Human Oversight of AI Decisions: When Review Is Required and How to Design It

People say they don't trust AI; their behavior says they do

Ayanna Howard's research, surfaced in the 2026 Deloitte Tech Trends report, identifies the measurement principle every CEO building an oversight protocol should know. "When surveyed, participants said they didn't trust the systems because they had seen them make errors. But when we analyzed their actual behaviors, we saw something different. Their actions showed they did trust the robot." Stated trust and behavioral trust diverge, and they diverge in the direction that hurts.

Two recent studies make the same point in AI-assisted work. METR (Becker et al., July 2025, arXiv 2507.09089) measured 16 experienced open-source developers using Cursor Pro with Claude 3.5 and 3.7 Sonnet on 246 real issues from large repositories. The developers averaged 19% LONGER to completion with AI than without. Their self-estimates after the study: 20% faster. Their pre-study forecast: 24% faster. Aalto University (Welsch et al., "AI makes you smarter but none the wiser," published online October 27, 2025; print Computers in Human Behavior, Vol. 175, article 108779) ran two studies (Study 1 N=246 LSAT-style logical reasoning items; Study 2 N=452 replication) and found AI users overestimated their performance by 4 points while their actual performance rose by 3 points. The Dunning-Kruger curve flattened and partially reversed. Higher self-rated AI literacy correlated with LOWER metacognitive accuracy.

Stanford HAI's 2026 AI Index shows the institutional consequence: AI incidents rose 55% year-over-year in 2025 (233 to 362 documented). Separate McKinsey survey data cited in related AI Index coverage shows self-rated "excellent" AI incident-response capability falling from 28% to 18% over the same period. The self-report gauge that sets most oversight bars is the gauge least correlated with what is happening in production.

The structural read: an oversight system built on self-report ("ask the team if they are checking the AI") is designing for the wrong number. The team will report careful review whether or not careful review is happening. The instrument that catches what is actually happening is behavioral: override rate by reviewer, time-to-decision distribution, override-to-correct-call rate. IBM's 2025 Cost of a Data Breach Report found the average enterprise breach took 241 days end-to-end: 158 days to identify and 83 days to contain. By contrast, EU AI Act Article 73 sets serious-incident reporting windows for high-risk AI systems that can run as short as two days for the most severe or widespread events and generally no later than fifteen days. These are not identical regimes (cybersecurity breach lifecycle versus AI Act incident reporting), but they point to the same operational problem: oversight has to detect trouble much faster than traditional governance cycles usually do.

Three oversight modes: what they mean and when each fits

Three design patterns cover the operational space. Each one is appropriate in a defined zone; mismatched modes produce either theater (oversight without protection) or bottleneck (review at the cost of throughput).

Human-in-the-loop (HITL). The AI system pauses at a defined checkpoint and waits for human approval before taking an action. The human is the active decision authority; the AI is a recommendation engine. Use HITL for high-stakes, irreversible, or consequential decisions. EU AI Act Article 14 and Colorado AI Act SB 24-205 both push the highest-risk AI deployments toward this mode.

Human-on-the-loop (HOTL). The AI acts autonomously and the human monitors outputs in real time, with authority to intervene before, during, or shortly after the action. Use HOTL for medium-stakes decisions where speed is load-bearing and reversal is possible within a usable window. Customer service AI drafts that auto-route, AI-flagged anomalies in financial data routed to an analyst, content-moderation pre-screening with override authority.

Human-out-of-the-loop (HOOTL). The AI acts autonomously and the human reviews aggregate outcomes after the fact, often through a sample audit or a dashboard. Use HOOTL for low-stakes, high-volume, easily reversible decisions where individual review would destroy the productivity case for the system. Inbox triage, meeting transcript summaries, internal draft content pending human edit.

The structural mistake is one mode for everything. HITL universally collapses the productivity case; HOOTL universally leaves consequential decisions unsupervised. The discipline is the matrix.

The decision authority matrix every CEO needs

Map every AI deployment in the company to one cell of this 3x3 grid. Row: low / medium / high stakes. Column: reversible / costly to reverse / irreversible. Each cell maps to a default oversight mode.

The bottom row crosses the kind of consequential-decision threshold Colorado has been trying to regulate. Colorado's original SB 24-205 required deployers to give consumers an opportunity to appeal adverse consequential decisions through human review when technically feasible. Enforcement was paused on April 27, 2026 (xAI v. Weiser, with DOJ intervening), and SB 26-189 has since advanced as a repeal-and-replace bill focused on automated decision-making technology. SB 26-189 passed the Senate May 7, 2026 and the House May 9, 2026 and is pending Governor Polis' signature. The replacement bill moves the operative date to January 1, 2027 and gives consumers a right to request meaningful human review and reconsideration after an adverse covered decision. EU AI Act Article 14 is the key human-oversight provision for high-risk AI systems, but the high-risk compliance timeline is in transition (EU countries and lawmakers reached a provisional agreement in May 2026 to delay enforcement of high-risk system rules; companies serving EU markets should still design toward Article 14 while tracking the revised implementation dates). The practical takeaway for Indiana operators: the June 30, 2026 clock is no longer the urgent date, but the appeal-and-review architecture is still the right design for consequential decisions. AI Law Tracker maintains the canonical real-time view of governance regulation across federal and state jurisdictions; the matrix above is how an operator translates that legal surface into an operational protocol.

Indiana operators: how this applies in-state

Healthcare. Indiana University and Eli Lilly signed a five-year $40M agreement in December 2025 to build AI-enabled clinical trial infrastructure across the IU Health and Lilly research network. IU Health, Community Health Network, Eskenazi, Parkview, and Eli Lilly all operate inside FDA Software-as-a-Medical-Device guidance, IRB review, and HIPAA, which impose human-review requirements that exceed anything in the consumer AI Act conversation. Indiana CEOs in adjacent industries often look at healthcare's documented override and audit protocols as the closest mature reference for their own oversight design.

Hiring. Large Indiana employers in manufacturing, life sciences, technology, and logistics are likely candidates for AI-assisted hiring workflows because of their hiring volume, applicant volume, and enterprise HR software stacks. Unless they publish their tooling and override practices, outside observers should treat the risk as a governance question, not a confirmed tooling claim. The Harvard Business School / Accenture report "Hidden Workers: Untapped Talent" (Fuller, Raman, Sage-Gavin, Hines, September 2021) surveyed 8,000 hidden workers and over 2,250 executives across the US, UK, and Germany; 88% of executives surveyed agreed that qualified high-skills candidates are screened out of their hiring funnel because they do not match the exact criteria established by the job description. Stanford research published October 2025 (Guilbeault et al., 34,500 LLM-generated resumes across 54 occupations) found AI resume screeners gave older male candidates higher ratings than identical-experience female and younger candidates. Indiana mid-market employers using AI screeners need an oversight protocol now: SB 26-189 in Colorado is reshaping the consumer-appeal regime, EU AI Act high-risk obligations are in transition with enforcement timing being revised, and many Indiana employers serve Colorado and EU markets directly.

Legal and state government. Indiana State Bar has published commentary on generative AI but has not issued formal ethics guidance; Indiana lawyers default to ABA Formal Opinion 512 (2024) and Indiana Rule 5.1 (supervisory responsibility extends to associates' AI-assisted work). Governor Braun launched the IN AI initiative April 28, 2026, executed through the CEOs of Indiana Corporate Partnership (CICP). The Management Performance Hub maintains a separate AI governance track for state agencies, including the AI Readiness Questionnaire and a three-tier risk classification (High / Moderate / Low). The full Indiana AI Legislation 2026 Guide has the complete jurisdictional read.

People who use AI report feeling more accurate, faster, and more confident, while the data shows the opposite. Oversight protocols built on self-report are designing for the wrong number.

Seven ways oversight fails

One. Theater oversight. A reviewer's name is on the audit log; no actual review happened. Most common where oversight is a checkbox with no required content. The Aalto and METR findings predict this: even reviewers who believe they are reviewing carefully are systematically overconfident in their attention.

Two. Bottleneck oversight. Every AI output gets HITL review, including the inbox-triage and meeting-summary outputs that should be HOOTL. The AI productivity case collapses, the team works around the protocol, and shadow AI use rises.

Three. Fatigue-driven rubber-stamping. A reviewer faces 200 AI outputs per day. By output 20, the reviewer is approving without reading. Same mechanism as alert fatigue in clinical decision support: override rates climb and override quality collapses as alert volume rises.

Four. Wrong reviewer. A junior employee reviews high-stakes consequential decisions because the senior person was "too busy." The 2024 automation-bias literature in clinical decision support (Kostick-Quenet et al., the empirical study at PubMed 39234734, n=210) found that better diagnostic performance, formal training, and physician status all reduced false agreement with incorrect AI recommendations, while higher perceived system benefit increased susceptibility. Translation for non-clinical settings: the more a reviewer trusts the AI in the abstract, the more they conform to it in the specific case, and the less expertise the reviewer has, the less they catch the error. A junior reviewer hesitant to override AI on a high-stakes call compounds the problem.

Five. No documentation of override rationale. When a reviewer overrides the AI, no record is kept of why. Six months later, no one can audit whether the override was sound, and the AI cannot be retrained on the override pattern. Colorado's AI framework and the EU AI Act both push organizations toward documented human review in covered high-risk or consequential-decision settings.

Six. Override drift. A reviewer overrides the AI repeatedly in early weeks; over time the AI's recommendations and the reviewer's overrides converge; the reviewer stops overriding because the AI is "usually right." The drift is the reviewer learning the AI's pattern and conforming to it, not the AI getting smarter. The Howard, METR, and Aalto findings predict this at scale.

Seven. Confusing legal review with operational oversight. Legal reviews the vendor contract, the data processing agreement, and the privacy notice. None of those substitute for the operational reviewer who looks at individual AI outputs. Vendor management governs the contract surface; oversight governs the production surface. Different controls.

Where this fits in the 7-domain governance framework

Human oversight is Domain 4 in the seven-domain AI governance architecture. The pillar piece introduces all seven; the AI Governance Maturity Model walks the five-level progression from Ungoverned to Strategic. Maturity Level 2 requires a documented decision authority matrix; Level 3 requires behavioral instrumentation (override rate, time-to-decision distribution); Level 4 requires cross-functional architecture (oversight tied to ERP, CRM, and audit logs). Adjacent domains compose: data classification (Domain 3) sets the stakes column of the matrix above; incident response (Domain 7) is the structural backstop when oversight fails.

How the 7 Levels of AI Proficiency integrates

Oversight is a Level 4, Level 5, and Level 6 capacity in The 7 Levels of AI Proficiency. The L4-L6 progression is the structural answer to "we need oversight but we cannot afford to slow everything down."

Level 4 (Commander). Context engineering for oversight. The Commander can specify, in plain English to the AI tool and to the team, what an AI output needs to contain for a human to review it efficiently. Requiring the AI to surface its sources, flag low-confidence outputs, and enumerate alternatives it considered. Commanders design the workflow that makes oversight tractable.

Level 5 (Captain). Designing the oversight system. The Captain maps a department's decision types to HOOTL, HOTL, and HITL modes, writes the escalation path, and defines what gets documented. The level that produces a real decision-authority matrix for a real team, not a generic template.

Level 6 (Admiral). Cross-functional oversight architecture. The Admiral designs oversight at the company-wide level: how Sales' AI tooling interacts with Customer Success's and Legal's review queue, how the audit trail integrates with the CRM and the ERP, how the company demonstrates Article 14 compliance to a regulator or investor. Oversight becomes an architectural property of the business.

An organization at Maturity Level 2 needs at least one Captain building governance; Level 4 needs an Admiral. The org-level maturity model and the individual proficiency framework compose; they do not substitute. Related context: the 32-point disagreement between CIOs and COOs on AI readiness surfaces in oversight design too, where Captain-tier work requires shared vocabulary across executive functions.

Frequently asked questions

Sources

• Becker, J., Rush, N., Barnes, E., Rein, D. (2025). Measuring the Impact of Early-2025 AI on Experienced Open-Source Developer Productivity. METR. arXiv 2507.09089. metr.org/blog/2025-07-10-early-2025-ai-experienced-os-dev-study.
• Welsch, R. et al. (2025). AI makes you smarter but none the wiser: The disconnect between performance and metacognition. Computers in Human Behavior, Vol. 175, article 108779. Published online October 27, 2025; print issue February 2026. Study 1 N=246, Study 2 N=452. aalto.fi/en/news/ai-use-makes-us-overestimate-our-cognitive-performance.
• Deloitte (2026). Tech Trends 2026. Includes Ayanna Howard interview on stated-vs-behavioral trust measurement.
• European Union (2024). Regulation (EU) 2024/1689, Article 14: Human Oversight. artificialintelligenceact.eu/article/14.
• Colorado General Assembly (2024). SB 24-205: Consumer Protections for Artificial Intelligence. Statutory effective date June 30, 2026, but enforcement enjoined April 27, 2026 by federal magistrate (xAI v. Weiser, with DOJ intervening). leg.colorado.gov/bills/sb24-205.
• Colorado General Assembly (2026). SB 26-189: Automated Decision-Making Technology. Repeal-and-replace bill; passed Senate May 7, 2026 and House May 9, 2026; pending Governor Polis' signature. Replaces "high-risk AI system" framework with narrower ADMT regime; January 1, 2027 effective date. leg.colorado.gov/bills/sb26-189.
• IBM Security (2025). 2025 Cost of a Data Breach Report. Average breach lifecycle 241 days (158 to identify + 83 to contain), a 9-year low; organizations with AI-powered detection cut the lifecycle by 80 days. ibm.com/reports/data-breach.
• Stanford HAI (2026). 2026 AI Index Report, Responsible AI section. AI incidents rose to 362 in 2025 (up 55% from 233 in 2024). hai.stanford.edu/ai-index/2026-ai-index-report.
• Kostick-Quenet, K. et al. (2024). Automation Bias in AI-Decision Support: Results from an Empirical Study. PubMed 39234734. n=210; identifies diagnostic performance, training, status as moderators of automation bias. pubmed.ncbi.nlm.nih.gov/39234734.
• Fuller, J., Raman, M., Sage-Gavin, E., Hines, K. (2021). Hidden Workers: Untapped Talent. Harvard Business School Project on Managing the Future of Work + Accenture. September 3, 2021. 88% of executives surveyed agree their hiring funnel screens out qualified high-skills candidates because of resume-language mismatch with job-description criteria. hbs.edu/managing-the-future-of-work/research/Pages/hidden-workers-untapped-talent.
• Guilbeault, D. et al. (2025). Stanford research on AI resume screener bias against older female and younger candidates. October 2025; 34,500 LLM-generated resumes across 54 occupations. news.stanford.edu/stories/2025/10/ai-llms-age-bias-older-working-women-research.
• Indiana Management Performance Hub (2026). State of Indiana AI Policy and Guidance. in.gov/mph/AI.
• Indiana University News (December 3, 2025). Lilly and IU to expand access to clinical trials and latest innovative treatments for Hoosiers. Five-year agreement up to $40M; AI-enabled clinical trial infrastructure as one of three focus areas. news.iu.edu.

This article is informational only. It is not legal advice. Consult counsel before making compliance decisions.

Harrison Painter

AI Business Strategist. Founder, LaunchReady.ai and AI Law Tracker.

Harrison helps teams build AI systems that cut cost and grow revenue. Nearly twenty years of business experience. 2.8M YouTube views. Founder of LaunchReady.ai and the 7 Levels of AI Proficiency framework. Author of You Have Already Been Replaced by AI and The White-Collar Factory is Closing.

Connect on LinkedIn