Human Review Gate Definitions
Purpose
Defines mandatory human review checkpoints in the AI development lifecycle with criteria and escalation procedures.
1. Purpose
Explain why human review gates exist and when they are triggered.
Human review gates are mandatory checkpoints in the AI system lifecycle where human judgment is required before proceeding to the next phase. These gates ensure that AI outputs, decisions, and deployments receive appropriate human oversight proportional to their risk.
Document Owner: [ROLE TITLE], [DEPARTMENT]
Effective Date: [DATE]
Applies To: All AI systems at [ORGANIZATION NAME] — development, testing, deployment, and production operation
2. Gate Definitions
Define each review gate with its trigger, reviewer, and pass criteria.
| Gate | Phase | Trigger | Reviewer | Pass Criteria | Max Wait |
|---|---|---|---|---|---|
| G1: Design Review | Design | Before development begins | AI Program Lead + Security | Architecture approved, risks identified, data classification confirmed | 5 days |
| G2: Code Review | Build | PR/MR submitted | Peer Engineer + Security Champion | Code review checklist complete, all critical items pass | 2 days |
| G3: Security Review | Test | Before staging deployment | Security Team | Threat model reviewed, security tests pass, no open critical- or high-severity vulnerabilities | 5 days |
| G4: Pre-Production | Deploy | Before production deployment | System Owner + Operations | Deployment readiness checklist complete, rollback plan tested | 3 days |
| G5: Output Review | Operate | AI generates customer-facing output | Content Reviewer / Domain Expert | Output is accurate, appropriate, and aligned with brand guidelines | Real-time |
| G6: Decision Review | Operate | AI recommends action with material impact | Authorized Decision-Maker | Recommendation reviewed, alternatives considered, decision documented | Per SLA |
3. Gate Bypass Procedure
Define when and how gates can be bypassed in emergencies.
When Bypass Is Permitted
Gate bypass is only permitted when all of the following conditions are met:
- A production incident is in progress (Severity 1 or 2)
- The fix is time-critical (delay causes ongoing harm)
- The bypass is approved by the AI Program Lead or CISO
- A compensating review is scheduled within 24 hours
Bypass Documentation
Every bypass must be documented with:
- Gate bypassed: [Gate ID]
- Reason: [Description of emergency]
- Approved by: [Name, Title]
- Compensating review deadline: [Date/time]
- Actual compensating review completed: [Date/time]
Bypass Limits
- No more than 2 gate bypasses per system per quarter
- Bypass of G1 (Design Review) is never permitted
- All bypasses are reported to the AI Governance Committee in the next meeting
4. Escalation & Disputes
Define what happens when a gate reviewer rejects progression.
Rejection Process
When a gate reviewer rejects progression:
- Reviewer documents specific reasons for rejection with actionable remediation steps
- Development team addresses all rejection items
- Team resubmits for review with evidence of remediation
- If the team disagrees with the rejection, it escalates to the AI Program Lead within 2 business days
Escalation Path
- First level: AI Program Lead mediates between reviewer and team
- Second level: AI Governance Committee reviews and makes binding decision
- Documentation: All escalations and decisions are logged in the project record
Review SLA Violations
If a gate reviewer does not complete their review within the Max Wait time, the AI Program Lead may assign an alternate reviewer. Chronic SLA violations are reported to the reviewer's management.