Automated decision pipelines often contain human review steps, but the presence of a reviewer does not prove meaningful oversight. A reviewer may see only a score, approve under throughput pressure, and leave behind no evidence of what was considered.
The Decision Control System is a minimal control layer for decisions that require human oversight. It does three things:
- Holds eligible decisions before outcome release
- Structures what the reviewer must see and access
- Records the review as decision evidence, not as a timestamp
Oversight is not a control unless it is enforced, structured, and recorded.
Conceptual Structure
The DCS has three primitives:
| Primitive | Purpose |
|---|---|
| Decision Gate | Determines whether oversight is required and holds the decision in pending state |
| Human Review Session | Defines and records the information surface presented to the reviewer |
| Decision Provenance Record | Seals the review pathway, context reference, reviewer action, and integrity evidence |
Relationship to the Decision Record
The Decision Record is the system of record for the decision itself. The DCS extends it by adding linked oversight records where human review is required.
Fields needed to classify, query, and retrieve the decision belong in the Decision Record. Fields needed to prove the oversight process belong in DCS-linked records.
The Decision Record intervention block stores oversight status and references:
```json
"intervention": {
  "is_human_reviewed": true,
  "oversight_required": true,
  "oversight_pathway": "decision_control_system_v0",
  "gate_id": "uuid",
  "review_session_id": "uuid",
  "provenance_record_id": "uuid",
  "reviewer_id": "string",
  "review_timestamp": "ISO8601",
  "action": "confirmed | overridden | escalated",
  "all_required_accessed": true,
  "minimum_time_met": true
}
```
The full gate, session, context, and provenance evidence remains outside the core Decision Record and is retrieved through these references.
Minimal Schema (v0)
1. Decision Gate
The Decision Gate evaluates a candidate decision before outcome release. If trigger criteria match, the decision enters pending state and cannot be released until the required review path is complete.
```json
{
  "gate_id": "uuid",
  "decision_id": "uuid",
  "gate_state": "passed | pending | under_review | escalated | bypassed | released",
  "gate_triggered": true,
  "trigger_reasons": [
    "model_score_band",
    "subject_value_threshold",
    "model_uncertainty",
    "vulnerability_flag",
    "rule_conflict",
    "model_staleness"
  ],
  "review_required": true,
  "auto_escalation_required": false,
  "evaluated_at": "ISO8601",
  "bypass": {
    "bypassed": false,
    "bypass_record_id": "optional",
    "reason_code": "optional"
  }
}
```
- A triggered gate holds the decision before outcome release.
- A bypass must generate an exception record.
- A release without a required review record emits a control failure event.
2. Human Review Session
The Human Review Session defines the Decision Review Context: the information surfaces the reviewer must access before an action becomes available.
```json
{
  "review_session_id": "uuid",
  "decision_id": "uuid",
  "gate_id": "uuid",
  "reviewer_id": "string",
  "reviewer_role": "string",
  "session_opened_at": "ISO8601",
  "context_snapshot_id": "uuid",
  "surfaces": [
    {
      "surface_type": "subject_context | subject_history | model_output | model_reasoning | model_reliability | alternative_outcomes",
      "required": true,
      "accessed": false,
      "first_accessed_at": "optional",
      "duration_seconds": 0
    }
  ],
  "all_required_accessed": false,
  "minimum_time_met": false,
  "action_unlocked_at": "optional",
  "escalation_triggered": false,
  "escalation_reason": "optional"
}
```
- A surface counts as accessed only when the reviewer actively opens it.
- Required surfaces that are absent or unavailable block action unlock.
- The gate rejects an action where `all_required_accessed` or `minimum_time_met` is false.
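The three session rules above, sketched as a server-side check. This is an added example, not code from the DCS itself; `REQUIRED_SURFACES`, `MIN_REVIEW_SECONDS`, the function names and the sample session are assumptions made for illustration.

```python
# Assumed policy values: the v0 schema names the flags, not the thresholds.
REQUIRED_SURFACES = {"subject_context", "model_output", "model_reliability"}
MIN_REVIEW_SECONDS = 60
ACTIONS = {"confirmed", "overridden", "escalated"}


class ActionLocked(Exception):
    """A reviewer action arrived before the unlock conditions were met."""


def evaluate_session(session):
    """Recompute both flags server side; return the reasons action is blocked."""
    present = {s["surface_type"]: s for s in session["surfaces"]}
    # Policy, not the session, says what is required, so a surface that was
    # never delivered is detected instead of dropping out of the check.
    required = REQUIRED_SURFACES | {t for t, s in present.items() if s["required"]}
    blocking = []
    for name in sorted(required):
        if name not in present:
            blocking.append(f"{name}: unavailable")
        elif not present[name]["accessed"]:
            blocking.append(f"{name}: not accessed")
    viewed = sum(s["duration_seconds"] for s in session["surfaces"] if s["accessed"])
    session["all_required_accessed"] = not blocking
    session["minimum_time_met"] = viewed >= MIN_REVIEW_SECONDS
    if not session["minimum_time_met"]:
        blocking.append(f"review time {viewed}s below {MIN_REVIEW_SECONDS}s")
    return blocking


def submit_action(session, decision):
    """Gate-side check: reject the action unless both conditions hold."""
    if decision not in ACTIONS:
        raise ValueError(f"unknown action: {decision}")
    blocking = evaluate_session(session)
    if blocking:
        raise ActionLocked("; ".join(blocking))
    return {"review_session_id": session["review_session_id"], "decision": decision}


def sample_session():
    """Constructed session: model_reliability was never delivered."""
    def surface(kind, accessed, seconds):
        return {"surface_type": kind, "required": True,
                "accessed": accessed, "duration_seconds": seconds}
    return {"review_session_id": "rs-0001-constructed",
            "surfaces": [surface("subject_context", True, 45),
                         surface("model_output", False, 0)]}
```

Recomputing the flags from the surface records at submission time means a client that sets `all_required_accessed` itself gains nothing.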
3. Decision Provenance Record
The Decision Provenance Record is the sealed evidence object for a reviewed decision. It links the gate, review session, context snapshot, reviewer action, and integrity evidence.
```json
{
  "provenance_id": "uuid",
  "decision_id": "uuid",
  "gate_id": "uuid",
  "review_session_id": "uuid",
  "context_snapshot_id": "uuid",
  "review": {
    "reviewer_id": "string",
    "reviewer_role": "string",
    "session_started_at": "ISO8601",
    "session_duration_seconds": 0,
    "surfaces_accessed": ["string"],
    "surfaces_not_accessed": ["string"],
    "all_required_accessed": false,
    "minimum_time_met": false
  },
  "action": {
    "taken_at": "ISO8601",
    "decision": "confirmed | overridden | escalated",
    "notes": "optional",
    "uncertainty_flagged": false
  },
  "immutability": {
    "record_hash": "sha256:...",
    "hash_algorithm": "SHA-256",
    "sealed_at": "ISO8601"
  },
  "retention": {
    "retain_until": "date",
    "policy": "string",
    "jurisdiction": "string"
  }
}
```
- The provenance record is sealed when the reviewer submits an action.
- The sealed record cannot be modified without producing a hash mismatch.
- A released decision without a sealed provenance record emits an absence event.
`all_required_accessed: false` is valid evidence of inadequate review, not a malformed record.
Event Model
The DCS emits events at control boundaries so that missing review evidence is detectable.
| Event | Meaning |
|---|---|
| `gate.triggered` | Oversight criteria matched |
| `gate.bypassed` | Gate bypass invoked with exception path |
| `gate.control_failure` | Gate released without required review or exception evidence |
| `session.opened` | Reviewer opened the review session |
| `session.surface_accessed` | Reviewer accessed a required or optional surface |
| `session.action_unlocked` | Required access and minimum time conditions were met |
| `session.action_taken` | Reviewer confirmed, overrode, or escalated |
| `provenance.sealed` | Review evidence was sealed |
| `provenance.absent` | Decision released without sealed provenance |
| `provenance.hash_mismatch` | Retrieved record failed integrity verification |
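How the release-time events could be derived from the linked records, as an added example rather than the DCS's own code. The function names, the trimmed record shapes and every identifier in the sample data are constructed; applying the provenance check only on the review path is an assumption.

```python
def release_events(gate, session=None, provenance=None, bypass_record=None):
    """Events a release must emit for one decision; an empty list is clean."""
    bypass = gate["bypass"]
    if bypass["bypassed"]:
        # A bypass counts only when the exception record it names exists.
        ref = bypass.get("bypass_record_id")
        linked = (bool(ref) and bypass_record is not None
                  and bypass_record.get("bypass_record_id") == ref)
        return ["gate.bypassed"] if linked else ["gate.control_failure"]
    if not gate["review_required"]:
        return []
    events = []
    # Evidence must link to this gate; a session for another gate does not count.
    if session is None or session.get("gate_id") != gate["gate_id"]:
        events.append("gate.control_failure")
    # Assumption: sealed provenance is only expected on the review path.
    sealed = (provenance is not None
              and provenance.get("gate_id") == gate["gate_id"]
              and bool(provenance.get("immutability", {}).get("record_hash")))
    if not sealed:
        events.append("provenance.absent")
    return events


def make_gate(gate_id, bypassed=False, bypass_ref=None):
    """Constructed gate record, trimmed to the fields the check reads."""
    return {"gate_id": gate_id, "review_required": True,
            "bypass": {"bypassed": bypassed, "bypass_record_id": bypass_ref}}


def scan(releases):
    """Map decision_id to emitted events, skipping clean releases."""
    found = {d: release_events(**ev) for d, ev in releases.items()}
    return {d: events for d, events in found.items() if events}


def sample_releases():
    """Constructed releases covering each outcome of the check."""
    seal = {"record_hash": "sha256:constructed"}
    return {
        "d-1": {"gate": make_gate("g-1"), "session": {"gate_id": "g-1"},
                "provenance": {"gate_id": "g-1", "immutability": seal}},
        "d-2": {"gate": make_gate("g-2"), "session": {"gate_id": "g-9"}},
        "d-3": {"gate": make_gate("g-3", True, "bx-1")},
        "d-4": {"gate": make_gate("g-4", True, "bx-2"),
                "bypass_record": {"bypass_record_id": "bx-2"}},
        "d-5": {"gate": make_gate("g-5"), "session": {"gate_id": "g-5"},
                "provenance": {"gate_id": "g-5", "immutability": {}}},
    }
```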
Audit Projection
The DCS does not make the audit trail a separate source of truth. An audit trail is a formatted projection of the Decision Provenance Record and its linked context snapshot.
```json
{
  "decision_id": "uuid",
  "outcome": "approved | denied | escalated",
  "reviewer_id": "string",
  "review_context_snapshot_id": "uuid",
  "total_review_time_seconds": 0,
  "surfaces_accessed": ["string"],
  "surfaces_not_accessed": ["string"],
  "all_required_accessed": false,
  "minimum_time_met": false,
  "evidence_completeness": "complete | incomplete | absent",
  "provenance_record_id": "uuid",
  "sealed_at": "ISO8601"
}
```
`evidence_completeness` is derived from the linked records:
- `complete`: sealed provenance exists, required surfaces were accessed, and hash verification passes
- `incomplete`: sealed provenance exists, but required access or timing conditions were not met
- `absent`: no sealed provenance record resolves to the decision
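Sealing, verification and the `evidence_completeness` derivation in one added example, covering both the provenance sealing rules and the list above; it is not the DCS's own code. The canonical JSON form, the function names, the sample record and the classification of a failed hash check as `incomplete` are assumptions.

```python
import hashlib
import json


def digest(record):
    """SHA-256 over the record with its own record_hash field left out."""
    body = dict(record)
    body["immutability"] = {k: v for k, v in record.get("immutability", {}).items()
                            if k != "record_hash"}
    # Assumed canonical form: sorted keys, compact separators, UTF-8 bytes.
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return "sha256:" + hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def seal(record, sealed_at):
    """Return a sealed copy, as done when the reviewer submits an action."""
    sealed = dict(record)
    sealed["immutability"] = {"hash_algorithm": "SHA-256", "sealed_at": sealed_at}
    sealed["immutability"]["record_hash"] = digest(sealed)
    return sealed


def verify(record):
    """True only if the stored hash matches the record's current content."""
    return record.get("immutability", {}).get("record_hash") == digest(record)


def evidence_completeness(decision_id, store):
    """Return (status, events) for one decision from its provenance records."""
    sealed = [r for r in store if r["decision_id"] == decision_id
              and r.get("immutability", {}).get("record_hash")]
    if not sealed:
        return "absent", []
    record = sealed[-1]
    if not verify(record):
        # Assumption: the page does not classify a failed hash check;
        # it is reported here as incomplete plus the integrity event.
        return "incomplete", ["provenance.hash_mismatch"]
    review = record["review"]
    met = review["all_required_accessed"] and review["minimum_time_met"]
    return ("complete" if met else "incomplete"), []


def sample_record(accessed=True):
    """Constructed provenance record, trimmed to the fields used here."""
    return {"provenance_id": "pr-0001", "decision_id": "d-0001",
            "review": {"all_required_accessed": accessed, "minimum_time_met": True},
            "action": {"decision": "confirmed", "taken_at": "2024-01-01T10:05:00Z"}}
```

A bare hash is tamper-evident only while the hash, or a copy of it, is held somewhere the party able to edit the record cannot write.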
What This Enables
1. Meaningful Oversight
The human reviewer is placed before outcome release and given a defined review context.
2. Review Evidence
The organisation can show what the reviewer saw, what they accessed, how long they spent, and what action they took.
3. Queryable Accountability
Oversight quality can be queried across the decision population through fields such as oversight_required, all_required_accessed, minimum_time_met, and provenance_record_id.
4. Dispute Readiness
A challenge does not require reconstructing the review from service logs. The audit trail is projected from sealed decision evidence.
5. Control Failure Detection
A missing provenance record, failed hash check, or bypass without exception evidence is visible as a control failure.