MarketingPlaybook11 min readPublished July 7, 2026

Read-and-flag over GAQL · human sign-off on every write

Build a Paid Media Agent for Google Ads with sign-off

A build guide for a Google Ads ops agent that handles budget pacing, search-term triage and target audits — with the guardrail that makes it safe to run. The agent reads through GAQL and flags; a human approves every write. The differentiator is the sign-off layer, not the model.

DA
Digital Applied Team
Senior strategists · Paid media engineering
PublishedJul 7, 2026
Read time11 min
SourcesGoogle Ads API docs
Official Ads MCP server
3
read-only tools
no writes
Basic Access daily quota
15K
operations / day
ApplyRecommendation
1
API call to autonomy
the line not to cross
Ads TOS rewrite
Jul 1
2026 · automation clause

A paid media agent for Google Ads ops does not need to be autonomous to be useful — it needs to be trustworthy. This is a build guide for an agent that reads your account through the Google Ads Query Language (GAQL), runs three fixed checks, and stops to ask a human before anything changes. The differentiator is the guardrail, not the model.

The three workflows are the ones agencies already babysit by hand: budget pacing, search-term triage, and target or recommendation audits. Each is grounded in a real Google Ads API resource, so the read layer is concrete rather than aspirational. What makes this an engineering post rather than a manifesto is the boundary: Google's own RecommendationService is a single call away from applying changes for you, and this design deliberately stops short of it.

There is a timely reason this matters right now. Google applied a rewritten Ads Terms of Service to all accounts on July 1, 2026, expanding the automation authority it can exercise on your behalf — while explicitly keeping you responsible for reviewing what those tools generate. That contract change turns a sign-off layer from a nice-to-have into a compliance-shaped gap worth filling. This guide is evergreen; the news is context, not the load-bearing hook.

Key takeaways
  1. 01
    The guardrail is the product, not the model.A useful Google Ads ops agent reads and flags; a human approves every write. That single design decision is what separates a maintainable system from a compounding-error liability.
  2. 02
    GAQL through GoogleAdsService is the whole read layer.Search and SearchStream over resources like campaign_budget, search_term_view and RecommendationService give the agent everything it needs to pace budgets, triage terms and audit targets.
  3. 03
    ApplyRecommendation is one call from autonomy.Google exposes a real auto-apply path. An agent that queries recommendations is a single line of code from executing them — which is exactly the line the sign-off design is built to hold.
  4. 04
    The official Ads MCP server is read-only.Google's own Ads MCP server exposes three tools and, by its documentation, cannot modify bids, pause campaigns or create assets. It is a read companion, never the write layer.
  5. 05
    change_event logs the past; it does not gate the future.The audit-trail resource reports what already changed inside a bounded 30-day window. The approval gate has to live outside the Ads API, in your own Slack or email loop.

01The CaseWhy build this now.

On July 1, 2026, Google applied a rewritten Ads Terms of Service to every account automatically — no login prompt, no explicit acceptance step. The new language authorizes Google to format, select or generate targets, ads and destinations on the advertiser's behalf through automated program features. It is the first substantive rewrite of that automation authority in years, and we unpack the clause itself in our companion piece on Google's July TOS rewrite and what the AI clause means.

Here is the sentence that should shape your architecture: even as it expands what Google's tools may do automatically, the terms keep advertisers responsible for reviewing, approving, editing or removing any campaigns and ad assets those tools generate or modify. The platform expanded its authority to act and, in the same document, reaffirmed that the obligation to review sits with you. That is not a best practice anymore — it is written into the contract you are operating under.

An agent that reads the account, spots the changes worth acting on, and routes each one to a human for approval is the operational answer to that obligation. It is also just good engineering. The same enforcement direction shows up elsewhere in the platform — our note on Google's tCPA and tROAS target enforcement from August 17 is a concrete example of an automated behavior a target audit should be watching for.

The operative sentence
Google's July 2026 terms keep the advertiser responsible for reviewing, approving, editing, or removing any campaigns and ad assets its automated tools generate or modify. The platform holds the authority to act; you hold the obligation to review. A sign-off agent is the workflow that closes the gap between the two.

02ArchitectureA workflow with an agentic read layer, not an autopilot.

It is worth being precise about what you are building. In Anthropic's engineering framing, workflows are systems where language models and tools are orchestrated through predefined code paths, while agents are systems where the model dynamically directs its own process and tool use. An ops agent that runs three fixed checks and stops for a human is much closer to a workflow with an agentic read layer than to a fully autonomous agent — and that is a feature, not a limitation.

The same guidance recommends pausing for human feedback at checkpoints, particularly before irreversible or high-stakes actions, and warns that autonomy brings higher costs and the potential for compounding errors. In paid media, a wrong budget edit or a bad bidding-strategy switch is exactly the kind of high-stakes, hard-to-cleanly-undo action that belongs behind a checkpoint. The reflex to add autonomy should be resisted until it demonstrably improves outcomes — and missed pacing or search-term drift is solved by a read-and-flag loop without it.

Guidance worth quoting in full
“The autonomous nature of agents means higher costs, and the potential for compounding errors. We recommend extensive testing in sandboxed environments, along with the appropriate guardrails.” The point is not that autonomy is bad — it is that you should add it only where it clearly earns its keep, and pacing checks do not require it.

So the shape of the system is deliberate. A scheduled read layer polls the account. A rules layer decides what crosses a threshold. A drafting layer turns each crossing into a specific proposed action — a budget edit, a negative keyword, a recommendation to apply or dismiss. And a sign-off layer, living in Slack or email outside the Ads API, is where a human says yes before any mutate call is ever made. The model is doing the reading and the summarizing; the human is doing the deciding.

03Read LayerGAQL through GoogleAdsService is the whole read layer.

The Google Ads Query Language queries the API through GoogleAdsService's Search and SearchStream methods, returning GoogleAdsRow results with the resource attributes, segments and metrics you ask for. A basic anomaly or pacing query is as plain as SELECT campaign.id, metrics.impressions, segments.date FROM campaign with a WHERE filter — and the same shape extends to the two other resources this build needs. That is the entire read surface: three resources, one query language.

Google also ships an official, read-only Ads MCP server that is worth knowing about here. It exposes exactly three tools — list_accessible_customers, search (GAQL) and get_resource_metadata — and, by its own documentation, cannot modify bids, pause campaigns or create assets. If you want the read companion to this build wired into Claude or Gemini, our Google Ads MCP server setup guide walks through it. Treat it as a read layer only; the write path in this design never runs through it.

Budget pacing
campaign_budget
01

amount_micros holds the average daily budget Google spreads across the month (or total_amount_micros for a lifetime cap). Read it against actual metrics.cost_micros to see how pace is tracking.

vs metrics.cost_micros
Search-term triage
search_term_view
02

The search-term-level resource — search_term_view.search_term joined with metrics.ctr, cost_micros and impressions. This is the raw material for spotting a costly, non-converting query.

metrics.cost_micros · ctr
Target audit
RecommendationService
03

Surfaces machine-generated recommendation types — CAMPAIGN_BUDGET, KEYWORD and the *_OPT_IN bidding types — plus an optimization-score uplift figure the agent can summarize without applying anything.

optimization_score_uplift

One honest caveat on visibility. If your account leans on Performance Max, its search-terms reporting is rolling out but shows only a subset of terms that generated significant traffic — not the complete, query-level view standard Search campaigns provide. A newer source column does trace which surface a query came from, which is genuinely useful for flagging channel imbalances. Design the triage workflow to treat PMax coverage as partial, and it stays honest.

04WorkflowsThe three ops workflows.

None of these is a novel idea — agencies already run brittle, manual versions of them. The agent's job is to formalize existing best practice into a repeatable system with a consistent output: a flagged item and a proposed action, never a silent change. For the pacing thresholds, ground your idea of “normal” in real category data — our 2026 PPC benchmarks are a useful reference for what typical spend behavior looks like.

Workflow 01
Budget pacing check
campaign_budget · metrics.cost_micros

Compare spend so far against the average-daily-budget pace. When a campaign drifts meaningfully ahead of or behind pace, flag it in the daily digest with a proposed budget edit. Google's own anomaly pattern compares the current period against the same weekday's historical average.

Output: flag + draft budget edit
Workflow 02
Search-term triage
search_term_view · ctr · cost_micros

Scan for terms that cross a cost-with-no-conversion threshold. The agent drafts a negative keyword and shows the spend it would have saved from that term going forward. It never adds the negative itself.

Output: draft negative keyword
Workflow 03
Target audit
RecommendationService types

When a CAMPAIGN_BUDGET or a bidding *_OPT_IN recommendation appears, summarize what it would change and route it to a human to apply or dismiss. This is where signal quality matters most: good inputs, good outputs.

Output: draft apply / dismiss note

05Sign-Off MatrixWhere the agent's read stops and a human's write begins.

This is the architecture most “agentic PPC” content skips in favor of vague talk about guardrails. Below is the concrete version: for each workflow, exactly what the agent reads, what makes it flag, what it hands you, and the specific Google Ads API surface that your approved action ultimately calls. Every column traces to a real API resource — nothing here is invented.

The human sign-off matrix for a Google Ads ops agent: for each of the three workflows (budget pacing, search-term triage, target audit), the GAQL or API resource the agent reads, the condition that triggers a flag, the draft output the agent produces, and the Google Ads API service the human's approved write ultimately calls. Compiled from Google Ads API documentation.
WorkflowAgent readsTrigger to flagAgent outputHuman approves → API surface
The three ops workflows — read stops here, write starts on approval
Budget pacing checkcampaign_budget.amount_micros vs metrics.cost_microsSpend drifts off the average-daily-budget paceFlag in the daily digest + a draft budget editApprove → CampaignBudgetService mutate
Search-term triagesearch_term_view + metrics.ctr, cost_microsA term crosses a cost / no-conversion thresholdDraft negative keyword with the term and its costApprove → AdGroupCriterionService mutate
Target / recommendation auditRecommendationService (CAMPAIGN_BUDGET, *_OPT_IN)A budget or bidding-opt-in recommendation appearsDraft note summarizing what it would changeApprove → ApplyRecommendation / DismissRecommendation

Read the last column carefully. In all three workflows the agent produces a draft and nothing else. The mutate call — the actual write — only ever fires after a human clicks approve in the sign-off layer. The API services in that column are real, and the agent is fully capable of calling them. The design choice is to make it wait.

06The BoundaryThe one call that crosses the line.

ApplyRecommendation is a real, one-call auto-apply path that Google exposes. An ops agent that already queries RecommendationService to build its target-audit digest is a single line of code away from applying those recommendations automatically. That proximity is the whole reason the sign-off design exists: the capability to go autonomous is right there, and the engineering discipline is in choosing not to wire it up.

There is a practical failure mode that makes the case for a review loop concrete rather than theoretical. Practitioners report that auto-applied recommendations and opt-ins can quietly revert — you turn something off, walk through the whole review, and later find it turned back on. A one-time toggle is not a control; a human-approval loop with an audit trail is. So the sensible policy is to route Google's own recommendation types by reversibility and spend impact, and to never auto-apply the ones that move money or switch bidding strategy.

“Even sometimes after you turn it off and you go through the whole review, the campaign setup, you see it turned back on.”— Chris Ridley, Head of Paid Media, Evoluted
CAMPAIGN_BUDGET
Changes daily or lifetime spend

Reversible, but it moves money the moment it applies. The blast radius is your budget. Always route to a human — the digest can propose the number, a person confirms it.

Flag · never auto-apply
TARGET_CPA / TARGET_ROAS_OPT_IN
Switches the bidding strategy

Opting a campaign into a Smart Bidding strategy is not cleanly undone — it resets learning and reshapes delivery. This is the highest-stakes recommendation class and the one most prone to reverting.

Flag · never auto-apply
USE_BROAD_MATCH_KEYWORD
Expands match type

Broadening match type widens the query pool and the spend surface at once. Easy to reverse in theory, expensive if left unwatched. Draft it, show the projected reach change, wait for approval.

Flag · never auto-apply
KEYWORD
Adds suggested keywords

Lower stakes — new keywords are easy to pause and their spend is bounded by the same budget the pacing check watches. Still surface them for review, but this is the class you can process fastest.

Flag for quick review

07ConstraintsQuotas, rate limits, and how chatty your polling can be.

Two separate ceilings govern how a multi-account ops agent behaves. The first is a fixed daily operation quota tied to your developer token's access level. Every Get, Search/SearchStream and mutate counts as one operation; a single mutate request is capped at 10,000 operations, and some action-style requests at 100. Exceeding the daily cap returns RESOURCE_EXHAUSTED. The table below recomputes each tier's cap as a share of Basic Access so you can size a polling loop honestly.

Google Ads API daily operation quotas by developer-token access level, with each tier's cap recomputed as a share of the Basic Access cap. Basic Access allows 15,000 operations per day; Explorer Access allows 2,880 per day in production but 15,000 in test accounts; Standard Access removes the daily cap. Source: Google Ads API limits and quotas documentation.
Access tierDaily operation capShare of Basic capWhat it means for polling
Daily operation quotas by developer-token access level
Basic Access15,000 / day100%Comfortable headroom for a handful of accounts on an hourly read loop
Explorer Access · test accounts15,000 / day100%Same ceiling as Basic — build and load-test the loop here first
Explorer Access · production2,880 / day19.2%Roughly a fifth of Basic — batch reads and stretch the poll cadence
Standard AccessNo daily capDaily-quota constraint lifts; the QPS rate limit still applies

The second ceiling is separate from the daily quota: the API also rate-limits by queries per second, per customer ID and per developer token, using a token-bucket algorithm. There is no single published fixed QPS number — the exact ceiling varies with server load, and violations return RESOURCE_TEMPORARILY_EXHAUSTED. Do not hard-code a magic QPS constant; design for backoff instead. Google's own escalating mitigations are a ready-made checklist: cap concurrent tasks, batch operations into single mutate calls, add a client-side token-bucket rate limiter, and use message queues with coordinated backoff.

08Audit TrailAudit trail is not an approval gate.

The change_event resource is the audit-trail mechanism, and it is easy to over-claim. It returns exactly what changed on a resource — old value, new value, whether a UI or API client made the change, and which user made it, where that is visible in Change History. That is genuinely valuable for reconstructing what happened. But it is retrospective: it reports changes after the fact. It cannot block a change or require sign-off before one happens.

There is also a hard constraint on reach. A change_event query’s WHERE clause on change_date_time is required and must cover a window of at most 30 days within the past 30 days. So the audit trail is a rolling 30-day view unless you archive it yourself. The lesson for the architecture is clean: use change_event to verify that approved changes landed and to catch anything that changed without going through your loop — but build the actual approval gate outside the Ads API, in the Slack or email sign-off step where a human says yes before the mutate ever runs.

The distinction that keeps you honest
change_event logs what already happened, inside a bounded 30-day window. It is not a prospective control. The gate that requires human approval before a write has to live in your own workflow — the Ads API gives you the audit trail, not the veto.

09ConclusionBuild the guardrail first.

The shape of a paid media agent worth running

The differentiator is the sign-off layer, not the model.

A Google Ads ops agent is not hard to build. GAQL through GoogleAdsService gives you a clean read layer over campaign_budget, search_term_view and RecommendationService, and three fixed workflows — pacing, triage, audit — cover the drudgery agencies already do by hand. The interesting engineering is not in the reading. It is in deciding, deliberately, where the reading stops and a human's write begins.

That decision has a real edge to it. ApplyRecommendation is one call from autonomy, auto-applied changes can quietly revert, and change_event tells you what happened but never blocks it. Put those facts together and the safe architecture writes itself: the agent drafts, a human approves, and the audit trail confirms. The model does the reading; the person does the deciding.

The timing makes it more than a preference. Google's July 2026 terms expanded what its automation may do while keeping the obligation to review squarely on the advertiser. A read-and-flag agent with human sign-off is the operational answer to that obligation — and the version of “agentic PPC” that a serious team can actually run in production — the kind of build our paid media practice ships. Build the guardrail first, and the rest is plumbing.

Put a sign-off agent on your Google Ads

A Google Ads agent your team can actually trust in production.

We design and operate paid media agents with the guardrail built in — read-and-flag over GAQL, human sign-off on every write, and audit trails that hold up. Grounded in the Google Ads API, delivered in days not quarters.

Free consultationExpert guidanceTailored solutions
What we work on

Paid media agent engagements

  • Read-and-flag agents over the Google Ads API
  • Budget pacing, search-term triage, target audits
  • Human sign-off loops in Slack or email
  • Recommendation risk-tiering by reversibility
  • Governance for platform automation authority
FAQ · Paid media agent build

The questions teams ask before they build.

It is a system that reads a Google Ads account through the Google Ads Query Language (GAQL), runs a fixed set of operational checks, and produces flagged items with proposed actions for a human to approve. In this build it handles three workflows: budget pacing, search-term triage, and target or recommendation audits. Crucially, it is a read-and-flag design, not an autonomous bidder — the agent drafts a budget edit, a negative keyword or a recommendation summary, and a person approves before any change is written. That framing matters: the agent is closer to a workflow with an agentic read layer than to a fully autonomous agent, which keeps it maintainable and auditable.