// GLOSSARY -- POLICY ENFORCEMENT

What is Tool Call Approval?

2 min read Updated

Tool call approval is the gate applied to an individual tool call before it executes, resolving to one of three outcomes — auto-allow, prompt a human, or deny — based on human judgement, policy rules, or both.

WHY IT MATTERS

Every MCP client implements some version of this. Claude Code asks before running shell commands and offers "always allow" per tool; Cursor and other clients surface similar per-call prompts. The client shows the tool name and arguments, and the human approves or rejects. This is the human-in-the-loop control the MCP ecosystem leans on by default.

The problem is fatigue. An agent session can issue dozens of tool calls; humans asked to approve each one quickly stop reading the arguments and start clicking through. Worse, "always allow" decisions accumulate silently, so the effective policy becomes whatever a developer approved once, months ago, with no review. Approval prompts also only fire at the call boundary — they do nothing about attacks that work earlier, such as line jumping.

Deterministic policy resolves most of this. Instead of asking a human per call, a policy engine evaluates each tool call against written rules: read-only tools auto-allow, destructive tools deny or escalate, everything logged. Humans are reserved for the genuinely ambiguous cases, where their attention is still meaningful. The result is consistent — the same call gets the same answer regardless of who is running the agent or how tired they are.

Let policy decide which calls run automatically and which wait for a human — approval where it matters, no fatigue where it doesn't.

SET UP APPROVAL GATES →

Enforced before the call runs. Nothing to install.

HOW POLICYLAYER USES THIS

PolicyLayer moves the approval decision from the client to the gateway. Every tools/call routed through PolicyLayer is evaluated against the team's policy before it reaches the upstream server — allow, deny, or log — so the decision is deterministic, centrally defined, and identical across Claude Code, Cursor, Codex, and any other connected client. Client-side prompts remain available for cases policy escalates, but the bulk of calls are resolved by rule rather than by a human clicking through.

Read the policy-writing guide →

FREQUENTLY ASKED QUESTIONS

What is approval fatigue?
The tendency of humans asked to approve many tool calls to stop scrutinising them and approve reflexively. It turns a per-call human gate into a rubber stamp, which is why high-volume decisions are better handled by policy.
Should every tool call require human approval?
No. Reserving humans for ambiguous or high-impact calls and auto-resolving the rest by policy keeps human attention meaningful. Blanket prompting produces fatigue, not safety.
How do auto-allow, prompt, and deny differ?
Auto-allow executes the call without interaction, prompt pauses for a human decision, and deny blocks the call outright. A policy maps each tool or call pattern to one of the three.

FURTHER READING

Let agents act without letting them run wild.

Route your MCP servers through PolicyLayer and every tool call is checked against your policy before it runs — allow, deny, or require approval. Per-identity grants. Full audit log. Live in minutes.

SET UP APPROVAL GATES →

Free to start. No card required.

43,000+ MCP servers and 220,000+ tools scanned and risk-classified.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.