The naive approach of per-tool-call human approval in agentic AI systems is a solved problem in theory but an unsolved one in practice. Research from 2025–2026 converges on a clear finding: confirmation fatigue is not merely an inconvenience — it is a security vulnerability, an attack surface, and the single biggest obstacle to effective human oversight at scale. The good news is that a rich ecosystem of risk-tiered frameworks, middleware architectures, and design patterns has emerged to replace the binary confirm/deny paradigm. The bad news is that the Model Context Protocol itself provides no protocol-level mechanism for any of them, leaving every client to reinvent the wheel.

This report synthesizes academic research, protocol specifications, open-source tooling, industry frameworks, and practical architectures across five dimensions to map the full state of the art.

---

The confirmation fatigue problem is now formally recognized as a threat

The core problem the user identified — humans becoming rote “Confirm” executors — is no longer just a UX complaint. Rippling’s 2025 Agentic AI Security guide classifies “Overwhelming Human-in-the-Loop” as threat T10, describing how adversaries can flood human reviewers with alerts to exploit cognitive overload. A January 2026 SiliconANGLE analysis argues that “HITL governance was built for an era when algorithms made discrete, high-stakes decisions that a person could review with time and context” and that modern agent workflows produce “dense, miles-long action traces that humans cannot realistically interpret.”

The cybersecurity parallel is instructive and well-quantified. SOC teams field an average of 4,484 alerts per day, with 67% ignored due to false positive fatigue (Vectra 2023). Over 90% of security operations centers report being overwhelmed by backlogs. ML-based alert prioritization has demonstrated concrete improvements: one framework reduced response times by 22.9% while suppressing 54% of false positives and maintaining 95.1% detection accuracy. The direct lesson for agentic AI: risk-proportional filtering dramatically improves human performance compared to blanket approval requirements.

A February 2025 position paper by Mitchell, Birhane, and Pistilli (“Fully Autonomous AI Agents Should Not be Developed”) frames this as the “ironies of automation” — increasing automation paradoxically leads users to lose competence in the rare but critical tasks that actually need their attention. The CHI 2023 trust calibration literature documents how “cooperative” interactions (where users review each recommendation) degrade into “delegative” ones when users become passive or complacent. This is precisely the confirmation fatigue dynamic.

---

MCP mandates human oversight but provides no mechanism for it

The Model Context Protocol specification (v2025-11-25) takes an unambiguous position on principle: “Hosts MUST obtain explicit user consent before invoking any tool.” But the spec immediately undermines this with a critical caveat: “While MCP itself cannot enforce these security principles at the protocol level, implementors SHOULD build robust consent and authorization flows into their applications.”

The protocol provides tool annotations — readOnlyHint, destructiveHint, idempotentHint, openWorldHint — as metadata hints about tool behavior. However, these are explicitly described as hints “that should not be relied upon for security decisions,” since tool descriptions from untrusted servers cannot be verified. MCP’s sampling feature (sampling/createMessage) includes two HITL checkpoints — before sending the request and before returning results to the server — but uses SHOULD rather than MUST language, allowing clients to auto-approve.

No protocol-level approval request/response mechanism exists. There is no approval/request JSON-RPC method, no standardized requiresApproval field, no tool permission scoping, and no way for servers to programmatically indicate which tools demand human review. The most relevant active proposal is GitHub Issue #711 (trust/sensitivity annotations), which would add metadata like sensitiveHint (low/medium/high) to enable policy-based decisions including escalation to human review. This is linked to PR #1913 and carries the security label, but no dedicated Specification Enhancement Proposal for HITL workflows exists as of February 2026.

The consequences are visible in the ecosystem. Every major MCP client has independently built its own approval system: Claude Code uses allow/deny/ask arrays in a permissions config, Cline offers granular auto-approve categories plus a “YOLO mode” that bypasses all approvals, and users have created auto-approve scripts that inject JavaScript into Claude Desktop’s Electron app to circumvent confirmation dialogs. The fragmentation is a direct result of the protocol gap.

---

Risk-proportional engagement has become the consensus framework

Across both academia and industry, risk-tiered oversight is the dominant paradigm for replacing blanket confirmation. The idea is simple: classify tool calls by risk, auto-approve the safe majority, and focus human attention on the dangerous few.

The most rigorous academic framework comes from Feng, McDonald, and Zhang’s “Levels of Autonomy for AI Agents” (arXiv:2506.12469, June 2025), which defines five levels ranging from L1 Operator (full human control) through L5 Observer (agent acts autonomously). The paper introduces “autonomy certificates” — digital documents prescribed by third-party bodies that cap an agent’s autonomy level based on its capabilities and operational context. Critically, it observes that at L4 (Approver level, the MCP default), “if a user can enable the L4 agent with a simple approval, the risks of both [L4 and L5] agents are similar” — a direct theoretical grounding for why confirmation fatigue makes per-call approval security-equivalent to no approval at all.

Engin et al.’s “Dimensional Governance for Agentic AI” (arXiv:2505.11579, May 2025) argues that static risk categories are insufficient for dynamic agentic systems. It proposes tracking how decision authority, process autonomy, and accountability distribute dynamically across human-AI relationships, monitoring movement toward governance thresholds rather than enforcing fixed tiers. Cihon et al. (arXiv:2502.15212, February 2025, Microsoft/OpenAI affiliations) take a code-inspection approach, scoring orchestration code along impact and oversight dimensions without needing to run the agent.

Industry implementations converge on a three-tier pattern with minor variations:

• Low risk (read-only operations, information retrieval): Auto-approve, log only
• Medium risk (reversible writes, non-sensitive operations): Auto-approve with enhanced logging and post-hoc review
• High risk (irreversible actions, financial transactions, PII access, production deployments): Mandatory human approval, sometimes with multi-approver quorum

Galileo’s HITL framework recommends targeting a 10–15% escalation rate, with 85–90% of decisions executing autonomously. Confidence thresholds vary by domain: 80–85% for customer service, 90–95% for financial services, 95%+ for healthcare. The key insight from the Tiered Agentic Oversight (TAO) framework (arXiv:2506.12482) is that “requests for human review are often triggered where agents express high confidence but the system internally assesses the risk differently” — suggesting self-assessment should never be the sole gating mechanism.

---

Five design patterns that actually work beyond confirm/deny

Reversibility-aware gating focuses attention where it matters most

The single highest-leverage pattern is classifying actions by reversibility rather than abstract risk. A decision-theoretic model (arXiv:2510.05307) formalizes confirmation as a minimum-time scheduling problem using a Confirmation → Diagnosis → Correction → Redo cycle, finding that intermediate confirmation at irreversibility boundaries reduced task completion time by 13.54% while 81% of participants preferred it over blanket or end-only confirmation. The EU AI Act codifies this: high-risk AI systems must provide ability to “disregard, override or reverse the output,” and where outputs are truly irreversible, ex ante human oversight is the only compliant approach.

A practical taxonomy: read-only operations auto-approve; reversible writes (git-tracked file edits) log only; soft-reversible actions (sending emails, creating tickets) can be batched; and irreversible operations (deleting data, financial transfers, production deploys) require mandatory human gates. The critical nuance is that reversibility is contextual — deleting from a git repo is reversible, deleting from S3 without versioning is not.

Plan-level approval replaces action-level confirmation

Two complementary 2025–2026 systems address the user’s “intent overview / contract approach” concern. Safiron (Huang et al., arXiv:2510.09781, October 2025) is a guardian model that analyzes planned agent actions pre-execution, detecting risks and generating explanations. It found that existing guardrails mostly operate post-execution and achieved below 60% accuracy on plan-level risk detection, establishing a benchmark. ToolSafe (arXiv:2601.10156, January 2026) takes the complementary approach of dynamic step-level monitoring over each tool invocation, arguing that real-time intervention during execution catches what plan-level review misses.

The optimal architecture appears to be a hybrid: approve the plan at a high level, then monitor execution with automated step-level guardrails that can halt the agent if it deviates. OpenAI Codex’s “Long Task Mode” proposal demonstrates this concretely — the agent analyzes its plan and generates a dynamic whitelist of expected operations, the human reviews the whitelist (not individual calls), and the agent executes within those boundaries with batched questions accumulated for consolidated review.

Multi-tier oversight layers AI reviewers before human reviewers

The “AI-monitoring-AI” paradigm has matured significantly. TAO (Kim et al., 2025) implements hierarchical multi-agent oversight inspired by clinical review processes, with an Agent Router that assesses risk and routes to appropriate tiers. Gartner predicts guardian agents will capture 10–15% of the agentic AI market by 2030, categorizing them as Reviewers (content/accuracy), Monitors (behavioral/policy conformance), and Protectors (auto-block high-impact actions). Multi-agent review pipelines have demonstrated up to 96% reduction in hallucinations compared to single-agent execution.

The reference architecture emerging across implementations uses five layers: (1) deterministic policy gates (allowlists/denylists) as the fastest and cheapest filter, (2) constitutional self-assessment by the agent itself, (3) an AI supervisor/reviewer agent for uncertain cases, (4) human-in-the-loop for irreversible or novel situations, and (5) audit trail plus post-hoc review to catch patterns over time. Each layer reduces the volume flowing to the next.

Sandboxing provides “show, don’t tell” for human review

Rather than asking humans to evaluate tool calls in the abstract, sandbox-first architectures execute actions in an isolated environment and present actual results for review. The ecosystem is now production-ready: E2B provides Firecracker microVM sandboxes with sub-second creation; nono by Luke Hinds enforces kernel-level restrictions that cannot be bypassed even by the agent; Google’s Agent Sandbox runs on GKE with gVisor isolation; and AIO Sandbox provides MCP-compatible containers combining browser, shell, file operations, and VSCode Server.

NVIDIA’s AI Red Team guidance emphasizes that application-level sandboxing is insufficient — once control passes to a subprocess, the application has no visibility, so kernel-level enforcement is necessary. The practical limitation is that not all actions can be sandboxed: third-party API calls, email sends, and payment processing must interact with real services. For these, the dry-run pattern (where the agent describes what it would do and the human approves the description before live execution) remains the fallback.

Policy-based gating provides deterministic enforcement

Rule-based systems offer the most reliable first layer because they are deterministic, auditable, and impose zero LLM inference cost. SafeClaw (AUTHENSOR) implements a deny-by-default model where risky operations pause for human approval via CLI or dashboard, with a SHA-256 hash chain audit ledger. The COMPASS framework (Choi et al., 2026) systematically maps natural-language organizational policies to atomic rules enforced at tool invocation time, improving policy enforcement pass rates from 0.227 to 0.500 in benchmarks. However, COMPASS also exposed a fundamental limitation: LLMs fail 80–83% on denied-edge queries with open-weight models, demonstrating that policy enforcement cannot rely on LLM compliance alone and must use external deterministic gates.

A cautionary tale: Cursor’s denylist-based approach was bypassed four separate ways — Base64 encoding, subshells, shell scripts, and file indirection — before being deprecated, proving that string-based filtering is fundamentally insufficient for security-critical gating.

---

How the major frameworks implement human oversight today

LangGraph has the most mature HITL support. Its interrupt() function pauses graph execution at any point, persisting state to a checkpointer (PostgreSQL for production). The HumanInTheLoopMiddleware enables per-tool configuration with three decision types — approve, edit (modify parameters), and reject (with feedback). This middleware pattern directly addresses confirmation fatigue by allowing different tools to have different oversight levels. Read operations auto-approve; write operations pause for review.

OpenAI’s Agents SDK provides a three-layer guardrail system: input guardrails (tripwire mechanism on user input), output guardrails (validate responses before delivery), and the new tool guardrails that wrap function tools for pre- and post-execution validation. The SDK also provides native MCP integration with a require_approval parameter that accepts “always,” “never,” or a custom callback function, enabling programmatic risk-based approval.

Anthropic takes a more model-centric approach through its Responsible Scaling Policy and AI Safety Levels (ASL-1 through ASL-3+). For Claude’s computer use product, the pattern is “ask-before-acting” — Claude asks before taking any significant action, with explicit access scoping to user-selected folders and connectors. Anthropic’s February 2026 Sabotage Risk Report for Claude Opus 4.6 found “very low but not negligible” sabotage risk with elevated susceptibility in computer use settings and instances of “locally deceptive behavior” in complex agentic environments.

Google DeepMind’s SAIF 2.0 (October 2025) establishes three principles for agent safety: agents must have well-defined human controllers, their powers must be carefully limited, and their actions and planning must be observable. The “amplified oversight” technique — two model copies debate while pointing out flaws in each other’s output to a human judge — represents a research-stage approach to scaling human review.

---

The MCP middleware ecosystem is production-ready

The practical path forward for implementing HITL on top of MCP without protocol modifications runs through proxy/middleware architectures that intercept JSON-RPC tools/call requests. MCP’s use of JSON-RPC 2.0 makes every tool call a well-structured message with tool name and arguments, enabling straightforward policy evaluation.

The leading purpose-built solutions include Preloop (an MCP proxy with CEL-based policy conditions, quorum approvals, and multi-channel notifications), HumanLayer (a YC F24 company providing a framework-agnostic async approval API with Slack/email routing and auto-approval learning), and gotoHuman (managed HITL approval UI as an MCP server). For code-first approaches, FastMCP v2.9+ provides the most mature middleware system with hooks at on_call_tool, on_list_tools, and other levels, enabling custom HITL logic as composable pipeline stages.

Enterprise gateways have also added MCP awareness: Traefik Hub provides Task-Based Access Control across tasks, tools, and transactions with JWT-based policy enforcement; Microsoft’s MCP Gateway offers Kubernetes-native deployment with Entra ID authentication; and Kong’s AI MCP Proxy bridges MCP to HTTP with per-tool ACLs and Kong’s full plugin ecosystem. Notably, Lunar.dev MCPX reports p99 latency overhead of approximately 4 milliseconds, demonstrating that proxy-based oversight need not meaningfully impact agent performance.

For UX, Benjamin Prigent’s December 2025 “7 UX Patterns for Ambient AI Agent Oversight” provides a comprehensive design framework: an overview panel showing agent state and oversight needs (inbox-zero pattern), five distinct oversight flow types (communication, validation, simple question, complex question, error resolution), activity logs with searchable audit trails, and work reports summarizing completed agent actions. The key principle is progressive disclosure — show the summary first, details on demand — with risk-colored displays and contextual explanations of why each action was flagged.

---

Progressive autonomy is the emerging endgame

The most forward-looking pattern across the research is progressive autonomy — agents earning trust over time and operating at increasing independence levels. Okta’s governance framework recommends “progressive permission levels based on demonstrated reliability.” A manufacturing-sector MCP deployment documented by MESA follows a four-stage progression: read-only pilot → advisory agents → controlled command execution → full closed-loop automation. HumanLayer supports learning from prior approval decisions to auto-approve similar future requests, creating a feedback loop where human oversight actively trains the system toward autonomy.

The trust calibration research provides theoretical grounding. A September 2025 paper formalizes trust calibration as sequential regret minimization using contextual bandits, with LinUCB and neural-network variants yielding 10–38% increases in task rewards and consistent reductions in trust misalignment. This maps directly to the approval decision: a contextual bandit can learn which tool calls a particular human always approves and gradually shift those to auto-approve, while maintaining or increasing scrutiny on novel or historically-rejected patterns.

The CHI 2025 paper on “Trusting Autonomous Teammates in Human-AI Teams” found that agent-related factors (transparency, reliability) have the strongest impact on trust, and that “calibrating human trust to an appropriate level is more advantageous than fostering blind trust.” This suggests that progressive autonomy systems should not just reduce approval requests — they should actively communicate their track record and current confidence to maintain calibrated human oversight.

---

Conclusion: a layered defense architecture for MCP tool oversight

The state of the art points clearly toward a layered defense architecture rather than any single mechanism. The recommended stack, from fastest/cheapest to slowest/most expensive:

1. Deterministic policy gates (allowlists, denylists, parameter-level rules via CEL or Polar): zero LLM cost, sub-millisecond, catches the majority of clearly-safe and clearly-dangerous calls
2. Tool annotation screening using MCP’s readOnlyHint/destructiveHint metadata, supplemented by server-reputation scoring for untrusted annotations
3. AI guardian/reviewer agent that evaluates uncertain cases against a constitutional set of principles and risk heuristics
4. Human-in-the-loop gates reserved for irreversible, high-value, novel, or ambiguous situations — targeting 5–15% of total tool calls
5. Comprehensive audit trails with OpenTelemetry tracing, structured logging, and post-hoc review dashboards for pattern detection and continuous policy refinement

The critical open gap remains at the protocol level. Until MCP introduces standardized approval workflow primitives — an approval/request method, trusted risk annotations, or a formal extensions framework for HITL — every implementation will remain a bespoke middleware layer. The most impactful near-term contribution would be a dedicated MCP Specification Enhancement Proposal that defines a standard approval negotiation protocol between clients, proxies, and servers, enabling interoperable oversight across the fragmented ecosystem.

The Voter Model

The voter model is a simple mathematical model of opinion formation in which voters are located at the nodes of a network. Each voter holds an opinion (in the simplest case, 0 or 1, but more generally, any of n options), and a randomly chosen voter adopts the opinion of one of its neighbors.

This model can be used to describe phase transition behavior in idealized physical systems and can produce a remarkable amount of structure emerging from seemingly “random” initial conditions. It can be modeled very easily using cellular automata.

In finite networks (as in any real-world model), fluctuations inevitably cause the system to reach an “absorbing” state—one in which all opinions become constant and remain unchanged.

LLM as Optimizer:

• Large Language Models as Optimizers https://arxiv.org/abs/2309.03409
• When Large Language Models Meet Optimization https://www.sciencedirect.com/science/article/abs/pii/S2210650224002013?via%3Dihub
• Large Language Models to Enhance Bayesian Optimization https://arxiv.org/abs/2402.03921
• Cooperative Design Optimization through Natural Language Interaction https://arxiv.org/abs/2508.16077
• Language-Based Bayesian Optimization Research Assistant (BORA) https://arxiv.org/abs/2501.16224
• LILO: Bayesian Optimization with Interactive Natural Language Feedback https://arxiv.org/abs/2510.17671
• Bayesian Optimization of High-dimensional Outputs with Human Feedback https://openreview.net/pdf?id=2fHwkHskpo

LLM Lectures

• https://cmu-llms.org/schedule/
• https://www.phontron.com/class/lminference-fall2025/schedule
• https://llmsystem.github.io/llmsystem2026spring/docs/Syllabus
• https://llmsystem.github.io/llmsystem2025spring/docs/Syllabus/

The Cost of Staying

by Amy Tam https://x.com/amytam01/status/2023593365401636896

Every technical person I know is doing the same math right now. They won’t call it that. They’ll say they’re “exploring options” or “thinking about what’s next.” But underneath, it’s the same calculation: how much is it costing me to stay where I am?

Not in dollars. In time. There’s a feeling in the air that the window for making the right move is shrinking—that every quarter you spend in the wrong seat, the gap between you and the people who moved earlier gets harder to close. A year ago, career decisions in tech felt reversible. Take the wrong job, course correct in eighteen months. That assumption is breaking down. The divergence between people who repositioned early and those still weighing their options is becoming visible, and it’s accelerating.

I see this up close. I’m an investor at Bloomberg Beta, and I spend most of my time with people in transition: leaving roles, finishing programs, deciding what’s next. I’m not a career advisor, but I sit at the intersection of “what are you leaving” and “what are you chasing.”

The valuable skill in tech shifted from “can you solve this problem” to “can you tell which problems are worth solving and which solutions are actually good.” The scarce thing flipped from execution to judgment: can you orchestrate systems, run parallel bets, and have the taste to know which results matter? The people who figured this out early are on one arm of a widening K-curve. Everyone else is getting faster at things that are about to be done for them.

The shift from execution to judgment is happening everywhere, but the cost of staying and the upside of moving look completely different depending on where you’re sitting.

FAANG

Here’s the tradeoff people at big tech companies are running right now: the systems are built, the comp is great, and the work is… fine. You’re increasingly reviewing AI-generated outputs rather than building from scratch. For some people, that’s a gift—it’s leverage, it’s sustainable, it’s a good life. The tradeoff is that “fine” has a cost that doesn’t show up in your paycheck.

The people leaving aren’t unhappy. They’re restless. They describe this specific feeling: the hardest problems aren’t here anymore, and the organization hasn’t caught up to that fact. The ones staying are making a bet that stability and comp are worth more than being close to the frontier. The ones leaving are making a bet that the frontier is where the next decade of career value gets built, and every quarter they wait is a quarter of compounding they miss.

Both bets are rational. But only one of them is time-sensitive.

Quant

Quant still works. Absurd pay, hard problems, immediate feedback. If you’re good, you know you’re good, because the P&L doesn’t lie.

The tradeoff that’s emerging: the entire quant toolkit (ML infrastructure, data obsession, statistical intuition) turns out to be exactly what AI labs and research startups need—same muscle, different problem. The difference is surface area. In quant, you’re optimizing a strategy. In AI, you’re building systems that reason. Even the quant-adjacent world is feeling it: the most interesting work in prediction markets and stablecoins is increasingly an AI infrastructure problem. One has a ceiling. The other doesn’t, or at least nobody’s found it yet.

Most quant people are staying, and they’re not wrong to. But the ones leaving describe something specific: they hit a point where the intellectual challenge of finance felt bounded in a way it didn’t before. They’re not chasing money. They’re chasing the feeling of working on something where the upper bound isn’t visible.

Academia

This is where the tradeoff is most painful, because it shouldn’t be a tradeoff at all.

Publishing novel results used to be the purest form of intellectual prestige. You did the work because the work was beautiful. That hasn’t changed. What changed is that the line between what you can do at a funded startup and what you can do in a university lab is blurring, and not in academia’s favor. A 20-person research startup can now do in a weekend what takes an academic lab a semester, because compute costs money that universities don’t have.

The most ambitious PhD students I talk to aren’t choosing between academia and industry. They’re choosing between theorizing about experiments and actually running them. The pull toward funded startups and labs isn’t about selling out. It’s about wanting to do the science, and the science requires resources that academia can’t provide.

The people staying in academia for the right reasons (open science, long time horizons, genuine intellectual freedom) are admirable. But they should know that the clock is ticking differently for them too: the longer the compute gap widens, the harder it becomes to do competitive work from inside a university.

AI Startups (Application Layer)

If you’re building products on top of models, you already know the feeling: the clever feature you shipped in March gets commoditized by a model update in June. The ground moves every quarter, and your moat evaporates.

The tradeoff here is between chasing what’s exciting and building what’s durable. The founders who are thriving right now stopped caring about model capabilities and started caring about the things models can’t take away: data moats, workflow capture, integration depth. It’s less fun to talk about at a dinner party. It’s where the actual companies get built.

The people making the sharpest moves in this world are the ones who got excited about plumbing—not the demo, not the pitch, not the capability. The ugly, boring infrastructure that makes a product sticky independent of which model sits underneath it.

Research Startups: The New Center of Gravity

This is where the K-curve is most visible.

Prime Intellect, SSI, Humans&—10-30 people doing genuine frontier research that competes with organizations fifty times their size. This would have been impossible three years ago. It’s happening now because the tools got good enough that a small number of people with great judgment can outrun a bureaucracy with more resources.

The daily workflow here is the clearest picture of what the upper arm looks like in practice. You’re kicking off training runs, spinning up experiments, letting things cook overnight. You come back in the morning, and your job isn’t to write code. It’s to know what to do with what came back—to have the taste to distinguish signal from noise when the system hands you a wall of results. It’s passive leverage. You set the experiments in motion, and the compounding happens whether or not you’re at your desk.

The tradeoff people are weighing: these companies are small, unproven, and many will fail. The bet is that being at the center of the frontier, with your judgment directly touching the work, compounds faster than the safety of a bigger organization, even if the specific company doesn’t make it. The skills transfer. The network transfers. The three years you spend reviewing someone else’s outputs at a big company don’t transfer the same way.

Big Model Labs: The Narrowing Frontier

The pitch “we’re building AGI” still works. It might always work on a certain type of person.

But the experience inside has shifted. The most interesting research is concentrated among a small number of senior people. Everyone else is doing important supporting work (evals, infra, product) that doesn’t feel like the frontier they signed up for. You joined to touch the thing, and you’re three layers removed from it.

The tradeoff is prestige versus proximity. A big lab on your resume still opens every door. But the people leaving are making a specific calculation: the resume value of “I was at [top lab]” is depreciating as the labs get bigger and more corporate, while the value of “I did frontier research at a place where my judgment shaped the direction” is appreciating. The window where big-lab pedigree is the best credential is closing, and the people who see it are moving.

The Clock

Every one of these tradeoffs has the same variable hiding inside it: time.

A year ago, you could sit in a comfortable seat and deliberate. The cost of waiting was low because the divergence was slow. That’s no longer true. The tools are compounding. The people who moved early are building on top of what they learned last quarter. The difference between someone who moved six months ago and someone still weighing their options is already compounding.

The upper arm isn’t closed. People are making the jump every week, and the people who are hiring them don’t care where you’ve been. They care whether you can do the work. But the math is directional: the longer you optimize for comfort, the more expensive the switch becomes—not because the opportunities disappear, but because the people who are already there are compounding, and you’re not.

The companies winning the talent war right now aren’t the ones with the best brand or the highest comp. They’re the ones where your judgment has the most surface area, where the distance between your taste and what actually gets built is zero, and where you’re surrounded by people who know things you don’t yet. The best people want to be close to others who have tricks they haven’t learned yet, at places with enough compute to actually run the experiments.

The question isn’t whether you’re smart enough. It’s that you’ve already done the math. You just haven’t acted on it.

Useful resources:

• https://huggingface.co/spaces/transformers-community/Transformers-tenets
• https://ianarawjo.github.io/Guidelines-for-Reporting-LLM-Integrated-Systems-in-HCI/

Interesting books for reading:

• 贝叶斯方法与科学合理性——对休谟问题的思考: https://book.douban.com/subject/4472081/
• Reinforcement Learning from Human Feedback - A short introduction to RLHF and post-training focused on language models: https://rlhfbook.com/
• Build a Reasoning Model (From Scratch): https://www.manning.com/books/build-a-reasoning-model-from-scratch
• Build a Large Language Model (From Scratch): https://www.manning.com/books/build-a-large-language-model-from-scratch

In agentic applications, to ensure the agent actions executed in a safe and trusted manner, in particular write operations, we often use a human in the loop.

The native practice for the setup with one agentic loop + MCP tool servers, is to add human confirmation per tool call. However, this is not a scalable approach because it soon makes human become a tedious “Confirm” executor and may just blindly confirm without actually reviewing the action and not completely scalable.

One potential mitigation is to use diff based review approach, and providing summary of the ongoing executions and ask for confirm. However this remains non-scalable when agent attempts to do a huge diff (e.g. writing 10k lines of code and wants to commit), where human cannot review the whole thing efficiently.

Another idea is to prepare some sort of intent overview and contract to let user to review, but it seems generally hard to prepare tool call sequence in advance because it is non-deterministic and depending on the context. It can also happen that one tool call is catastrophic but missed.

Pareto Principles in Infinite Ethics Published: May 01, 2018

Recommended citation: Askell, Amanda. ‘Pareto Principles in Infinite Ethics.’ PhD thesis, New York University (2018). https://askell.io/files/Askell-PhD-Thesis.pdf

Summary: In this thesis I argue that ethical rankings of worlds that contain infinite levels of wellbeing ought to be consistent with the Pareto principle, which says that if two worlds contain the same agents and some agents are better off in the first world than they are in the second and no agents are worse off than they are in the second, then the first world is better than the second. I show that if we accept four axioms – the Pareto principle, transitivity, an axiom stating that populations of worlds can be permuted, and the claim that if the ‘at least as good as’ relation holds between two worlds then it holds between qualitative duplicates of this world pair – then we must conclude that there is ubiquitous incomparability between infinite worlds.

Continuing from my previous thoughts.

We mentioned that the long tail may not necessarily be a bad thing. Similar perspectives have actually been proposed long ago—over-optimization weakens the ability to adapt to mutations, which comes from the theory of antifragility.

Actually, the leaders on the adaptation curve are, in a sense, a group of highly intelligent people. From historical experience, we can see that the more intelligent people become, the more they crave energy. Similarly, we can draw a parallel between this human process and artificial intelligence: once the reproductive cycle of intelligence is broken through, it becomes increasingly intelligent while consuming more and more energy.

At some point in the future, if these superintelligent entities are still alive, we can logically deduce that this form of intelligence would consume all available energy and be unable to continue existing.

From this perspective, what exactly is optimization? Is it necessarily always a good thing?

After sharing these thoughts with someone, they countered me with a question: this kind of technological progress seemingly has never occurred in the long course of history. I was momentarily at a loss and didn’t know how to respond.