Permission model forces an unsafe binary (alarm fatigue vs. full bypass) — make risk-stratified approval available to individual users

Resolved 💬 2 comments Opened Jun 13, 2026 by Harry18tillIdie Closed Jun 17, 2026

Summary

For Bash commands, Claude Code effectively offers only two modes, with no usable middle ground:

  1. Default — a constant stream of permission prompts, the overwhelming majority harmless (grep, find, read-only inspection).
  2. bypassPermissions — hand over the wheel entirely.

acceptEdits only covers a small filesystem whitelist. auto mode — the one classifier-driven, risk-stratified mode that is the missing middle — is gated behind Team/Enterprise org approval and unavailable to individual users.

I want to argue this is a safety design flaw, not just a UX annoyance, and that it has a well-documented theoretical basis.

Why this is a safety issue, not a preference

This is a textbook case of Lisanne Bainbridge's Ironies of Automation (1983):

  • Vigilance decrement / approval fatigue. Humans are poor at monitoring for rare events in a stream of benign ones. After clicking "Allow" 200 times on harmless commands, the user is conditioned to approve — and that conditioning fires on the 201st command too, the one that happens to be destructive. The protective value of a prompt asymptotes to zero precisely because there are so many of them. The safeguard trains the user to defeat it.

> The risk isn't clicking Allow wrong once; it's clicking it so often that the one time it matters, it's already too late.

  • Out-of-the-loop problem. The only escape — full bypass — removes context and situational awareness for exactly the rare, high-stakes moment when intervention is needed. Bainbridge: you ask the operator to take over in precisely the situation the automation has least prepared them for.
  • Irony of the residual task. The system auto-approves the easy part (read-only, cleanly decomposed pipelines) and leaves the human the hardest judgments — exec wrappers, loops, mutating chains — without decision support.

Why this matters more, not less, over time

The solo operator — the "one-person company" — is a large and fast-growing share of users, and AI is precisely what makes that viable. Gating the only safe middle-ground mode behind Enterprise excludes exactly this emerging core user, leaving them to choose between alarm fatigue and no brakes.

Concrete requests

  1. Make a risk-stratified approval mode (the auto classifier, or equivalent) available to individual Pro/Max users — not just Enterprise.
  2. Default to interrupting on consequence, not on novelty — suppress read-only noise so attention is reserved for genuinely impactful actions.
  3. Give prompts decision-relevant context (why is this risky?) rather than a bare command string, so they engage judgment instead of a reflex.
  4. Treat approval fatigue explicitly as a safety regression in the threat model.

This is the rare case where better UX and better safety are the same fix.

References

  • Bainbridge, L. (1983). Ironies of Automation. Automatica, 19(6), 775–779.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗