MultiMail's five oversight modes give operators an explicit control plane for agent trust — from read-only observation to full autonomy — with audit trails and upgrade paths built in.
Most teams deploying AI agents on email face a binary choice: let the agent send freely (risky) or require human approval on everything (a bottleneck that erases the productivity gain). There's no operational model for phasing in autonomy as agents demonstrate reliability. The result is either unsafe production sends or a review queue that nobody actually reviews. Compliance frameworks like the EU AI Act and CAN-SPAM require documented human oversight for high-risk automated communications — but 'we prompt the model to be careful' doesn't satisfy an auditor.
MultiMail models agent email autonomy as a first-class policy decision. Each mailbox has an oversight_mode — one of five levels — that determines what the agent can do without human approval. You assign a mode when you create the mailbox, adjust it via API as trust is established, and get a full audit trail of every action and approval event. The mode is enforced server-side, so it can't be overridden by a misbehaving agent or a prompt injection attack.
Every MultiMail mailbox has an oversight_mode field — one of read_only, gated_all, gated_send, monitored, or autonomous. New mailboxes always start at gated_send; from there you downgrade to a stricter mode immediately (PATCH /v1/mailboxes/{id}) or request a higher-autonomy upgrade through the operator-approved upgrade flow. The mode is stored server-side and applies to all agent actions on that mailbox regardless of how the agent was instructed.
When the agent calls the send or reply endpoint (POST /v1/mailboxes/{mailbox_id}/send or POST /v1/mailboxes/{mailbox_id}/reply/{email_id}), MultiMail checks the mailbox mode before acting. In gated_send mode, reads execute immediately but sends are held in a pending queue. In monitored mode, sends execute and a notification is dispatched to the operator. The agent receives a status indicating whether the action was executed, queued, or blocked.
For gated modes, GET /v1/oversight/pending returns all actions awaiting approval. Reviewers call POST /v1/oversight/decide with action approve or reject. Approved messages are sent immediately; rejected messages are discarded and the decision is logged. Webhooks fire on both outcomes so downstream systems stay in sync.
The audit log captures every agent action, approval decision, and mode change. When a support agent has processed 500 inbound tickets without a false positive, you have evidence to justify upgrading from gated_send to monitored. Upgrades go through the operator-approved upgrade flow (request a code, then redeem it); downgrades to a stricter mode are an immediate PATCH. The new policy applies on the next action.
The mode ladder is designed to be climbed: read_only → gated_all → gated_send → monitored → autonomous. Each rung represents a documented, reversible trust decision. If behavior degrades — higher complaint rates, off-topic sends, approval queue anomalies — downgrade the mode via API. The change is instant and requires no redeployment.
Pick your platform, copy the prompt, and paste it to your AI agent — it sets up MultiMail and builds the whole flow. Nothing to fill in.
Oversight modes are enforced by the MultiMail API, not by instructions in the agent's system prompt. A prompt injection attack or a misconfigured agent cannot override the mode. The mailbox's oversight_mode is the source of truth.
Every agent action, mode change, and approval decision is logged with a timestamp and actor. The EU AI Act requires documented human oversight for high-risk automated systems; CAN-SPAM requires identifiable senders and opt-out handling. MultiMail's audit log gives you the paper trail both regulations expect.
Starting a new agent in gated_all mode costs nothing but reviewer time. As the agent proves reliable, upgrading to gated_send and then monitored is a single API call — no code changes, no redeployment, no downtime. Reverting is equally instant if behavior degrades.
In gated_send mode, agents can generate hundreds of pending sends without blocking. Reviewers process the queue in batches via GET /v1/oversight/pending and POST /v1/oversight/decide. Approved messages are delivered in the order they were queued, maintaining thread coherence even after delayed approval.
A single deployment can run multiple agents at different trust levels simultaneously. Your triage agent might be in monitored mode while your customer-facing reply agent stays in gated_send. Each mailbox carries its own mode independently.
Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a hosted MCP server. Formally verified in Lean 4.