Start restricted, build confidence, increase autonomy — without ever losing control of what your agent sends.
Most teams deploy AI email agents at one of two extremes: fully autonomous (where mistakes go out unreviewed) or fully gated (where human bottlenecks kill the automation value). Neither is right. The real challenge is building a path from zero trust to earned autonomy — where the agent proves its judgment on low-risk tasks before you give it control over high-stakes communication. Without a structured framework, teams either over-restrict their agents indefinitely or flip to autonomous too early and ship an embarrassing or non-compliant email to a real customer.
MultiMail exposes five oversight modes — read_only, gated_all, gated_send, monitored, and autonomous — that map directly to your agent's demonstrated reliability. You configure the mode per mailbox, not globally, so a single agent can operate autonomously on internal routing while staying gated on customer-facing sends. Every mode produces an audit log. Approvals flow through the list_pending and decide_email endpoints so your review UI integrates with existing tooling. When an agent's approval rate hits your threshold, promote it by updating the mailbox oversight_mode — no code changes, no restart.
Classify each email workflow by blast radius. Customer-facing sends, billing notifications, and compliance-triggered messages are high-risk. Internal routing, status digests, and read-only monitoring are low-risk. Assign a starting oversight mode based on that classification — not on how capable you think the model is.
Call POST /create_mailbox with oversight_mode set to your chosen level. Each mailbox gets its own mode, so you can give the same agent restrictive settings on [email protected] and looser settings on [email protected]. The mode is enforced server-side — your agent code needs no conditional logic per environment.
Let the agent operate normally. In gated_send mode, outbound messages queue for human review via list_pending while reads remain unrestricted. In gated_all mode, both reads and sends require approval. The audit log records every action — what the agent attempted, what was approved, what was rejected — giving you the behavioral data to make a promotion decision.
Fetch pending messages with GET /list_pending and inspect each drafted message. Use POST /decide_email with action: 'approve' or 'reject' to release or block delivery. Track your approval-to-rejection ratio across decisions. An approval rate above 95% over 50+ decisions is a reasonable threshold for promotion to monitored mode.
When the agent's track record supports it, update the mailbox oversight_mode. Move gated_send to monitored, then monitored to autonomous as confidence grows. Each promotion takes effect immediately on the next API call. If behavior degrades after a promotion, demote the mailbox in one API call and the gate reactivates instantly.
The audit log satisfies EU AI Act Article 14 requirements for human oversight of automated decision-making systems, and provides the CAN-SPAM delivery and opt-out record required for bulk sends. Every decide_email action is timestamped and attributed to the reviewer's API token. Export per-mailbox logs for compliance reviews.
Pick your platform, copy the prompt, and paste it to your AI agent — it sets up MultiMail and builds the whole flow. Nothing to fill in.
Oversight modes apply to individual mailboxes, not globally per agent. One agent can operate autonomously on [email protected] while staying fully gated on [email protected] — without any conditional logic in the agent code.
Every action — send attempt, approval, rejection, read — is logged with timestamp and API token attribution. EU AI Act Article 14 requires human oversight mechanisms for high-risk AI systems; the audit log provides the required paper trail. CAN-SPAM requires honoring opt-outs; the log records all delivery decisions.
Updating oversight_mode via the API takes effect on the next request. If an agent starts drafting inappropriate messages after a promotion, demote the mailbox in one API call and the gate reactivates immediately — no deployment, no rollback, no restart required.
list_pending returns structured JSON you can render in an existing admin dashboard, Slack app, or ticketing workflow. decide_email accepts the approval or rejection from any HTTP client. You are not required to use a MultiMail UI — the endpoints are the oversight layer.
The claim that gated_send blocks delivery until a decide_email approval is not a policy — it is a formally proven property of the system, verified in Lean 4 proofs published with each release. An agent calling send_email on a gated mailbox receives a 202 Accepted with a pending message ID; the message is queued, not delivered, and no API parameter can bypass that.
Email infrastructure built for AI agents. Verifiable identity, graduated oversight, and a hosted MCP server. Formally verified in Lean 4.