Governance functions
The NIST AI Risk Management Framework organises AI risk work around Govern, Map, Measure, and Manage. Human review belongs in all four: responsibility, workflow context, quality checks, and corrective action.
Most organisations say they keep a human in the loop. Fewer can explain what that human is supposed to do, what evidence they review, how much authority they have, and when they must stop the process.
That gap matters. Human review is often the difference between a useful AI workflow and an accountability theatre. A person who rubber-stamps output is not oversight. A person who lacks context, time, training, or authority is not meaningful oversight either.
Start with the decision, not the model
The right review pattern depends on the decision being supported. A spelling suggestion does not require the same oversight as a hiring shortlist, credit assessment, legal memo, clinical triage note, insurance recommendation, or customer complaint response.
Ask four questions:
- What decision or work product does the AI influence?
- Who could be affected if the output is wrong?
- What evidence does the reviewer need?
- Can the reviewer change, reject, or escalate the output?
If the answer to the fourth question is no, the organisation has review theatre, not review.
Three levels of human review
Level 1: Output review
The user checks the AI output before using it. This is appropriate for low-risk productivity support, drafting, brainstorming, and internal summaries.
The reviewer should check factual accuracy, tone, missing context, and whether the output is suitable for the audience.
Level 2: Evidence review
The reviewer compares the output against source material: contracts, policies, transcripts, datasets, emails, research files, or system logs.
This is necessary when the AI summarizes, classifies, extracts, ranks, or recommends based on source documents.
Level 3: Decision review
The reviewer evaluates the whole decision path: input, model output, context, business rule, affected person, and final action.
This is required when an AI-assisted workflow affects rights, access, obligations, money, health, safety, employment, or reputation.
Design review into the workflow
Human review should not be an afterthought. It needs a place in the workflow:
- trigger: when review is required;
- reviewer: who reviews;
- standard: what they check;
- evidence: what they see;
- authority: what they can change;
- record: what gets documented;
- escalation: when the matter moves to a higher level.
The OECD AI Principles emphasise human-centred values, transparency, robustness, and accountability. Those ideas only become operational when review responsibilities are built into the actual workflow.
What to do next
Pick one AI-assisted workflow and draw it from input to final action. Mark where the AI contributes and where a human can intervene. Then define the review standard in one paragraph. This is often enough to reveal whether oversight is real or ceremonial.