A paid media agent for Google Ads ops does not need to be autonomous to be useful — it needs to be trustworthy. This is a build guide for an agent that reads your account through the Google Ads Query Language (GAQL), runs three fixed checks, and stops to ask a human before anything changes. The differentiator is the guardrail, not the model.
The three workflows are the ones agencies already babysit by hand: budget pacing, search-term triage, and target or recommendation audits. Each is grounded in a real Google Ads API resource, so the read layer is concrete rather than aspirational. What makes this an engineering post rather than a manifesto is the boundary: Google's own RecommendationService is a single call away from applying changes for you, and this design deliberately stops short of it.
There is a timely reason this matters right now. Google applied a rewritten Ads Terms of Service to all accounts on July 1, 2026, expanding the automation authority it can exercise on your behalf — while explicitly keeping you responsible for reviewing what those tools generate. That contract change turns a sign-off layer from a nice-to-have into a compliance-shaped gap worth filling. This guide is evergreen; the news is context, not the load-bearing hook.
- 01The guardrail is the product, not the model.A useful Google Ads ops agent reads and flags; a human approves every write. That single design decision is what separates a maintainable system from a compounding-error liability.
- 02GAQL through GoogleAdsService is the whole read layer.Search and SearchStream over resources like campaign_budget, search_term_view and RecommendationService give the agent everything it needs to pace budgets, triage terms and audit targets.
- 03ApplyRecommendation is one call from autonomy.Google exposes a real auto-apply path. An agent that queries recommendations is a single line of code from executing them — which is exactly the line the sign-off design is built to hold.
- 04The official Ads MCP server is read-only.Google's own Ads MCP server exposes three tools and, by its documentation, cannot modify bids, pause campaigns or create assets. It is a read companion, never the write layer.
- 05change_event logs the past; it does not gate the future.The audit-trail resource reports what already changed inside a bounded 30-day window. The approval gate has to live outside the Ads API, in your own Slack or email loop.
01 — The CaseWhy build this now.
On July 1, 2026, Google applied a rewritten Ads Terms of Service to every account automatically — no login prompt, no explicit acceptance step. The new language authorizes Google to format, select or generate targets, ads and destinations on the advertiser's behalf through automated program features. It is the first substantive rewrite of that automation authority in years, and we unpack the clause itself in our companion piece on Google's July TOS rewrite and what the AI clause means.
Here is the sentence that should shape your architecture: even as it expands what Google's tools may do automatically, the terms keep advertisers responsible for reviewing, approving, editing or removing any campaigns and ad assets those tools generate or modify. The platform expanded its authority to act and, in the same document, reaffirmed that the obligation to review sits with you. That is not a best practice anymore — it is written into the contract you are operating under.
An agent that reads the account, spots the changes worth acting on, and routes each one to a human for approval is the operational answer to that obligation. It is also just good engineering. The same enforcement direction shows up elsewhere in the platform — our note on Google's tCPA and tROAS target enforcement from August 17 is a concrete example of an automated behavior a target audit should be watching for.
02 — ArchitectureA workflow with an agentic read layer, not an autopilot.
It is worth being precise about what you are building. In Anthropic's engineering framing, workflows are systems where language models and tools are orchestrated through predefined code paths, while agents are systems where the model dynamically directs its own process and tool use. An ops agent that runs three fixed checks and stops for a human is much closer to a workflow with an agentic read layer than to a fully autonomous agent — and that is a feature, not a limitation.
The same guidance recommends pausing for human feedback at checkpoints, particularly before irreversible or high-stakes actions, and warns that autonomy brings higher costs and the potential for compounding errors. In paid media, a wrong budget edit or a bad bidding-strategy switch is exactly the kind of high-stakes, hard-to-cleanly-undo action that belongs behind a checkpoint. The reflex to add autonomy should be resisted until it demonstrably improves outcomes — and missed pacing or search-term drift is solved by a read-and-flag loop without it.
So the shape of the system is deliberate. A scheduled read layer polls the account. A rules layer decides what crosses a threshold. A drafting layer turns each crossing into a specific proposed action — a budget edit, a negative keyword, a recommendation to apply or dismiss. And a sign-off layer, living in Slack or email outside the Ads API, is where a human says yes before any mutate call is ever made. The model is doing the reading and the summarizing; the human is doing the deciding.
03 — Read LayerGAQL through GoogleAdsService is the whole read layer.
The Google Ads Query Language queries the API through GoogleAdsService's Search and SearchStream methods, returning GoogleAdsRow results with the resource attributes, segments and metrics you ask for. A basic anomaly or pacing query is as plain as SELECT campaign.id, metrics.impressions, segments.date FROM campaign with a WHERE filter — and the same shape extends to the two other resources this build needs. That is the entire read surface: three resources, one query language.
Google also ships an official, read-only Ads MCP server that is worth knowing about here. It exposes exactly three tools — list_accessible_customers, search (GAQL) and get_resource_metadata — and, by its own documentation, cannot modify bids, pause campaigns or create assets. If you want the read companion to this build wired into Claude or Gemini, our Google Ads MCP server setup guide walks through it. Treat it as a read layer only; the write path in this design never runs through it.
campaign_budget
amount_micros holds the average daily budget Google spreads across the month (or total_amount_micros for a lifetime cap). Read it against actual metrics.cost_micros to see how pace is tracking.
search_term_view
The search-term-level resource — search_term_view.search_term joined with metrics.ctr, cost_micros and impressions. This is the raw material for spotting a costly, non-converting query.
RecommendationService
Surfaces machine-generated recommendation types — CAMPAIGN_BUDGET, KEYWORD and the *_OPT_IN bidding types — plus an optimization-score uplift figure the agent can summarize without applying anything.
One honest caveat on visibility. If your account leans on Performance Max, its search-terms reporting is rolling out but shows only a subset of terms that generated significant traffic — not the complete, query-level view standard Search campaigns provide. A newer source column does trace which surface a query came from, which is genuinely useful for flagging channel imbalances. Design the triage workflow to treat PMax coverage as partial, and it stays honest.
04 — WorkflowsThe three ops workflows.
None of these is a novel idea — agencies already run brittle, manual versions of them. The agent's job is to formalize existing best practice into a repeatable system with a consistent output: a flagged item and a proposed action, never a silent change. For the pacing thresholds, ground your idea of “normal” in real category data — our 2026 PPC benchmarks are a useful reference for what typical spend behavior looks like.
Budget pacing check
Compare spend so far against the average-daily-budget pace. When a campaign drifts meaningfully ahead of or behind pace, flag it in the daily digest with a proposed budget edit. Google's own anomaly pattern compares the current period against the same weekday's historical average.
Search-term triage
Scan for terms that cross a cost-with-no-conversion threshold. The agent drafts a negative keyword and shows the spend it would have saved from that term going forward. It never adds the negative itself.
Target audit
When a CAMPAIGN_BUDGET or a bidding *_OPT_IN recommendation appears, summarize what it would change and route it to a human to apply or dismiss. This is where signal quality matters most: good inputs, good outputs.
05 — Sign-Off MatrixWhere the agent's read stops and a human's write begins.
This is the architecture most “agentic PPC” content skips in favor of vague talk about guardrails. Below is the concrete version: for each workflow, exactly what the agent reads, what makes it flag, what it hands you, and the specific Google Ads API surface that your approved action ultimately calls. Every column traces to a real API resource — nothing here is invented.
| Workflow | Agent reads | Trigger to flag | Agent output | Human approves → API surface |
|---|---|---|---|---|
| The three ops workflows — read stops here, write starts on approval | ||||
| Budget pacing check | campaign_budget.amount_micros vs metrics.cost_micros | Spend drifts off the average-daily-budget pace | Flag in the daily digest + a draft budget edit | Approve → CampaignBudgetService mutate |
| Search-term triage | search_term_view + metrics.ctr, cost_micros | A term crosses a cost / no-conversion threshold | Draft negative keyword with the term and its cost | Approve → AdGroupCriterionService mutate |
| Target / recommendation audit | RecommendationService (CAMPAIGN_BUDGET, *_OPT_IN) | A budget or bidding-opt-in recommendation appears | Draft note summarizing what it would change | Approve → ApplyRecommendation / DismissRecommendation |
Read the last column carefully. In all three workflows the agent produces a draft and nothing else. The mutate call — the actual write — only ever fires after a human clicks approve in the sign-off layer. The API services in that column are real, and the agent is fully capable of calling them. The design choice is to make it wait.
06 — The BoundaryThe one call that crosses the line.
ApplyRecommendation is a real, one-call auto-apply path that Google exposes. An ops agent that already queries RecommendationService to build its target-audit digest is a single line of code away from applying those recommendations automatically. That proximity is the whole reason the sign-off design exists: the capability to go autonomous is right there, and the engineering discipline is in choosing not to wire it up.
There is a practical failure mode that makes the case for a review loop concrete rather than theoretical. Practitioners report that auto-applied recommendations and opt-ins can quietly revert — you turn something off, walk through the whole review, and later find it turned back on. A one-time toggle is not a control; a human-approval loop with an audit trail is. So the sensible policy is to route Google's own recommendation types by reversibility and spend impact, and to never auto-apply the ones that move money or switch bidding strategy.
“Even sometimes after you turn it off and you go through the whole review, the campaign setup, you see it turned back on.”— Chris Ridley, Head of Paid Media, Evoluted
Changes daily or lifetime spend
Reversible, but it moves money the moment it applies. The blast radius is your budget. Always route to a human — the digest can propose the number, a person confirms it.
Switches the bidding strategy
Opting a campaign into a Smart Bidding strategy is not cleanly undone — it resets learning and reshapes delivery. This is the highest-stakes recommendation class and the one most prone to reverting.
Expands match type
Broadening match type widens the query pool and the spend surface at once. Easy to reverse in theory, expensive if left unwatched. Draft it, show the projected reach change, wait for approval.
Adds suggested keywords
Lower stakes — new keywords are easy to pause and their spend is bounded by the same budget the pacing check watches. Still surface them for review, but this is the class you can process fastest.
07 — ConstraintsQuotas, rate limits, and how chatty your polling can be.
Two separate ceilings govern how a multi-account ops agent behaves. The first is a fixed daily operation quota tied to your developer token's access level. Every Get, Search/SearchStream and mutate counts as one operation; a single mutate request is capped at 10,000 operations, and some action-style requests at 100. Exceeding the daily cap returns RESOURCE_EXHAUSTED. The table below recomputes each tier's cap as a share of Basic Access so you can size a polling loop honestly.
| Access tier | Daily operation cap | Share of Basic cap | What it means for polling |
|---|---|---|---|
| Daily operation quotas by developer-token access level | |||
| Basic Access | 15,000 / day | 100% | Comfortable headroom for a handful of accounts on an hourly read loop |
| Explorer Access · test accounts | 15,000 / day | 100% | Same ceiling as Basic — build and load-test the loop here first |
| Explorer Access · production | 2,880 / day | 19.2% | Roughly a fifth of Basic — batch reads and stretch the poll cadence |
| Standard Access | No daily cap | — | Daily-quota constraint lifts; the QPS rate limit still applies |
The second ceiling is separate from the daily quota: the API also rate-limits by queries per second, per customer ID and per developer token, using a token-bucket algorithm. There is no single published fixed QPS number — the exact ceiling varies with server load, and violations return RESOURCE_TEMPORARILY_EXHAUSTED. Do not hard-code a magic QPS constant; design for backoff instead. Google's own escalating mitigations are a ready-made checklist: cap concurrent tasks, batch operations into single mutate calls, add a client-side token-bucket rate limiter, and use message queues with coordinated backoff.
08 — Audit TrailAudit trail is not an approval gate.
The change_event resource is the audit-trail mechanism, and it is easy to over-claim. It returns exactly what changed on a resource — old value, new value, whether a UI or API client made the change, and which user made it, where that is visible in Change History. That is genuinely valuable for reconstructing what happened. But it is retrospective: it reports changes after the fact. It cannot block a change or require sign-off before one happens.
There is also a hard constraint on reach. A change_event query’s WHERE clause on change_date_time is required and must cover a window of at most 30 days within the past 30 days. So the audit trail is a rolling 30-day view unless you archive it yourself. The lesson for the architecture is clean: use change_event to verify that approved changes landed and to catch anything that changed without going through your loop — but build the actual approval gate outside the Ads API, in the Slack or email sign-off step where a human says yes before the mutate ever runs.
change_event logs what already happened, inside a bounded 30-day window. It is not a prospective control. The gate that requires human approval before a write has to live in your own workflow — the Ads API gives you the audit trail, not the veto.09 — ConclusionBuild the guardrail first.
The differentiator is the sign-off layer, not the model.
A Google Ads ops agent is not hard to build. GAQL through GoogleAdsService gives you a clean read layer over campaign_budget, search_term_view and RecommendationService, and three fixed workflows — pacing, triage, audit — cover the drudgery agencies already do by hand. The interesting engineering is not in the reading. It is in deciding, deliberately, where the reading stops and a human's write begins.
That decision has a real edge to it. ApplyRecommendation is one call from autonomy, auto-applied changes can quietly revert, and change_event tells you what happened but never blocks it. Put those facts together and the safe architecture writes itself: the agent drafts, a human approves, and the audit trail confirms. The model does the reading; the person does the deciding.
The timing makes it more than a preference. Google's July 2026 terms expanded what its automation may do while keeping the obligation to review squarely on the advertiser. A read-and-flag agent with human sign-off is the operational answer to that obligation — and the version of “agentic PPC” that a serious team can actually run in production — the kind of build our paid media practice ships. Build the guardrail first, and the rest is plumbing.