AI Approval Workflow
[EAAPL-GOV003] AI Approval Workflow
Category: Governance / Deployment Control Sub-category: Change Management & Approval Gates Version: 1.3 Maturity: Proven Tags: approval-workflow, deployment-gates, separation-of-duties, change-management, APRA, EU-AI-Act Regulatory Relevance: APRA CPS230 §23–§26, EU AI Act Article 14, ISO/IEC 42001 §8.4, NIST AI RMF MANAGE 1.1
1. Executive Summary
The AI Approval Workflow establishes a multi-stage, evidence-gated approval process that every AI system must traverse before production deployment. It implements separation of duties as an architectural principle—technical, security, ethics, regulatory, and executive reviewers operate as independent gates, each with defined authority and accountability.
This pattern solves a persistent enterprise problem: AI systems deploy through standard software change management processes designed for deterministic code, which fundamentally misses AI-specific risks including fairness, explainability, adversarial vulnerability, and regulatory classification. By inserting AI-specific review stages with defined entry and exit criteria, the workflow ensures that deployment decisions are informed, documented, and defensible.
For CIOs and CTOs, this pattern delivers three strategic outcomes: regulatory defensibility (documented approval evidence for every deployed model), risk reduction (no model enters production without expert sign-off on applicable risk dimensions), and accountability (named approvers with defined authority create clear responsibility chains). Implementation integrates with existing ITSM and change management tooling, minimising adoption friction while adding material governance value.
2. Problem Statement
Business Problem
AI systems are promoted to production through standard software release processes (JIRA tickets, change advisory boards) that do not assess AI-specific risk dimensions. Approvers lack the expertise and structured information to make informed decisions. Approval becomes a rubber stamp rather than a genuine risk control.
Technical Problem
Multi-stage approval requires coordination across technical, security, compliance, ethics, and executive reviewers. Without a structured workflow, reviews happen ad-hoc, evidence is unstructured, decisions are verbal, and there is no audit trail connecting deployment to approval.
Symptoms
- AI models deployed without documented fairness or ethics review
- Security reviews of AI systems using generic application security checklists
- Legal/compliance review occurring after deployment when issues are discovered
- No traceable connection between deployed model version and approval evidence
- Different AI projects following different approval processes based on team culture
- Inability to answer regulators' question: "who approved this AI system for deployment and based on what evidence?"
Cost of Inaction
- Regulatory: APRA examination finding; EU AI Act Article 14 (human oversight) non-compliance
- Legal: Deployment of non-compliant AI creating retrospective liability without approval documentation
- Operational: Fast-moving development teams deploy without governance, creating ungoverned AI estate
- Reputational: High-profile AI failure with no documented governance process amplifies regulatory and media response
3. Context
When to Apply
- All AI systems being promoted to production (regardless of risk tier — tier determines approval depth, not whether approval applies)
- Existing deployed models undergoing material changes (new training data, new use case, architectural change)
- Third-party AI integrations being enabled for first time
- Models being promoted from staging to production after staging validation
When NOT to Apply
- Within-experiment model retraining (automated retraining of existing approved models within previously approved parameter bounds)
- Internal experimentation environments with no production data or customer impact
- Non-AI software changes (standard ITSM change process applies)
Prerequisites
- Model registered in AI Model Register (GOV001) with MRID
- Risk assessment completed (GOV002) with documented risk tier
- Technical documentation package complete per risk tier requirements
- Deployment environment provisioned with monitoring controls configured
Industry Applicability
| Industry | Applicability | Approval Authority Level | Regulatory Driver |
|---|---|---|---|
| Banking & Insurance (AU) | Critical | Board Risk Committee for Critical-tier | APRA CPS230 §23 |
| Financial Services (EU) | Critical | CRO + Legal for high-risk AI | EU AI Act Article 14 |
| Healthcare | Critical | Clinical Safety Officer for patient-facing AI | TGA software regulation |
| Government | High | Senior Responsible Officer | APS AI Ethics Framework |
| Technology / SaaS | Medium | VP Engineering + Legal | Customer contractual obligations |
| Retail | Low–Medium | AI Governance lead | Consumer protection obligations |
4. Architecture Overview
The AI Approval Workflow is architected as a sequential gate process with parallel review capability within each gate. The pattern makes three foundational architectural decisions that distinguish it from generic change management workflows.
First principle: Risk-tier-driven depth, not fixed stages. A Low-risk internal analytics model does not require the same approval rigour as a Critical-tier credit decisioning model. The workflow uses risk tier (from GOV002) to determine which stages are mandatory, which are advisory, and what evidence is required at each stage. A four-tier depth model is defined: Express (Low), Standard (Medium), Comprehensive (High), and Full Board (Critical). This prevents the framework becoming a bottleneck that business units circumvent.
Second principle: Evidence gates, not opinion gates. Each approval stage has defined entry criteria (what evidence must exist before the stage opens) and exit criteria (what the approver must review and attest). Approvers cannot mark a stage complete without linking to specific assessment artefacts. This transforms approval from "did the committee meet?" to "did the committee review specific evidence and make an informed decision?" The distinction is material under regulatory examination.
Third principle: Separation of duties by role type. The five review stages—Technical, Security, Ethics, Regulatory, and Executive—must be performed by different individuals from different organisational functions. A single person cannot approve their own technical and ethics review. This separation is enforced at the workflow layer: the system will not accept approvals from the same individual for more than one stage on the same model. This satisfies APRA CPS230 §26 governance requirements for independence in risk oversight.
Stage Architecture. The five stages are:
Stage 1: Technical Review validates that the model meets technical quality standards: performance benchmarks met, model card complete, integration tests passing, fallback behaviour verified, monitoring hooks installed. Technical review can be performed by the AI/ML engineering team but not by the model's own developers (peer review at minimum).
Stage 2: Security Review validates AI-specific security controls: adversarial robustness testing completed (per GOV002 security module), input validation controls in place, model endpoint access controls verified, supply chain provenance confirmed, and penetration test scheduled or completed. Security review is performed by the enterprise security team, not the AI team.
Stage 3: Ethics Review assesses fairness, explainability, and responsible AI alignment. This stage is mandatory for all customer-facing models and all models making consequential decisions about individuals. Ethics reviewers must be independent of the development team and must include at least one non-technical reviewer. For Critical-tier models, the AI Ethics Review Board (GOV009) performs this stage.
Stage 4: Regulatory/Compliance Review validates that the model is compliant with all applicable regulatory obligations: data processing agreements signed (third-party models), privacy impact assessment completed, EU AI Act registration submitted (if applicable), prohibited use case confirmation, and geographic restriction compliance. This stage is performed by Legal/Compliance, not the AI or business team.
Stage 5: Executive Sign-off provides accountability at the appropriate authority level based on risk tier. Low-tier models may not require executive sign-off; Critical-tier models require CRO or Board Risk Committee acknowledgement. This stage creates the governance anchor — a named executive accountable for the deployment decision.
Parallel Review Optimisation. Stages 2, 3, and 4 (Security, Ethics, Regulatory) can execute in parallel once Stage 1 (Technical) is complete. This parallelisation reduces the calendar time from sequential 5-stage to effectively 3-stage (Technical → parallel Security+Ethics+Regulatory → Executive). For a well-prepared Medium-tier model, the full workflow completes in 5–7 business days.
Conditional Re-review. Material changes to an approved model trigger a partial re-review. The system categorises change types and maps them to required re-review stages: a model architecture change triggers Technical + Security; a new use case triggers Ethics + Regulatory; a new training dataset triggers Technical + Ethics. This prevents full re-review for minor changes while ensuring material changes receive appropriate scrutiny.
5. Architecture Diagram
6. Components
| Component | Type | Responsibility | Technology Options | Criticality |
|---|---|---|---|---|
| Pre-flight Validation Service | Business Logic | Validates prerequisites before workflow initiates; checks GOV001 and GOV002 status | Workflow engine + REST calls to GOV001/GOV002 APIs | Critical |
| Risk Tier Router | Business Logic | Determines approval track (Express/Standard/Comprehensive/Full Board) from GOV002 risk rating | Rules engine; workflow BPM routing | Critical |
| Stage Orchestration Engine | Workflow | Manages stage sequencing, parallel execution of stages 2-4, SLA tracking, escalations | Camunda BPM, ServiceNow Workflow, AWS Step Functions | Critical |
| Evidence Gate Enforcer | Business Logic | Blocks stage completion until required evidence artefacts are linked | Custom validation rules; document management integration | Critical |
| Reviewer Assignment Service | Identity/Access | Routes each stage to correct approver pool based on risk tier and organisational role | LDAP/AD group-based routing | High |
| Separation of Duties Enforcer | Security Control | Prevents same individual approving multiple stages on same model | Cross-stage approver deduplication check | Critical |
| SLA Monitor & Escalator | Operations | Tracks time-in-stage; escalates approaching and breached SLAs | Workflow timer events; notification service | High |
| Approval Audit Logger | Compliance | Records every approval decision with approver identity, timestamp, evidence links, rationale | Immutable log (append-only DB or S3 WORM) | Critical |
| Deployment Token Issuer | Security | Issues time-limited, model-version-specific deployment authorisation token consumed by MLOps pipeline | JWT with model version claim; short expiry (24h) | Critical |
| Change Classification Engine | Business Logic | Classifies change type for deployed models; determines re-review scope | Rules engine with change type taxonomy | High |
| GOV001/GOV002 Integration | Integration | Updates model register and risk assessment records with approval outcome | REST API integration | High |
7. Data Flow
Primary Approval Flow (Comprehensive Track — High Risk)
| Step | Actor | Action | Output |
|---|---|---|---|
| 1 | Model Owner | Submits deployment request with MRID, target environment, deployment date | Approval request ID; pre-flight checks initiated |
| 2 | Pre-flight Service | Validates GOV001 MRID exists, GOV002 assessment complete, tech docs present | Pre-flight pass confirmation |
| 3 | Tier Router | Reads GOV002 risk rating; routes to Comprehensive track | Track assignment; Stage 1 notification sent to technical reviewer pool |
| 4 | Technical Reviewer (peer, not developer) | Reviews model card, performance benchmarks, integration tests, monitoring config; links evidence | Stage 1 approval attestation + evidence bundle reference |
| 5 | Stage Orchestration | Validates Stage 1 evidence gate; opens Stages 2, 3, 4 in parallel | Parallel review notifications to Security, Ethics, Regulatory reviewers |
| 6a | Security Reviewer (CISO team) | Reviews adversarial test results, access controls, supply chain provenance | Stage 2 approval or findings requiring remediation |
| 6b | Ethics Reviewer (AI Ethics Officer) | Reviews fairness metrics, explainability report, responsible AI alignment | Stage 3 approval or ethics concerns |
| 6c | Regulatory Reviewer (Legal/Compliance) | Reviews DPA status, PIA completion, prohibited use confirmation | Stage 4 approval or compliance gaps |
| 7 | Aggregation Gate | Checks all three parallel stages passed; compiles consolidated status | Consolidated parallel review outcome |
| 8 | Executive Approver (Risk Officer for High-tier) | Reviews summary package; makes deployment decision | Stage 5 approval/rejection/conditional with rationale |
| 9 | Deployment Token Issuer | Generates time-limited JWT with model MRID and version claim | Deployment authorisation token |
| 10 | GOV001 Integration | Updates model register status to APPROVED; links approval artefact | Model register updated; deployment permitted by MLOps gate |
Error Flow
| Condition | Detection | Response | Recovery |
|---|---|---|---|
| Stage failure (reviewer finds critical issue) | Reviewer marks stage Fail with finding reference | Workflow pauses; owner notified with consolidated findings | Owner remediates; resubmits for failed stages only (not full workflow restart) |
| SLA breach at any stage | SLA monitor timer event | Escalation to stage owner's manager; AI Governance notified | Priority queue assignment; daily status reporting until resolved |
| Separation of duties violation attempted | Stage enforcer check | Approver rejected; alternative reviewer requested | AI Governance assigns independent reviewer |
| Deployment token expired before use | MLOps pipeline check | Pipeline blocked; re-approval required | Fast-track Stage 5 re-approval (token extension) for unchanged model |
8. Security Considerations
Separation of Duties (Critical Control)
- System enforces: no individual can approve more than one stage for a given model deployment
- Workflow engine maintains approver identity per stage; cross-check performed before accepting approval
- Model owners cannot approve any stage on their own model (explicit exclusion list)
Deployment Token Security
- JWT deployment tokens carry: MRID, model version hash, approved environment, issuer, expiry (24 hours)
- MLOps pipeline validates token signature before permitting deployment
- Tokens invalidated immediately if model version changes post-issuance
Audit Log Integrity
- All approval decisions written to WORM-compliant immutable log
- Approval records include: approver identity, timestamp, decision, rationale text, evidence artefact hashes
- No deletion permitted; corrections via superseding record only
OWASP LLM Top 10 Mapping
| OWASP LLM Risk | Approval Stage Coverage | Control |
|---|---|---|
| LLM01 Prompt Injection | Stage 2 Security | Mandatory prompt injection test results required as evidence |
| LLM02 Insecure Output Handling | Stage 1 Technical | Output validation controls verified in technical review |
| LLM04 Model Denial of Service | Stage 2 Security | Rate limiting and resource controls verified |
| LLM08 Excessive Agency | Stage 3 Ethics + Stage 4 Regulatory | Agency scope review mandatory for autonomous AI |
| LLM09 Overreliance | Stage 3 Ethics | Human oversight mechanisms verified; escalation paths documented |
9. Governance Considerations
Responsible AI
The Ethics Review stage (Stage 3) is the primary responsible AI gate. It requires sign-off from a designated AI Ethics Officer or, for Critical-tier, the full AI Ethics Review Board (GOV009). Ethics review covers: fairness assessment outcomes, explainability adequacy, human override mechanisms, and vulnerable population impact.
Model Risk
The approval workflow is a key control in the enterprise model risk framework. Approved models receive a Model Risk Rating that references the approval record. Model risk committee reviews approval outcomes quarterly.
Traceability
Every deployed model has a traceable approval chain: MRID → Assessment ID (GOV002) → Approval Request ID → Stage approver identities → Deployment token hash → Deployed model version. This chain can be reconstructed from audit logs for any deployed model at any point in time.
Governance Artefacts
| Artefact | Owner | Frequency | Regulatory Linkage |
|---|---|---|---|
| Approval Decision Record (per model) | AI Governance | Per deployment | APRA CPS230 §23; EU AI Act Article 14 |
| Approval SLA Compliance Report | AI Governance | Monthly | ISO 42001 §8.4 |
| Separation of Duties Violation Log | CISO | Monthly | APRA CPS230 §26 independence requirement |
| Executive Approval Register | Risk Committee | Quarterly | Board governance obligations |
10. Operational Considerations
SLOs
| SLO | Target | Measurement |
|---|---|---|
| Stage 1 Technical review SLA | ≤3 business days | Per approval request |
| Stages 2-4 parallel review SLA | ≤5 business days | Per approval request |
| Stage 5 Executive review SLA | ≤2 business days | Per approval request |
| Total workflow (High tier) | ≤10 business days | End-to-end |
| Workflow engine availability | 99.5% | 30-day rolling |
Monitoring
| Metric | Target | Alert Threshold |
|---|---|---|
| Approvals awaiting >SLA | 0 | Any approval stuck >SLA |
| SoD violations attempted | 0 | Any attempt |
| Deployments without valid token | 0 | Any event — critical alert |
| Approval conversion rate (submitted → approved) | Tracked | Significant change indicates assessment quality issue |
Disaster Recovery
| Scenario | RTO | RPO | Recovery |
|---|---|---|---|
| Workflow engine unavailable | 4 hours | 1 hour | Emergency manual approval via documented exception process; retrospective system entry |
| Audit log unavailable | 1 hour | 0 | WORM storage; read from replica |
11. Cost Considerations
Cost Drivers
| Driver | Cost Type | Notes |
|---|---|---|
| Reviewer time (dominant cost) | Variable FTE | Stage 1: 0.5 days; Stages 2-4: 1 day each; Stage 5: 0.25 days |
| Workflow platform licence | Fixed SaaS | Camunda Cloud: $2K–$20K/yr; ServiceNow: included in existing licence |
| Audit log storage | Variable | Minimal (KB per approval record); 7-year WORM retention |
Indicative Cost Range
| Track | Reviewer Time | Infrastructure | Total per Approval |
|---|---|---|---|
| Express (Low) | 1 day × $1,500 | $10 | ~AUD $1,510 |
| Standard (Medium) | 2.5 days × $1,500 | $10 | ~AUD $3,760 |
| Comprehensive (High) | 4.75 days × $1,500 | $10 | ~AUD $7,135 |
| Full Board (Critical) | 6+ days × $1,500 + expert | $10 | ~AUD $20,000+ |
12. Trade-Off Analysis
Option Comparison
| Option | Description | Pros | Cons | Recommended For |
|---|---|---|---|---|
| A: Five-stage workflow (this pattern) | Sequential gates with parallel 2-4 | Comprehensive; defensible; separation of duties enforced | 5–10 day cycle time | Regulated industries |
| B: Single approval gate | One cross-functional committee reviews all dimensions | Fast; simple | Single point of failure; no separation of duties; committee lacks depth across all dimensions | Very small organisations |
| C: Automated approval for low risk | Fully automated for Low-tier with human override | Scales to high model volume | Requires high confidence in automated checks | Volume model refresh pipelines |
| D: Continuous deployment with post-deploy review | Deploy first; review second | Maximum speed | Inverts risk management; regulators will not accept | Never for customer-facing consequential AI |
Architectural Tensions
| Tension | Stance | Mitigation |
|---|---|---|
| Speed vs. Thoroughness | Thoroughness wins for High/Critical; tiered tracks for Low/Medium | Risk-tier routing ensures proportionate effort |
| Automation vs. Human Judgement | Human judgement required at every stage | Automation assists (pre-population, evidence linking) but cannot substitute |
| Centralisation vs. Delegation | Central workflow; delegated stage authority | Risk tier maps to authority level; avoid central bottleneck |
13. Failure Modes
| Failure | Likelihood | Impact | Detection | Recovery |
|---|---|---|---|---|
| Reviewer unavailability blocking SLA | High | Medium | SLA monitor alert | Backup reviewer pool; SLA escalation |
| Evidence quality insufficient to support decision | Medium | High | Stage reviewer rejection | Pre-submission checklist; evidence quality coaching |
| Approval granted without reviewing evidence (rubber stamp) | Medium | Critical | Audit log review; periodic approval quality spot-check | Mandatory evidence link validation; approver accountability review |
| Deployment without approval token | Low | Critical | MLOps pipeline gate | Immediate incident; model rollback; governance investigation |
| Approval shopping (submitting to easier reviewer) | Low | High | Cross-approval pattern analysis | Role-based reviewer assignment; no model-owner reviewer selection |
14. Regulatory Considerations
APRA CPS230
- §23: Risk management framework requires documented approval process for changes to critical operations. This workflow provides the required documentation.
- §26: Governance arrangements require independence in risk oversight. SoD enforcement directly satisfies this.
EU AI Act
- Article 14: Human oversight requirements for high-risk AI. Stage 3 (Ethics) and Stage 5 (Executive) provide the human oversight attestation required before deployment.
- Article 16(f): Providers of high-risk AI must draw up technical documentation. Stage 1 (Technical) gate enforces documentation completeness.
- Article 43: Conformity assessment for high-risk AI. Approval record serves as conformity assessment documentation for Annex III use cases.
NIST AI RMF
- MANAGE 1.1: AI risk responses are decided upon and implemented. Approval workflow is the primary implementation of MANAGE function.
- MANAGE 2.2: Mechanisms to respond to AI risk prioritised. Stage-based escalation implements this.
ISO/IEC 42001
- §8.4: Operational planning and control requires documented procedures for AI system deployment. This workflow pattern satisfies §8.4.
15. Reference Implementations
AWS
| Component | AWS Service |
|---|---|
| Workflow Orchestration | AWS Step Functions + Human Approval tasks |
| Deployment Token | AWS Lambda (JWT generation) + KMS signing |
| Audit Log | DynamoDB (append-only) + S3 WORM export |
| Notifications | SNS + SES |
| Evidence Storage | S3 + presigned URL |
Azure
| Component | Azure Service |
|---|---|
| Workflow Orchestration | Azure Logic Apps + Azure DevOps Approval Gates |
| Deployment Token | Azure Functions + Key Vault signing |
| Audit Log | Azure Cosmos DB (append mode) + Immutable Blob |
On-Premises / Enterprise ITSM
| Component | Technology |
|---|---|
| Workflow | ServiceNow Custom Workflow / Camunda BPM |
| Token | Internal PKI JWT issuance |
| Audit Log | Immutable SIEM (Splunk with index-level WORM) |
16. Related Patterns
| Pattern | Relationship | Dependency Direction |
|---|---|---|
| EAAPL-GOV001 AI Model Register | Input — MRID required; output updates register | GOV001 → GOV003 → GOV001 |
| EAAPL-GOV002 AI Risk Assessment | Input — risk tier determines approval track | GOV002 → GOV003 |
| EAAPL-GOV007 AI Audit Trail | Complementary — approval decisions stored in audit trail | GOV003 → GOV007 |
| EAAPL-GOV009 AI Ethics Review Board | Called — Critical-tier models invoke ethics board for Stage 3 | GOV003 → GOV009 |
| EAAPL-CMP003 EU AI Act Compliance | Satisfies — Article 14 human oversight documentation | GOV003 → CMP003 |
17. Maturity Assessment
Overall Maturity: Proven (Level 3)
| Dimension | Score (1–5) | Evidence |
|---|---|---|
| Stage definition completeness | 5 | All five stages with entry/exit criteria |
| SoD enforcement | 5 | System-enforced; no manual bypass |
| Risk-tier routing | 4 | Four tracks defined; gap is automated tier adjustment based on post-deploy signals |
| ITSM integration | 3 | Reference implementations exist; custom integration required per enterprise |
| Re-review automation | 3 | Change classification rules defined; automated triggering from MLOps not yet standardised |
18. Revision History
| Version | Date | Author | Changes |
|---|---|---|---|
| 1.0 | 2024-03-01 | EAAPL Working Group | Initial publication |
| 1.1 | 2024-09-01 | EAAPL Working Group | Added parallel stage execution optimisation |
| 1.2 | 2025-02-01 | EAAPL Working Group | Added deployment token architecture; EU AI Act Article 43 mapping |
| 1.3 | 2025-08-01 | EAAPL Working Group | Added conditional approval track; re-review automation guidance |