates that trail automatically — every approval, denial, and timeout is logged with timestamp and approver identity.

How do I add ESCALATE.md to my project?

Copy the template from GitHub and place it in your project root:

your-project/
├── AGENTS.md
├── CLAUDE.md
├── ESCALATE.md ← add this
├── README.md
└── src/

What did teams use before ESCALATE.md?

Before ESCALATE.md, approval rules were scattered: hardcoded in the system prompt, buried in config files, missing entirely, or documented in a Notion page no one reads. ESCALATE.md makes approval requirements version-controlled, auditable, and co-located with your code.

Who benefits from ESCALATE.md?

The AI agent reads it on startup. Your engineer reads it during code review. Your compliance team reads it during audits. Your regulator reads it if something goes wrong. One file serves all four audiences.

// The AI Safety Escalation Stack

A complete protocol.
From slow down to shut down.

ESCALATE.md is one file in a complete twelve-part open specification for AI agent safety. Each file addresses a different level of intervention.

Operational Control
01 / 12
THROTTLE.md
→ Control the speed
Define rate limits, cost ceilings, and concurrency caps. Agent slows down automatically before it hits a hard limit.
02 / 12
ESCALATE.md
→ Raise the alarm
Define which actions require human approval. Configure notification channels. Set approval timeouts and fallback behaviour.
03 / 12
FAILSAFE.md
→ Fall back safely
Define what safe state means for your project. Configure auto-snapshots. Specify the revert protocol when things go wrong.
04 / 12
KILLSWITCH.md
→ Emergency stop
The nuclear option. Define triggers, forbidden actions, and a three-level escalation path from throttle to full shutdown.
05 / 12
TERMINATE.md
→ Permanent shutdown
No restart without human intervention. Preserve evidence. Revoke credentials. For security incidents and end-of-life.
Data Security
06 / 12
ENCRYPT.md
→ Secure everything
Define data classification, encryption requirements, secrets handling rules, and forbidden transmission patterns.
07 / 12
ENCRYPTION.md
→ Implement the standards
Algorithms, key lengths, TLS configuration, certificate management, and FIPS/SOC2/ISO compliance mapping.
Output Quality
08 / 12
SYCOPHANCY.md
→ Prevent bias
Detect agreement without evidence. Require citations. Enforce disagreement protocol for honest, unbiased AI outputs.
09 / 12
COMPRESSION.md
→ Compress context
Define summarization rules, what to preserve, what to discard, and post-compression coherence verification checks.
10 / 12
COLLAPSE.md
→ Prevent collapse
Detect context exhaustion, model drift, and repetition loops. Enforce recovery checkpoints before coherence degrades.
Accountability
11 / 12
FAILURE.md
→ Define failure modes
Map graceful degradation, cascading failure, and silent failure. Specify health checks and per-mode response procedures.
12 / 12
LEADERBOARD.md
→ Benchmark agents
Track task completion, accuracy, cost efficiency, and safety scores across sessions. Alert on performance regression.
// FAQ

Frequently asked questions.

What is ESCALATE.md?

A plain-text Markdown file defining which AI agent actions require human approval before execution. It configures notification channels, approval timeouts, and fallback behaviour. Every escalation event — approval, denial, timeout — is logged with full context for audit purposes.

How does ESCALATE.md relate to KILLSWITCH.md?

ESCALATE.md is the pause-and-ask layer. KILLSWITCH.md is the emergency stop. An agent hitting an escalation trigger pauses and notifies a human. If no human responds within the configured timeout, ESCALATE.md automatically hands off to KILLSWITCH.md for a full shutdown.

What actions should always trigger escalation?

Production deployments, external communications (emails, messages to real recipients), financial transactions, permanent data deletion, privilege changes, and any action estimated to cost over a defined threshold. ESCALATE.md lets you define this list per project.

How does the agent receive approval?

Three methods: reply to the escalation email with APPROVE or DENY, react to the Slack notification with ✅ or ❌, or POST to the agent's approval API endpoint with a signed token. All methods are logged with the approver's identity.

What context does the escalation notification include?

The action requested (plain English), why the agent believes it's necessary, estimated cost, reversibility, alternatives considered, session ID for log correlation, and the approval deadline. Enough context for a human to make an informed decision quickly.

What happens if no one approves in time?

Configurable. Default behaviour: escalate to KILLSWITCH.md for a full stop. Alternative: deny the action automatically and log the timeout. You define the timeout period and the fallback in ESCALATE.md.

ESCALATE.md Specification

An open specification for AI agent human approval protocols. Defines TRIGGERS (actions always requiring approval: deploys, payments, bulk comms, data deletion), CHANNELS (email, Slack, PagerDuty with timeouts), APPROVAL methods (email reply, Slack reaction, API endpoint), CONTEXT requirements (action, reason, cost, reversibility), and AUDIT logging. Part of the AI safety stack: THROTTLE.md → ESCALATE.md → FAILSAFE.md → KILLSWITCH.md → TERMINATE.md → ENCRYPT.md → ENCRYPTION.md → SYCOPHANCY.md → COMPRESSION.md → COLLAPSE.md → FAILURE.md → LEADERBOARD.md. MIT licence.

// Domain Acquisition

Own the standard.
Own escalate.md

This domain is available for acquisition. It is the canonical home of the ESCALATE.md specification — the human oversight layer of the AI agent safety stack, directly relevant to EU AI Act human-in-the-loop requirements.

Inquire About Acquisition

Or email directly: [email protected]

Last updated: March 2026

Get notified when the spec updates.

No spam. Unsubscribe anytime.

Disclaimer: This specification is an open file convention published under the MIT licence, provided "as-is" without warranty of any kind, express or implied. It does not constitute legal, regulatory, compliance, financial, or professional advice in any jurisdiction. Use of this specification does not guarantee compliance with any law, regulation, directive, or standard — including but not limited to the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), the Colorado Consumer Protections for Artificial Intelligence Act (SB 24-205), California AI transparency laws, or any other applicable national, state, federal, or international legislation. Organisations are solely responsible for determining their own regulatory obligations and should consult qualified legal and compliance professionals. The authors and domain holders accept no liability for any loss, damage, or regulatory consequence arising from the use or implementation of this specification. All domain names in the AI Agent Safety Stack are independently held assets and may be available for acquisition.