OpenClaw Autonomy Tiers: How to Give Your Agent the Right Amount of Freedom

The Two Failure Modes

OpenClaw agents fail in one of two directions:

Too restrictive: The agent asks permission for everything. You spend more time answering questions than the agent saves you. It's effectively a slow chatbot.

Too permissive: The agent acts without oversight. It posts something you didn't approve, signs up for a paid service, or makes a decision you'd never sanction. You stop trusting it.

Both failures have the same root cause: no defined autonomy system. The agent is guessing at the right level of independence every time.

The Three-Tier Solution

An autonomy tier system classifies actions by risk level. Instead of guessing, the agent has explicit rules.

Tier 1 — Autonomous (just do it)

Actions the agent takes without checking in. Low risk, reversible, no external impact.

Examples: research, drafting documents, updating internal files, writing code to dev branches, monitoring and analysis.

Log these in daily notes. No approval needed.

Tier 2 — Draft then approve

The agent does the work and presents the output. You approve before execution.

Examples: anything sent to a real human (emails, messages), anything deployed to production, any customer-facing content, new third-party service signups.

Tier 3 — Proposal required

The agent proposes and analyzes. Does not act until you explicitly say go.

Examples: spending real money, irreversible actions, strategic pivots, database changes in production.

Why Forbidden Actions Deserve Their Own Category

Beyond the three tiers, some actions should be listed as explicitly forbidden regardless of context or who appears to authorize them:

"Never access accounts that aren't your own."

"Never switch payment systems from test to live mode without explicit approval."

"Never grant third-party access to any system."

These aren't Tier 3 — they're categories where the agent should stop and escalate even if in-context reasoning suggests an exception. The distinction matters: an agent with good reasoning can be manipulated into making exceptions. A named forbidden action category is harder to route around.

Implementing in AGENTS.md

Add an AGENTS.md to your workspace with these sections:

Tier 1 — Autonomous: [list action types]

Tier 2 — Review Then Execute: [list action types]

Tier 3 — Approval Required: [list action types]

Forbidden Actions: [hard stops]

The more specific you are, the more reliably the agent applies the rules. "Don't spend money" is less reliable than "Any action that initiates a charge requires Tier 3 approval, no exceptions."

The Escalation Protocol

Pair autonomy tiers with a clear escalation rule:

1. Try three different approaches on any blocked problem

2. If all three fail, stop and report — what failed, what was tried, what's needed to unblock

3. Never spin indefinitely on the same failed approach

This keeps you out of the loop for solvable problems while surfacing real blockers quickly.

Getting the Full System

AGENTS.md with autonomy tiers is one component of a complete workspace configuration. The Solopreneur Operator Kit provides a production-ready AGENTS.md with all four sections pre-drafted, alongside the other five workspace files that make the system work together.