Skip to content

Human Review and Approval

Which work requires sign-off

Any work classified as high risk under task-classification-and-routing.md requires explicit human sign-off before being treated as final: company policy, security controls, privacy practices, legal claims, financial models used for decisions, food-safety guidance, medical/nutrition claims, destructive migrations, and public product claims. This mirrors the list of things an AI agent may never independently approve in docs/governance/decision-rights.md.

Moderate-risk work does not require sign-off before proceeding but should be reviewable — see planning-and-work-logs.md.

How review is requested and recorded

  • With a remote/PR workflow (once one exists — see docs/governance/open-questions.md, OQ-005): open a pull request and request review from the human with decision rights over the content (see docs/governance/decision-rights.md). The PR review itself is the record of approval.
  • Without a remote/PR workflow (the current state of this repository): record the approval explicitly in the relevant work log (see planning-and-work-logs.md) — who approved, what was approved, and when — or as an explicit note in the chat/session transcript that authorized the change, plus a corresponding update to the document's status and last_reviewed fields.

AI cannot self-approve

An AI agent must never set status: approved on a document it authored or substantially edited, and must never treat its own output as final for high-risk categories without a recorded human approval as described above. This is not a matter of confidence in the output's quality — it is a structural rule: approval authority belongs to the human roles defined in docs/governance/decision-rights.md, full stop.


Report an issue about this page