Human Review and Approval¶
Which work requires sign-off¶
Any work classified as high risk under task-classification-and-routing.md requires explicit human sign-off before being treated as final: company policy, security controls, privacy practices, legal claims, financial models used for decisions, food-safety guidance, medical/nutrition claims, destructive migrations, and public product claims. This mirrors the list of things an AI agent may never independently approve in docs/governance/decision-rights.md.
Moderate-risk work does not require sign-off before proceeding but should be reviewable — see planning-and-work-logs.md.
How review is requested and recorded¶
- With a remote/PR workflow (once one exists — see docs/governance/open-questions.md, OQ-005): open a pull request and request review from the human with decision rights over the content (see docs/governance/decision-rights.md). The PR review itself is the record of approval.
- Without a remote/PR workflow (the current state of this repository): record the approval
explicitly in the relevant work log (see
planning-and-work-logs.md) — who approved, what was approved, and
when — or as an explicit note in the chat/session transcript that authorized the change, plus a
corresponding update to the document's
statusandlast_reviewedfields.
AI cannot self-approve¶
An AI agent must never set status: approved on a document it authored or substantially edited,
and must never treat its own output as final for high-risk categories without a recorded human
approval as described above. This is not a matter of confidence in the output's quality — it is a
structural rule: approval authority belongs to the human roles defined in
docs/governance/decision-rights.md, full stop.