Multi-Stage Approvals

Overview

Multi-stage approvals provide layered human oversight for AI agent actions. When an action requires multiple approvals, it must pass through each stage sequentially, with different approvers at each level. This ensures separation of duties and prevents any single person from authorizing high-risk operations.

Multi-stage workflows are essential for compliance with SOC 2, PCI-DSS, SOX, and other frameworks that mandate segregation of duties.

Key Features

  • Sequential Stages: Up to 5 approval levels per workflow
  • Separation of Duties: Different approvers required at each stage
  • Stage-Specific SLAs: Individual timeout per stage
  • Partial Approval Tracking: Monitor progress through approval chain
  • Stage Rollback: Return to previous stage on rejection
  • Audit Trail: Complete history of all stage transitions

How It Works

Multi-Stage Execution Flow

Action Submitted (Risk Score: 95)
            |
            v
+------------------------+
| Stage 1: Security Team |
| Approver: security@    |
| SLA: 30 minutes        |
+------------------------+
            |
         Approved
            v
+------------------------+
| Stage 2: Senior Review |
| Approver: senior@      |
| SLA: 30 minutes        |
+------------------------+
            |
         Approved
            v
+------------------------+
| Stage 3: Executive     |
| Approver: executive@   |
| SLA: 30 minutes        |
+------------------------+
            |
         Approved
            v
+------------------------+
| Action Executed        |
+------------------------+

Stage States

State     | Description
----------+----------------------------------------
pending   | Awaiting approval at current stage
approved  | Current stage approved, moving to next
rejected  | Stage rejected, workflow terminated
escalated | SLA exceeded, escalated to backup
completed | All stages approved, action executed

Configuration

Default Multi-Stage Configuration

Critical risk actions (score 90-100) use a 3-stage workflow:

{
  "id": "risk_90_100",
  "name": "Critical Risk (90-100)",
  "approval_levels": 3,
  "stages": [
    {
      "level": 1,
      "name": "Security Review",
      "approvers": ["security@company.com"],
      "sla_minutes": 30,
      "required_role": "security_analyst"
    },
    {
      "level": 2,
      "name": "Senior Approval",
      "approvers": ["senior@company.com"],
      "sla_minutes": 30,
      "required_role": "senior_engineer"
    },
    {
      "level": 3,
      "name": "Executive Sign-off",
      "approvers": ["executive@company.com"],
      "sla_minutes": 30,
      "required_role": "executive"
    }
  ],
  "total_timeout_hours": 2
}

Configure Approval Levels

curl -X POST "https://api.ascend.ai/api/authorization/workflow-config" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow_id": "risk_70_89",
    "updates": {
      "approval_levels": 3,
      "approvers": [
        "security@company.com",
        "engineering-lead@company.com",
        "director@company.com"
      ]
    }
  }'

Usage Examples

Check Approval Progress

curl -X GET "https://api.ascend.ai/api/actions/123/approval-status" \
  -H "Authorization: Bearer $TOKEN"

Response:

{
  "action_id": 123,
  "workflow_id": "risk_90_100",
  "current_stage": 2,
  "total_stages": 3,
  "stage_history": [
    {
      "stage": 1,
      "name": "Security Review",
      "status": "approved",
      "approver": "security@company.com",
      "approved_at": "2026-01-20T14:00:00Z",
      "comment": "Security review complete, no concerns"
    },
    {
      "stage": 2,
      "name": "Senior Approval",
      "status": "pending",
      "assigned_to": "senior@company.com",
      "sla_deadline": "2026-01-20T14:30:00Z"
    }
  ],
  "overall_status": "in_progress",
  "estimated_completion": "2026-01-20T15:00:00Z"
}

Approve Current Stage

curl -X POST "https://api.ascend.ai/api/actions/123/approve" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "comment": "Stage 2 approved - engineering requirements verified"
  }'

Reject at Any Stage

curl -X POST "https://api.ascend.ai/api/actions/123/deny" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "reason": "Action violates change freeze policy",
    "stage": 2
  }'

Note: Rejection at any stage terminates the entire workflow.

Separation of Duties

Enforcement Rules

The system enforces separation of duties:

  1. Different Approvers: The same person cannot approve multiple stages
  2. Role Requirements: Each stage can require specific roles
  3. Department Separation: Cross-department approval can be required
  4. Conflict Detection: System blocks approvers with conflicts of interest

Conflict Examples

Blocked Scenario:
- User A submitted the action
- User A cannot approve any stage

Blocked Scenario:
- User B approved Stage 1
- User B cannot approve Stage 2 or 3

Allowed Scenario:
- User B approved Stage 1
- User C (different person) approves Stage 2
- User D (different person) approves Stage 3

Configure Separation Rules

curl -X POST "https://api.ascend.ai/api/authorization/workflow-config" \
  -H "Authorization: Bearer $TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "workflow_id": "risk_90_100",
    "updates": {
      "separation_of_duties": {
        "require_different_approvers": true,
        "require_different_departments": false,
        "block_self_approval": true,
        "minimum_unique_approvers": 3
      }
    }
  }'
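
The enforcement rules and conflict scenarios above can also be checked independently against the audit trail. The following is an added example, not Ascend's own code: it audits a stage_history list in the shape returned by the approval-status endpoint. The function names, the caller-supplied `submitter` argument (the response shown on this page has no submitter field) and the sample records are assumptions constructed for illustration.

```python
# Added example: audit a stage_history list against separation-of-duties rules.
# Field names follow the approval-status response on this page; `submitter`
# is passed in by the caller (assumption: that response shows no submitter).
from datetime import datetime

def _when(stage):
    return datetime.fromisoformat(stage["approved_at"].replace("Z", "+00:00"))

def audit_separation(stage_history, submitter, rules, completed=False):
    """Return a list of violations; an empty list means the history is clean."""
    found = []
    approved = sorted((s for s in stage_history if s.get("status") == "approved"),
                      key=lambda s: s["stage"])
    first_stage = {}   # normalised approver -> first stage they approved
    previous = None
    for expected, s in enumerate(approved, start=1):
        who = s["approver"].strip().lower()   # compare case-insensitively
        if s["stage"] != expected:
            found.append(f"stage {s['stage']}: approved out of sequence")
        if previous is not None and _when(s) < previous:
            found.append(f"stage {s['stage']}: approved before the prior stage")
        previous = _when(s)
        if rules.get("block_self_approval") and who == submitter.strip().lower():
            found.append(f"stage {s['stage']}: self-approval by {who}")
        if rules.get("require_different_approvers") and who in first_stage:
            found.append(f"stage {s['stage']}: {who} also approved stage {first_stage[who]}")
        first_stage.setdefault(who, s["stage"])
    needed = rules.get("minimum_unique_approvers", 0)
    if completed and len(first_stage) < needed:
        found.append(f"only {len(first_stage)} unique approvers, {needed} required")
    return found

RULES = {"require_different_approvers": True, "block_self_approval": True,
         "minimum_unique_approvers": 3}

# Constructed sample: user-b approves stages 1 and 2, the submitter approves stage 3.
BAD_HISTORY = [
    {"stage": 1, "status": "approved", "approver": "user-b@company.com",
     "approved_at": "2026-01-20T14:00:00Z"},
    {"stage": 2, "status": "approved", "approver": "User-B@company.com",
     "approved_at": "2026-01-20T14:10:00Z"},
    {"stage": 3, "status": "approved", "approver": "user-a@company.com",
     "approved_at": "2026-01-20T14:20:00Z"},
]

if __name__ == "__main__":
    for line in audit_separation(BAD_HISTORY, "user-a@company.com", RULES, completed=True):
        print(line)
```

Pass `completed=True` only for workflows whose overall status shows all stages approved, so that in-progress actions are not flagged for having too few approvers yet.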

Stage Configuration Options

Per-Stage Settings

Setting             | Description                | Default
--------------------+----------------------------+--------------
name                | Stage display name         | "Stage N"
approvers           | List of eligible approvers | Required
sla_minutes         | Time limit for this stage  | 60
required_role       | Role required to approve   | None
required_department | Department required        | None
escalation_target   | Who to escalate to         | Next in list

Example: Custom Stage Configuration

{
  "stages": [
    {
      "level": 1,
      "name": "Technical Review",
      "approvers": ["tech-lead@company.com", "architect@company.com"],
      "sla_minutes": 60,
      "required_role": "tech_lead",
      "escalation_target": "engineering-director@company.com"
    },
    {
      "level": 2,
      "name": "Security Validation",
      "approvers": ["security@company.com", "infosec@company.com"],
      "sla_minutes": 45,
      "required_role": "security_analyst",
      "required_department": "Security"
    },
    {
      "level": 3,
      "name": "Business Approval",
      "approvers": ["product-owner@company.com", "director@company.com"],
      "sla_minutes": 30,
      "required_role": "director"
    }
  ]
}
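
A stage configuration like the one above can be linted before it is submitted. The following is an added example, not part of the product: it checks the documented limit of 5 stages, gap-free levels, approver coverage per stage, and whether every stage can actually be given a different approver. The function names are hypothetical, and treating `total_timeout_hours` as an upper bound on the summed stage SLAs and `approval_levels` as the stage count are assumptions.

```python
# Added example: lint a workflow config dict before submitting it.
# Assumptions: total_timeout_hours bounds the sum of stage SLAs, and
# approval_levels (when present) equals the number of stages.

def _assignable(stages, taken=frozenset()):
    """True if each stage can get an approver no other stage in the chain uses."""
    if not stages:
        return True
    head, rest = stages[0], stages[1:]
    return any(_assignable(rest, taken | {a.lower()})
               for a in head["approvers"] if a.lower() not in taken)

def lint_workflow(config, max_stages=5):
    """Return a list of problems; an empty list means no issue was found."""
    problems = []
    stages = sorted(config.get("stages", []), key=lambda s: s["level"])
    if not 1 <= len(stages) <= max_stages:
        problems.append(f"{len(stages)} stages; expected 1 to {max_stages}")
    if [s["level"] for s in stages] != list(range(1, len(stages) + 1)):
        problems.append("levels are not 1..N without gaps")
    if "approval_levels" in config and config["approval_levels"] != len(stages):
        problems.append("approval_levels does not match number of stages")
    for s in stages:
        if len({a.lower() for a in s["approvers"]}) < 2:
            problems.append(f"stage {s['level']}: single approver, no cover for absence")
    total = sum(s.get("sla_minutes", 60) for s in stages)   # 60 = documented default
    limit = config.get("total_timeout_hours")
    if limit is not None and total > limit * 60:
        problems.append(f"stage SLAs sum to {total} min, over the {limit} h total timeout")
    if not _assignable(stages):
        problems.append("stages cannot all be assigned different approvers")
    return problems

# Constructed sample: the same two people are listed on all three stages.
SHARED_POOL = {
    "approval_levels": 3, "total_timeout_hours": 2,
    "stages": [{"level": n, "sla_minutes": 60,
                "approvers": ["lead@company.com", "director@company.com"]}
               for n in (1, 2, 3)],
}

if __name__ == "__main__":
    for problem in lint_workflow(SHARED_POOL):
        print(problem)
```

The constructed sample passes the per-stage coverage check but still fails overall, because two people cannot fill three stages once the same person is barred from approving more than one.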

Monitoring Multi-Stage Workflows

Dashboard Metrics

Track multi-stage workflow performance:

  • Stage Completion Time: Average time per stage
  • Bottleneck Detection: Identify slow stages
  • Rejection Rates by Stage: Where approvals fail
  • Escalation Frequency: How often SLAs are missed

Alerts

Configure alerts for:

  • Actions stuck at a stage longer than SLA
  • High rejection rates at specific stages
  • Approvers with excessive pending items
  • Workflows with repeated escalations

Best Practices

  1. Match Levels to Risk: Higher risk = more approval stages
  2. Balance Speed and Safety: Don't add stages that slow critical operations unnecessarily
  3. Train Approvers: Ensure each stage's approvers understand their responsibilities
  4. Monitor Bottlenecks: Track which stages cause delays
  5. Plan for Absences: Ensure each stage has multiple eligible approvers
  6. Document Requirements: Clear criteria for what each stage should verify