Control AI Email Autonomy as a Policy, Not a Prompt

MultiMail's five oversight modes give operators an explicit control plane for agent trust — from read-only observation to full autonomy — with audit trails and upgrade paths built in.


Why this matters

Most teams deploying AI agents on email face a binary choice: let the agent send freely (risky) or require human approval on everything (a bottleneck that erases the productivity gain). There's no operational model for phasing in autonomy as agents demonstrate reliability. The result is either unsafe production sends or a review queue that nobody actually reviews. Compliance frameworks like the EU AI Act and CAN-SPAM require documented human oversight for high-risk automated communications — but 'we prompt the model to be careful' doesn't satisfy an auditor.


How MultiMail solves this

MultiMail models agent email autonomy as a first-class policy decision. Each mailbox has an oversight_mode — one of five levels — that determines what the agent can do without human approval. You assign a mode when you create the mailbox, adjust it via API as trust is established, and get a full audit trail of every action and approval event. The mode is enforced server-side, so it can't be overridden by a misbehaving agent or a prompt injection attack.

1

Every mailbox starts at gated_send, then you adjust the mode

Every MultiMail mailbox has an oversight_mode field — one of read_only, gated_all, gated_send, monitored, or autonomous. New mailboxes always start at gated_send; from there you downgrade to a stricter mode immediately (PATCH /v1/mailboxes/{id}) or request a higher-autonomy upgrade through the operator-approved upgrade flow. The mode is stored server-side and applies to all agent actions on that mailbox regardless of how the agent was instructed.

2

Agent actions are gated or logged according to the mode

When the agent calls the send or reply endpoint (POST /v1/mailboxes/{mailbox_id}/send or POST /v1/mailboxes/{mailbox_id}/reply/{email_id}), MultiMail checks the mailbox mode before acting. In gated_send mode, reads execute immediately but sends are held in a pending queue. In monitored mode, sends execute and a notification is dispatched to the operator. The agent receives a status indicating whether the action was executed, queued, or blocked.

3

Human reviewers process the approval queue

For gated modes, GET /v1/oversight/pending returns all actions awaiting approval. Reviewers call POST /v1/oversight/decide with action approve or reject. Approved messages are sent immediately; rejected messages are discarded and the decision is logged. Webhooks fire on both outcomes so downstream systems stay in sync.

4

Monitor behavior and adjust the policy

The audit log captures every agent action, approval decision, and mode change. When a support agent has processed 500 inbound tickets without a false positive, you have evidence to justify upgrading from gated_send to monitored. Upgrades go through the operator-approved upgrade flow (request a code, then redeem it); downgrades to a stricter mode are an immediate PATCH. The new policy applies on the next action.

5

Expand autonomy incrementally as trust is earned

The mode ladder is designed to be climbed: read_only → gated_all → gated_send → monitored → autonomous. Each rung represents a documented, reversible trust decision. If behavior degrades — higher complaint rates, off-topic sends, approval queue anomalies — downgrade the mode via API. The change is instant and requires no redeployment.


Try it with your agent

Pick your platform, copy the prompt, and paste it to your AI agent — it sets up MultiMail and builds the whole flow. Nothing to fill in.

1. Prepare MultiMail: read https://multimail.dev/llms.txt, connect the MCP server, create a free inbox for this workflow, and set up a verified sender. 2. In Zapier, create a Zap that triggers from the real app event that starts agent email work for your team, such as a new Salesforce lead, new Zendesk ticket, new HubSpot deal stage change, or new form submission; use Zapier's built-in trigger for that app and pass the record details to the agent. 3. For each triggered item, draft the needed customer email, personalize it from the Zap fields, classify the risk level, check for unsubscribe or compliance requirements where relevant, and decide whether it should be sent now, scheduled, or held for review. 4. Use MultiMail oversight mode gated_send so every outbound message is composed and logged by the agent but requires human approval before sending. 5. Ask me only for the Zapier connection credentials, the triggering app credentials, brand voice, sender identity, and approval owner needed to go live.

What you get

Enforcement is server-side, not prompt-side

Oversight modes are enforced by the MultiMail API, not by instructions in the agent's system prompt. A prompt injection attack or a misconfigured agent cannot override the mode. The mailbox's oversight_mode is the source of truth.

Audit trail for EU AI Act and CAN-SPAM compliance

Every agent action, mode change, and approval decision is logged with a timestamp and actor. The EU AI Act requires documented human oversight for high-risk automated systems; CAN-SPAM requires identifiable senders and opt-out handling. MultiMail's audit log gives you the paper trail both regulations expect.

Incremental trust reduces deployment risk

Starting a new agent in gated_all mode costs nothing but reviewer time. As the agent proves reliable, upgrading to gated_send and then monitored is a single API call — no code changes, no redeployment, no downtime. Reverting is equally instant if behavior degrades.

Approval queue handles high-volume gracefully

In gated_send mode, agents can generate hundreds of pending sends without blocking. Reviewers process the queue in batches via GET /v1/oversight/pending and POST /v1/oversight/decide. Approved messages are delivered in the order they were queued, maintaining thread coherence even after delayed approval.

Separate modes per mailbox, per agent

A single deployment can run multiple agents at different trust levels simultaneously. Your triage agent might be in monitored mode while your customer-facing reply agent stays in gated_send. Each mailbox carries its own mode independently.


Recommended oversight mode

Recommended
gated_send
gated_send is the right default for most agent email deployments because it balances operational safety with throughput. The agent can read and classify inbound email autonomously — which is where most of the volume and latency sensitivity lives — while outbound sends are held for human review. This prevents the most consequential failure mode (an agent sending incorrect, off-brand, or compliance-violating email to real recipients) without requiring approval on every read operation. Once the agent has a 30-day track record with low complaint rates and high reviewer approval rates, upgrading to monitored is a single API call.

Common questions

Can an agent change its own oversight mode?
No. Oversight modes can only be changed by API calls authenticated with an operator-level token (mm_live_... or mm_test_... tokens scoped to mailbox management). Agent tokens scoped to email operations cannot modify the oversight_mode field. This boundary is enforced server-side.
What happens to pending messages if I downgrade the mode?
Messages already in the pending queue are not affected by a mode change — they remain in the queue until approved or rejected. The new mode applies only to actions the agent takes after the change. If you want to cancel all pending sends simultaneously, call POST /v1/mailboxes/{mailbox_id}/emails/{email_id}/cancel on each pending item before downgrading.
How long do messages stay in the pending queue before expiring?
By default, pending messages expire after 72 hours if not acted on. Expired messages are cancelled and logged. You can configure a custom expiry per mailbox (minimum 1 hour, maximum 30 days) when creating or updating the mailbox. The agent receives an email.expired webhook event when a pending message times out.
Does monitored mode still send a notification to the operator on every send?
Yes. In monitored mode, the agent's send executes immediately, but the operator receives an oversight copy: monitored mode BCCs the configured oversight address on every outbound message, and message.sent/message.delivered webhook events fire if you have subscribed to them. If no oversight copy or webhook is configured, monitored mode behaves like autonomous mode — the sends execute without any operator visibility. Configure the oversight BCC (and a webhook subscription) when using monitored mode.
How do I demonstrate compliance with the EU AI Act's human oversight requirements?
The EU AI Act requires that high-risk AI systems maintain meaningful human oversight and that operators can intervene. MultiMail's audit log provides a timestamped record of every agent action and every human approval or rejection decision. You can export this log via the API for inclusion in conformity assessments. Using gated_all or gated_send mode for customer-facing communications creates a documented human-in-the-loop for each outbound message.
Can I set different oversight modes for inbound processing versus outbound sending?
Oversight modes apply at the mailbox level and govern all operations on that mailbox. If you need different policies for inbound triage versus outbound replies, use two mailboxes: one in read_only or monitored mode for the agent that reads and classifies, and one in gated_send mode for the agent that drafts replies. Both mailboxes can share the same underlying domain.
What does the agent receive when its send is blocked or queued?
The send and reply responses include a status field. In gated modes, the response is a 202 with status "pending_scan" along with the message id and thread_id, plus a human-readable message explaining it is held for approval. In read_only mode, the response is a 403 with an error field explaining the oversight_mode constraint. Agents should check the status field and handle the pending case explicitly rather than assuming immediate delivery.

Explore more use cases

The only agent email with a verifiable sender

Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a hosted MCP server. Formally verified in Lean 4.