What changes between Tier 2 and Tier 3 in practice

I've been moving agents up and down the six-rung ladder for long enough now that I can feel which transitions are routine and which ones are cliffs. Most of the rungs are gentle steps. Going from Tier 0 (suggest) to Tier 1 (draft) is mostly a workspace change. Going from Tier 4 to Tier 5 is mostly a question of whether anyone reads the after-the-fact report.

The transition from Tier 2 to Tier 3 is not a step. It's the steepest cliff on the ladder, and the team I'm watching at any given moment is usually trying to climb it without ropes.

Tier 2 (execute with confirmation) is a tier where the human is still load-bearing on every action. The agent does all the work right up to the moment of execution and then stops, holds the action, and waits for someone to look at it. Wrong actions get caught in the confirmation dialog. The audit trail is partially the agent's work and partially the confirming human's identity stamp on each action. The bounds on what the agent can do barely matter, because every action gets a fresh human review.

Tier 3 (execute bounded) removes the per-action confirmation. The agent acts freely inside a policy. The human is no longer in the hot path of any individual action. Wrong actions execute. The only things standing between an agent mistake and a real consequence are the policy bounds, the recoverability of what the agent just did, and the audit trail that lets you reconstruct what happened after the fact.

That's the cliff. Every safety property that the human-in-the-loop step was carrying for you at Tier 2 has to move somewhere else before you make the jump. If it doesn't move, you don't have a bounded autonomy system. You have an unbounded agent with a policy file you haven't tested.

What the confirmation step was actually doing

The thing that makes the jump so steep is that the confirmation step wasn't just a safety gate. It was doing a half-dozen jobs at once, and almost no team I've watched names them all before they remove it.

The confirmation was your calibration check, every wrong action the human caught was a signal that the agent's confidence was misaligned with reality on that operation class. Confirmation rate, override rate, and edit rate were all free calibration data, generated continuously.

The confirmation was your audit completion, the human identity, the timestamp, and any edits became part of the record without anyone designing an audit pipeline. The agent proposed; a named human accepted; both sides sat in the log next to each other.

The confirmation was your bound enforcement, even if the policy bounds were sloppy, the human was reviewing against an internal sense of "is this in or out of scope" that nobody had to formalize. The bound lived in the reviewer's head and the policy file was decoration.

The confirmation was your recovery insurance, every action got a chance to be cancelled before it caused damage. "Agent proposed, human declined" is a much easier recovery story than "agent acted and the action turned out to be wrong."

When you remove the confirmation step, you remove all of those at once. The work doesn't go away; it gets reassigned. If the other parts haven't been built, the work doesn't get done, it just stops happening.

What has to be in place before the promotion is safe

Three properties have to be load-bearing before you cross from Tier 2 to Tier 3, and the rule of thumb I keep coming back to is that all three have to be in place at the same time. Two out of three is a category error.

Confidence calibration has to actually work. The Tier 3 agent is deciding, on each action, whether the action is inside or outside the policy bounds. That decision rests on a confidence number, and the confidence routing piece is the longer version of why the number has to be calibrated against ground truth before you can trust the routing. At Tier 2, you can ship with a miscalibrated confidence and the human absorbs the cost. At Tier 3, miscalibration becomes systematic mis-action. The right time to discover 0.85 doesn't mean what you think it means is during Tier 2, not after the promotion.

The check is almost never done. Take a sample of recent Tier 2 actions where confidence was above whatever floor you'd use as the Tier 3 fast-path threshold. Look at how often the human accepted versus edited versus rejected. If the acceptance rate at the proposed floor isn't high enough (north of 95% for anything with non-trivial blast radius) the number doesn't say what you think it says.

The audit trail has to be complete enough to debug post-hoc. At Tier 2 the audit was the byproduct of the confirmation flow. At Tier 3 it has to be designed, because the human signature is no longer there to fill in missing fields. The minimum bar: anyone reading the trail can answer four questions about any action, what did the agent do, what input did it have, what policy version was in effect, what was the agent's stated reason. Without those four, you can see that something went wrong but can't tell why.

The harder part is that the trail has to be queryable, not just stored. A pile of JSON blobs in object storage isn't an audit trail; it's an excuse for not having one. If you can't ask "show me every action where confidence was below 0.9" in seconds at Tier 2, you definitely can't pull that query after a Tier 3 incident, when you need it most.

The bounded policy has to be tight enough that worst-case execution doesn't damage anything you can't recover. Teams write this down loosely and then trust it without stress-testing. The right way to think about it: assume the agent will take the worst action permitted by the policy, on the worst day, against the worst target, and ask whether you can recover. "We'd revert in five minutes" is tight enough. "We'd reconstruct from backups for two days" isn't, regardless of how unlikely the worst case feels.

The policy is not where the team's sense of "the agent wouldn't do that" lives. The agent will do whatever the policy permits, eventually, given enough operations and enough drift. Worst-case execution is the operating assumption.

What can no longer be optional once you cross the line

A few things stop being nice-to-have the moment you sit at Tier 3.

Drift detection on the model. At Tier 2 you can swap the model behind the agent and watch the human-in-the-loop catch the resulting weirdness. At Tier 3 the swap is invisible until something it produced lands wrong. Any model change (new version, new prompt, new fine-tune, new provider) has to demote the agent back to Tier 2 for an observation period. This was already in the original ladder piece as a demotion criterion; at Tier 3 it stops being a discipline and becomes a hard requirement.

Per-policy versioning in the audit record. The policy file is going to change. Someone is going to tighten or loosen a bound. When an action three weeks old gets reviewed, the question "was this action permissible under the policy that was in effect at the time" has to be answerable, and it can only be answered if the audit record carries the policy version. Embedding the version is two lines of code at the action site and no fun at all to retrofit after the first audit asks for it.

A demotion path that isn't a redeploy. Things will go wrong. The agent will produce a bad action, the rollback will be ugly, the on-call will want the agent back at Tier 2 immediately. If the way to demote the agent is "open a PR and wait for CI," you don't actually have a demotion path, you have a wish. Demotion has to be a runtime configuration change, applied within minutes, with the same audit trail as any other policy change.

A continuous read on the bounded-action distribution. At Tier 2 the human is implicitly noticing if the agent's actions are clustering near a bound, asking for the same thing repeatedly, or exhibiting any of the other small signals that something's off. At Tier 3 nobody is looking unless someone designed a dashboard. The dashboard is a Tier 3 prerequisite, not a nice-to-have for later.

A real plan for the action that slips through. Bounded autonomy isn't infallible autonomy. The right operating posture is "this will go wrong eventually; what does the recovery look like." Have the runbook before the incident, not during it. The team that wrote the recovery playbook on a quiet afternoon is the team that recovers in twenty minutes when something fires at 2am.

The promotion isn't a calendar event

The pattern I see most often is that teams treat the Tier 2 to Tier 3 promotion as a calendar event. The agent has been running cleanly for three months, the team is tired of confirming every action, the executive sponsor wants to talk about scaling agent operations, so the promotion happens. The policy file gets a quick review, the confirmation step gets removed, and the agent starts acting.

The honest version is that the promotion is a build. It's calibration work, it's audit work, it's policy work, it's runbook work, and it's organizational work, convincing the team that they've earned the right to stop confirming each action by demonstrating that everything the confirmation was carrying has moved somewhere else. The work is the prerequisite. The calendar is the consequence.

When the build is done, the promotion is uneventful. The agent stops asking for confirmation; the dashboards keep showing healthy distributions; the audit trail keeps producing complete records; the occasional bad action gets caught by the rollback and the runbook. The team mostly forgets that the cliff was there.

When the build isn't done, the promotion is a slow-motion incident. The bad actions accumulate beneath the threshold of detection because nobody designed the detection. The audit trail has gaps because nobody designed the audit. The policy is loose because nobody stress-tested the worst case. By the time someone notices, the agent has been operating outside the bounds you thought it had for weeks.

The cliff between Tier 2 and Tier 3 is the place where bounded autonomy stops being a framing and starts being an operational practice. Either the practice is in place before you cross, or the cliff is doing the teaching for you. The first version is cheaper.

, Sid