How Decisions Are Made

Buyer-facing logic for risk classification, governance routing, evidence requirements, reviewer assignment, overrides, and residual-risk treatment.

Defensibility Layer

Risk classification inputs

Each AI use case is classified through observable risk triggers, not vague subjective scoring.

| Input | Example trigger | Effect |
|---|---|---|
| Impact domain | Employment, credit, healthcare, safety | High-risk signal |
| Personal data | Candidate profile and assessment data | DPIA required |
| Autonomy | Automated recommendation or action | Oversight required |
| Audience | Customer, employee, candidate, public | Transparency required |
| Reversibility | Decision hard to reverse | Escalate route |

Evidence requirement rules

| Trigger | Evidence Required | Reviewer |
|---|---|---|
| Personal data | DPIA, data lineage, retention policy | DPO |
| Employment impact | Fairness test, appeal process, human oversight plan | HR Risk + Legal |
| External user impact | Transparency notice, complaint path, monitoring plan | Legal + Compliance |
| Agent tool access | Permission matrix, action log, kill-switch test | Security |