Human Oversight Classification Rationale Log
Require documented rationale for each decision to classify an agentic AI action as requiring human-in-the-loop (HITL) or human-on-the-loop (HOTL) oversight, creating an auditable record of the reasoning behind oversight design choices.
Objective
Ensure human oversight requirements for agentic AI systems are not set arbitrarily or eroded informally over time, by requiring documented justification for the oversight classification assigned to each consequential action category and maintaining that rationale alongside the classification.
Maturity Levels
Initial
Human oversight requirements for agent actions are set informally, typically by engineering teams, with no documented rationale. Changes to oversight requirements are made without governance review.
Developing
Human-in-the-loop requirements are documented in system design documents but without explicit rationale. The criteria for classifying an action as HITL vs. HOTL are not defined.
Defined
For each consequential action category in an agent's scope, the oversight classification (HITL, HOTL, or automated) is documented alongside the rationale for that classification. Rationale references the action's reversibility, risk level, regulatory requirements, and risk appetite. The log is reviewed as part of the deployment readiness assessment.
Managed
The oversight classification rationale log is reviewed when the agent's scope changes or when a Severity 3+ incident occurs involving an action in the automated or HOTL category. Changes to oversight classification are logged with the updated rationale and sign-off.
Optimizing
The oversight rationale log feeds into the agentic autonomy expansion criteria process (AGT-017): before removing a human approval gate, the original rationale for requiring it must be reviewed and explicitly addressed. External auditors use the log as evidence of oversight governance.
Evidence Requirements
What an auditor or assessor would expect to see for this control.
- Oversight classification rationale log for each production agent, covering all consequential action categories with HITL/HOTL/automated classification and documented rationale.
- Evidence of governance sign-off for any HOTL or automated classifications.
- Log of classification changes with updated rationale and sign-off for the past 12 months.
Implementation Notes
Relationship to human approval gates
The human approval gate control (AGT-005) specifies that consequential or irreversible agent actions must route to a human reviewer. This control addresses a different question: why was the oversight classification assigned in the first place? Without documented rationale, oversight requirements can erode informally over time as "low-traffic" approval queues are deprioritized, reviewers become rubber-stampers, or engineers remove gates for performance reasons without governance awareness.
HITL vs. HOTL: what the distinction means
Human-in-the-loop (HITL): A human must review and approve the action before it is executed. The agent cannot proceed without human confirmation. Used for irreversible actions, high-value transactions, decisions affecting individual rights, and situations where the cost of error is high.
Human-on-the-loop (HOTL): The agent can execute the action without prior human approval, but a human monitors agent actions and can intervene. Used for actions that are reversible, lower-stakes, or where the value of speed outweighs the risk of a pre-execution pause.
Automated: No human review required. Used only for actions that are low-risk, fully reversible, and where the agent's track record is sufficient to justify automation.
What the rationale should cover
For each action category classified as HOTL or automated (i.e., not HITL), the rationale should address:
- Reversibility: Why is this action considered reversible? What is the reversal procedure and time window?
- Risk level: What is the maximum harm from a single erroneous execution? How was this assessed?
- Regulatory requirements: Does any applicable regulation or guidance require HITL for this action type? If not, document that review.
- Risk appetite alignment: Does this classification align with the organization's documented AI risk appetite?
- Track record prerequisite: For automated classifications, what operating track record was required before automation was approved?
Maintaining the log
The log should be a living document attached to the agent's deployment record. When an oversight classification changes, the old entry should be preserved (not overwritten) alongside the updated entry and the reason for the change.
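The rationale items and the preserve-on-change rule above can be checked mechanically before a deployment readiness review. The following is an added example, not part of the original control text: the `Entry` layout, the rationale key names and the per-action version numbering are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Rationale items the page asks for on every HOTL or automated classification.
NON_HITL_FIELDS = ("reversibility", "risk_level", "regulatory_review", "risk_appetite")
LEVELS = ("HITL", "HOTL", "automated")

@dataclass(frozen=True)
class Entry:                      # hypothetical record layout, one row per version
    action: str
    classification: str
    rationale: dict
    version: int                  # 1 for the first entry, +1 for each change
    signed_off_by: Optional[str] = None
    change_reason: Optional[str] = None

def lint_log(entries):
    """Return findings for a rationale log; an empty list means it passes."""
    findings, history = [], {}
    for e in entries:
        history.setdefault(e.action, []).append(e)
    for action, rows in history.items():
        # Superseded entries must stay in the log: versions run 1..n with no gaps.
        if sorted(r.version for r in rows) != list(range(1, len(rows) + 1)):
            findings.append(f"{action}: version history has gaps or duplicates")
        for r in rows:
            tag = f"{action} v{r.version}"
            if r.classification not in LEVELS:
                findings.append(f"{tag}: unknown classification")
                continue
            if r.version > 1 and not r.change_reason:
                findings.append(f"{tag}: change without a recorded reason")
            if r.classification == "HITL":
                continue
            # Automated classifications also need the track record prerequisite.
            extra = ("track_record",) if r.classification == "automated" else ()
            for name in NON_HITL_FIELDS + extra:
                if not str(r.rationale.get(name, "")).strip():
                    findings.append(f"{tag}: missing {name}")
            if not r.signed_off_by:
                findings.append(f"{tag}: no governance sign-off")
    return findings

# Constructed sample: a HITL gate changed to automated, with v2 missing from the
# log and the new entry only partly justified.
SAMPLE_LOG = [
    Entry("refund_small", "HITL", {}, 1, "governance"),
    Entry("refund_small", "automated",
          {"reversibility": "24h reversal endpoint", "risk_level": "max $100"}, 3),
]
```

Running `lint_log(SAMPLE_LOG)` reports the missing version, the undocumented change, the three absent rationale items and the missing sign-off.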
Example Implementation
Oversight Classification Rationale Log — Customer Refund Processing Agent
Version: 1.2 | Last reviewed: 2026-06-01 | Reviewed by: J. Reyes (technical), C. Müller (governance)
| Action category | Classification | Rationale | Risk appetite alignment | Regulatory review | Sign-off date |
|---|---|---|---|---|---|
| Refund ≤$100 | Automated | Reversible within 24h via reversal endpoint. Maximum per-action financial exposure $100. Agent operating 60 days with zero errors in this category. | Within appetite (financial risk tolerance: auto-approve ≤$250 with clean track record) | No regulation requires HITL for refunds of this size in applicable jurisdictions | 2026-03-01 |
| Refund $101–$500 | HOTL | Reversible within 24h but higher financial exposure. Monitor queue reviewed every 4 hours. Alert if >5 refunds in 1 hour. | Within appetite | No regulatory HITL requirement | 2026-05-15 |
| Refund >$500 | HITL | Financial exposure exceeds auto-approval threshold. Risk of coordinated manipulation at this tier. | Required by risk appetite (financial tolerance: HITL for amounts >$500) | No regulatory requirement but aligns with financial services industry practice | 2026-06-01 |
| Refund reversal (correcting a prior refund error) | HITL | Irreversible double-transaction risk. High potential for confusion and customer impact. | Conservative: HITL for all reversal actions regardless of amount | — | 2026-06-01 |
| Account flag for fraud review | HITL | Affects customer relationship; potential discrimination or false positive risk. Legal review found HITL required for consequential account actions under CRA. | Required by risk appetite (zero tolerance for unreviewed consequential decisions affecting individual rights) | CRA compliance review recommends HITL | 2026-06-01 |
