Governance
The rubber stamp isn’t oversight.
Put a human in front of the AI, let them click approve, and the decision is no longer automated — that is the theory many institutions quietly operate on. European regulators have rejected it explicitly. Oversight that cannot be evidenced is oversight that never happened.
The rubber stamp, rejected.Under GDPR Article 22, a decision remains “solely automated” — with every consequence that carries — if the human involvement isn’t meaningful. Guidance is blunt: a reviewer who routinely applies the machine’s output without real influence over the outcome does not count. The human must have the authority and competence to change the decision, and must actually weigh it.
The AI Act raises the same bar.Article 14 of the EU AI Act requires human oversight to be effective: the overseers need the competence, the information, and the authority to intervene, up to stopping the system. A review nobody could act on fails the article by design.
What oversight must leave behind.If effectiveness is the standard, oversight becomes an evidence problem: who reviewed, with what information in front of them, what they decided, and why. A click leaves a timestamp. Effective oversight leaves a record — the reviewer’s identity, their rationale, their signature, bound to the decision itself. That record is the difference between oversight you claim and oversight you can prove.
The operational answer:route the decisions that matter to a human in the loop, capture the rationale at the moment of sign-off, sign it, and seal it into the same immutable trail as the decision. Oversight becomes what regulators mean by it: a control that exists because it can be shown. That is what we build into the path.
― basis: GDPR Art. 22 (EDPB guidance on meaningful human involvement) · EU AI Act Art. 14 · ISO/IEC 42001 (oversight controls)
Get Audit-Ready