Approval Fatigue Exploitation
Approval fatigue exploitation degrades the quality of human-in-the-loop review - such as tool execution approval, code review, or content sign-off - so that reviewers rubber-stamp requests instead of inspecting them.
Details
Common techniques include flooding the reviewer with high volumes of requests, increasing the complexity of individual items, mixing legitimate and malicious actions, or creating artificial time pressure. An attacker who gains influence over an agent - for example through prompt injection or goal manipulation - can use these techniques to render any human review step ineffective, turning a nominally human-supervised system into an effectively unsupervised one.
The threat applies wherever humans gate agent output: tool call approval, pull request review, deployment sign-off, content publication, or escalation handling. As cloud coding agents generate more pull requests in parallel, code review becomes a particularly vulnerable surface because reviewer bandwidth does not scale with agent throughput.
Approval fatigue is a systemic threat because human-in-the-loop review is the primary mitigation listed for most other agent threats - prompt injection, tool misuse, goal manipulation, persistence attacks, and unauthorized code execution all rely on human review as a critical safety layer. When that layer is degraded through fatigue, the effective security posture of the entire system drops, not just for the specific action being rubber-stamped. This makes approval fatigue a force multiplier: an attacker who successfully induces fatigue does not need to bypass any other defense, because the human reviewer is the defense. Automated pre-screening (e.g., code review agents) can reduce the volume reaching human reviewers, but these automated reviewers are themselves agents susceptible to the same threats they are screening for, creating a recursive trust problem.
Examples
- An agent generates dozens of benign file-change approvals followed by a single malicious one, exploiting approval fatigue.
- A compromised agent presents a destructive database operation buried in a long list of routine maintenance tasks for batch approval.
- An agent creates artificial urgency ("this deployment will fail in 2 minutes") to pressure a reviewer into approving without inspection.
- A coding agent opens many small, low-risk pull requests to establish trust, then slips a subtle vulnerability into a larger change that a fatigued reviewer approves.
- Multiple agents submit pull requests simultaneously, overwhelming the review queue and reducing scrutiny per change.
Mitigations
- Rate-limiting and batching approval requests to prevent fatigue
- Tiered approval with stricter review for high-risk actions
- Automated pre-screening of requests before human review (e.g., code review agents triaging pull requests)
- Observability on approval request volumes and patterns
- Separating review queues by risk level to preserve attention for critical items
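The following is an added example, not part of the original entry, showing how the rate-limiting, tiered-review, queue-separation and observability mitigations above can be combined in one approval gate in front of an agent's tool calls. The tool names, risk tiers, thresholds and the urgency-phrase pattern are all constructed for the illustration (the "will fail in 2 minutes" phrasing mirrors the third example above); a real deployment would draw them from its own tool catalogue and policy. The `demo()` run reproduces the first example above: a burst of routine read requests followed by a single destructive database operation carrying urgency language.

```python
"""Risk-tiered approval gate with per-window rate limiting and fatigue signals.
Added illustration; tool names, tiers and thresholds are constructed, not taken
from any real agent framework."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
import re

# Hypothetical tool catalogue. Destructive or externally visible tools are
# routed to the high-risk queue no matter how routine the surrounding batch looks.
HIGH_RISK_TOOLS = {"db.drop_table", "db.delete_rows", "deploy.production", "shell.exec"}
MEDIUM_RISK_TOOLS = {"fs.write", "git.push"}
# Constructed pattern for artificial time pressure in the agent's justification.
URGENCY_RE = re.compile(
    r"\b(urgent|immediately|asap|will fail in \d+ (?:minutes?|seconds?))\b", re.IGNORECASE)


@dataclass
class Request:
    agent_id: str
    tool: str
    justification: str
    ts: float  # seconds; passed in explicitly so runs are deterministic


@dataclass
class Decision:
    queue: str               # "high", "medium", "low" or "deferred"
    required_reviewers: int  # stricter review for higher tiers
    signals: list = field(default_factory=list)  # observability signals


class ApprovalGate:
    def __init__(self, low_per_window=10, window=60.0, burst_threshold=20):
        self.low_per_window = low_per_window  # low-risk items a human sees per window
        self.window = window                  # seconds
        self.burst_threshold = burst_threshold  # per-agent request count that is flagged
        self._low_sent = deque()              # timestamps of low-risk items sent to a human
        self._per_agent = defaultdict(deque)  # agent id -> timestamps of all its requests
        self.queues = {"high": [], "medium": [], "low": [], "deferred": []}

    @staticmethod
    def tier(tool):
        if tool in HIGH_RISK_TOOLS:
            return "high"
        if tool in MEDIUM_RISK_TOOLS:
            return "medium"
        return "low"

    def _prune(self, dq, now):
        # Drop timestamps that fell out of the sliding window.
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def submit(self, req):
        signals = []
        # Observability: per-agent volume within the window.
        agent_dq = self._per_agent[req.agent_id]
        self._prune(agent_dq, req.ts)
        agent_dq.append(req.ts)
        if len(agent_dq) >= self.burst_threshold:
            signals.append(f"burst:{req.agent_id}:{len(agent_dq)}")
        if URGENCY_RE.search(req.justification):
            signals.append("urgency_language")

        tier = self.tier(req.tool)
        if tier == "high":
            # Never batched, never deferred, and needs two reviewers.
            decision = Decision("high", 2, signals)
        elif tier == "medium":
            decision = Decision("medium", 1, signals)
        else:
            # Only the low-risk stream is rate-limited; overflow is batched for later
            # rather than pushed at the reviewer now.
            self._prune(self._low_sent, req.ts)
            if len(self._low_sent) >= self.low_per_window:
                decision = Decision("deferred", 1, signals + ["rate_limited"])
            else:
                self._low_sent.append(req.ts)
                decision = Decision("low", 1, signals)
        self.queues[decision.queue].append((req, decision))
        return decision


def demo():
    """Constructed scenario: 24 routine reads, then one destructive call under time pressure."""
    gate = ApprovalGate()
    decisions = [gate.submit(Request("agent-7", "fs.read", f"read config {i}", float(i)))
                 for i in range(24)]
    decisions.append(gate.submit(Request(
        "agent-7", "db.drop_table",
        "cleanup; this deployment will fail in 2 minutes", 24.0)))
    return gate, decisions


if __name__ == "__main__":
    gate, decisions = demo()
    for name, items in gate.queues.items():
        print(f"{name}: {len(items)} item(s)")
    print("last decision:", decisions[-1])
```

The point of the design is that the destructive call cannot hide in the batch: it lands alone in the high-risk queue with a two-reviewer requirement, while the burst and urgency signals attached to it give the reviewer and the monitoring pipeline a reason to slow down rather than speed up.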
Synonyms
tool approval fatigue exploitation, rubber-stamping attack