AI Governance Institute

Practical Governance for Enterprise AI

HOC · Human Oversight · HOC-002 · Medium effort · Agent-relevant

Human Approval Gate for Consequential AI Decisions

Require a qualified human to review and approve AI-generated recommendations before they produce irreversible or high-stakes outcomes.

Objective

Preserve meaningful human control over AI outputs in contexts where errors cause significant harm to individuals or the organization.

Maturity Levels

1. Initial: Approval requirements are undefined; humans review AI outputs inconsistently with no documented criteria.

2. Developing: High-risk use cases are identified informally; approval steps exist in some workflows but are not standardized.

3. Defined: Approval gates are documented in process workflows with clear criteria, mandatory triggers, and defined review SLAs.

4. Managed: Approval rates, override frequency, and turnaround times are tracked and reported to governance bodies.

5. Optimizing: Override decisions feed back into model improvement; approval thresholds are tuned based on observed outcomes.

Evidence Requirements

What an auditor or assessor would expect to see for this control.

  • Approval workflow configuration showing trigger conditions, gated decision types, and review SLA
  • Audit logs for a sample period showing reviewer ID, timestamp, decision (approve/modify/reject), and rationale code for each gated decision
  • SLA compliance report showing actual review turnaround times vs. defined SLA
  • Override rate report disaggregated by reviewer, team, and use case over a defined period
  • Deployment configuration or integration test results confirming the gate applies to all systems meeting trigger criteria

Implementation Notes

Key steps

  • Define which risk tiers (per HOC-001) require approval gates — without tiers, everything gets escalated or nothing does.
  • Capture reviewer identity, timestamp, any override rationale, and the final decision alongside the AI output for audit purposes.
  • For agents: approval gates must be synchronous — async approval creates race conditions in multi-step workflows where the agent can act before approval is received.
  • Track automation bias: a near-zero override rate is a red flag that reviewers are rubber-stamping, not reviewing.

Example Implementation

Health insurer routing AI-assisted claims triage for adjuster review

Approval Gate Configuration — Claims Triage System

Trigger conditions (any of the following requires human approval before action):

  • AI confidence score < 0.85
  • Claim value > $50,000
  • Claimant has open dispute on record
  • AI recommendation = Deny

Review SLA: 4 business hours

Reviewer role: Licensed claims adjuster, Level II or above

Required log fields: reviewer_id · review_timestamp · decision (approve / modify / reject) · rationale_code · modified_output (if applicable)

Rationale codes: CONF_LOW | MISSING_DOC | POLICY_CONFLICT | FACTUAL_ERROR | OTHER
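One way to wire the configuration above into code, as an added example that is not part of the original control page (the TriageOutput and Review shapes, the trigger labels and the review_fn callback are assumptions): the gate evaluates the four trigger conditions, blocks synchronously on the adjuster's decision as the key steps require for agents, records the required log fields, and computes the override rate used to spot rubber-stamping.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, Optional

CONFIDENCE_THRESHOLD = 0.85   # thresholds, decisions and codes are those in the configuration above
VALUE_THRESHOLD = 50_000
DECISIONS = {"approve", "modify", "reject"}
RATIONALE_CODES = {"CONF_LOW", "MISSING_DOC", "POLICY_CONFLICT", "FACTUAL_ERROR", "OTHER"}

@dataclass
class TriageOutput:           # assumed shape of the AI recommendation handed to the gate
    claim_id: str
    recommendation: str       # e.g. "Approve" or "Deny"
    confidence: float
    claim_value: float
    open_dispute: bool

@dataclass
class Review:                 # what the adjuster returns; names follow the required log fields
    reviewer_id: str
    decision: str
    rationale_code: str
    modified_output: Optional[str] = None

def triggers(out: TriageOutput) -> list:
    """Return every trigger condition the output meets (labels are constructed for this example)."""
    checks = [(out.confidence < CONFIDENCE_THRESHOLD, "CONF_BELOW_0.85"),
              (out.claim_value > VALUE_THRESHOLD, "VALUE_OVER_50000"),
              (out.open_dispute, "OPEN_DISPUTE"),
              (out.recommendation == "Deny", "AI_DENY")]
    return [label for hit, label in checks if hit]

def gate(out: TriageOutput, review_fn: Callable[[TriageOutput, list], Review]) -> dict:
    """Synchronous gate: the caller gets nothing back until review_fn returns, so an agent cannot act first."""
    hits = triggers(out)
    rec = {"claim_id": out.claim_id, "ai_output": out.recommendation, "triggers": hits, "gated": bool(hits)}
    if not hits:
        rec["final_output"] = out.recommendation
        return rec
    rv = review_fn(out, hits)  # blocks here until a Level II+ adjuster decides
    if (rv.decision not in DECISIONS or rv.rationale_code not in RATIONALE_CODES
            or (rv.decision == "modify" and rv.modified_output is None)):
        raise ValueError("review rejected: decision, rationale code or modified_output outside the spec")
    rec.update(reviewer_id=rv.reviewer_id, review_timestamp=datetime.now(timezone.utc).isoformat(),
               decision=rv.decision, rationale_code=rv.rationale_code, modified_output=rv.modified_output)
    rec["final_output"] = {"approve": out.recommendation, "modify": rv.modified_output, "reject": None}[rv.decision]
    return rec

def override_rate(records: list) -> Optional[float]:  # share of gated decisions not plainly approved
    gated = [r for r in records if r["gated"]]
    return None if not gated else sum(r["decision"] != "approve" for r in gated) / len(gated)
```

A near-zero value from override_rate over a reporting period is the automation-bias signal the key steps describe.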

Control Details

Control ID: HOC-002

Typical owner: AI Governance Team / Business Line Risk Owner

Implementation effort: Medium effort

Agent-relevant: Yes

Tags

human oversight · approval workflow · high-risk AI · audit trail