Permission model forces an unsafe binary (alarm fatigue vs. full bypass) — make risk-stratified approval available to individual users
Summary
For Bash commands, Claude Code effectively offers only two modes, with no usable middle ground:
- Default — a constant stream of permission prompts, the overwhelming majority harmless (
grep,find, read-only inspection). bypassPermissions— hand over the wheel entirely.
acceptEdits only covers a small filesystem whitelist. auto mode — the one classifier-driven, risk-stratified mode that is the missing middle — is gated behind Team/Enterprise org approval and unavailable to individual users.
I want to argue this is a safety design flaw, not just a UX annoyance, and that it has a well-documented theoretical basis.
Why this is a safety issue, not a preference
This is a textbook case of Lisanne Bainbridge's Ironies of Automation (1983):
- Vigilance decrement / approval fatigue. Humans are poor at monitoring for rare events in a stream of benign ones. After clicking "Allow" 200 times on harmless commands, the user is conditioned to approve — and that conditioning fires on the 201st command too, the one that happens to be destructive. The protective value of a prompt asymptotes to zero precisely because there are so many of them. The safeguard trains the user to defeat it.
> The risk isn't clicking Allow wrong once; it's clicking it so often that the one time it matters, it's already too late.
- Out-of-the-loop problem. The only escape — full bypass — removes context and situational awareness for exactly the rare, high-stakes moment when intervention is needed. Bainbridge: you ask the operator to take over in precisely the situation the automation has least prepared them for.
- Irony of the residual task. The system auto-approves the easy part (read-only, cleanly decomposed pipelines) and leaves the human the hardest judgments — exec wrappers, loops, mutating chains — without decision support.
Why this matters more, not less, over time
The solo operator — the "one-person company" — is a large and fast-growing share of users, and AI is precisely what makes that viable. Gating the only safe middle-ground mode behind Enterprise excludes exactly this emerging core user, leaving them to choose between alarm fatigue and no brakes.
Concrete requests
- Make a risk-stratified approval mode (the
autoclassifier, or equivalent) available to individual Pro/Max users — not just Enterprise. - Default to interrupting on consequence, not on novelty — suppress read-only noise so attention is reserved for genuinely impactful actions.
- Give prompts decision-relevant context (why is this risky?) rather than a bare command string, so they engage judgment instead of a reflex.
- Treat approval fatigue explicitly as a safety regression in the threat model.
This is the rare case where better UX and better safety are the same fix.
References
- Bainbridge, L. (1983). Ironies of Automation. Automatica, 19(6), 775–779.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗