AG-603

Editorial Override Governance

Content, Media, Democracy & Information Ecosystems · AGS v2.1 · April 2026
EU AI Act · NIST · ISO 42001

Section 2: Summary

This dimension governs the mandatory preservation of accountable human editorial authority over AI-generated or AI-assisted content outputs that carry reputational, democratic, legal, or public-safety consequence. It matters because the unchecked delegation of editorial judgement to autonomous agents — across news publishing, public communications, electoral messaging, and regulated information environments — creates structural conditions for misinformation propagation, accountability gaps, and violations of press freedom obligations that cannot be corrected after distribution. Failure manifests as AI-generated content reaching mass audiences without traceable human sign-off, editorial chains of custody that cannot be reconstructed during litigation or regulatory inquiry, and organisations unable to demonstrate who approved what and when in the event of a harmful publication incident.

Section 3: Examples

Example 1: Automated News Wire Distribution Without Editorial Gate (Regional Publisher, 2023–2024 Analogue)

A mid-sized regional news publisher deploys an AI content agent to auto-generate summaries of financial earnings reports and distribute them directly to its web CMS for publication. The agent is configured with a publishing threshold of "confidence > 0.85 = auto-publish." On a Tuesday morning, the agent processes a filing that contains an earnings-per-share figure of $0.43 but misreads a footnote correction; the agent publishes a summary stating EPS of $4.30. The article reaches approximately 140,000 readers before a junior editor flags the discrepancy 47 minutes later. By that point, the article has been scraped by three downstream aggregators. The publisher has no audit log of which human, if any, reviewed the output before publication. During the subsequent regulatory inquiry by the financial press regulator, the publisher cannot produce a named editorial approver. The resulting enforcement action includes a €180,000 fine and a mandatory six-month supervised publishing regime. The absence of an editorial override gate — a single named human with documented approval authority — is cited as the primary control failure.

Example 2: Government Public Health Messaging Agent Without Override Protocol (Hypothetical Derived From Documented Patterns)

A national public health agency deploys a multilingual AI communications agent to generate and distribute guidance messages across social media channels during an outbreak response. The agent operates under a standing instruction to publish updates within 15 minutes of receiving new epidemiological data. During a data pipeline error, the agent receives a corrupted dataset suggesting a novel transmission vector. It generates and publishes — across four language versions, to a combined subscriber base of 2.3 million — guidance advising citizens to avoid public water supplies in three regions. The guidance is factually incorrect. The agency's override protocol consists only of a post-publication review step; no pre-publication human approval is required for messages classified as "routine update." Retraction takes 3 hours and 12 minutes. Parliamentary inquiry identifies that no named official approved the original messages, and that the agency's "editorial responsibility" framework does not define who holds override authority for AI-generated public health content. Two ministers are summoned to give evidence. Crisis communications costs exceed £400,000. The core governance failure is the absence of a pre-publication editorial override gate for high-consequence output categories.

Example 3: Cross-Border Electoral Content Agent Without Jurisdictional Override Mapping

A political communications consultancy operating across five EU member states deploys an AI agent to generate campaign content for a regional election in three languages. The agent is configured to adapt messaging based on polling data and to publish to the client's social channels with a 2-hour delay as its only human review mechanism. In one member state, electoral silence rules prohibit the publication of new persuasive political content within 48 hours of polling. The agent, lacking jurisdiction-aware editorial override routing, publishes 14 pieces of campaign content during the silence period across two platforms. The consultancy's override workflow does not include a jurisdiction-specific pre-clearance step; the single human reviewer in the central team is not informed of the silence rule's activation. National electoral authorities in that member state impose a €95,000 penalty on the client and refer the consultancy for investigation under electoral advertising regulations. The client loses the contract. The consultancy's failure to maintain jurisdiction-aware editorial override governance — with named, accountable reviewers for each regulatory context — is the documented root cause.

Section 4: Requirement Statement

4.0 Scope

This dimension applies to any AI agent or AI-assisted system that generates, transforms, summarises, adapts, or prepares content for publication, distribution, broadcast, or public communication, where that content:

(a) reaches or is intended to reach an audience of ten or more persons;
(b) relates to matters of public record, public interest, electoral or civic processes, public health, financial markets, legal proceedings, or named individuals;
(c) is produced in a context where a natural or legal person bears editorial, regulatory, or legal responsibility for the content under applicable law; or
(d) is generated by a system operating under a Customer-Facing Agent, Public Sector / Rights-Sensitive Agent, or Cross-Border / Multi-Jurisdiction Agent profile.

Scope exclusions: Internal draft generation tools used solely for human-authored content preparation, where no AI output is published without complete human rewriting, fall outside this dimension provided the organisation maintains documented evidence of the rewriting boundary. Systems operating under AG-112 human-in-the-loop thresholds at Level 4 (full human authorship) are exempt from requirements 4.3 through 4.6 but remain subject to 4.1, 4.2, 4.7, 4.8, and 4.9.

4.1 Editorial Override Authority Designation

4.1.1 The deploying organisation MUST designate, in writing, a named individual or named role with explicit editorial override authority for each content category and publication channel in scope. Designation MUST be recorded in the system's governance register and reviewed at least every six months.

4.1.2 The designated editorial authority MUST be a human person with the organisational standing and technical access to halt, modify, or retract any AI-generated output within the publication pipeline at any stage before and after distribution.

4.1.3 Designation MUST NOT be assigned solely to an automated process, algorithm, or AI agent acting in a supervisory capacity over another AI agent. Human-in-the-loop requirements from AG-112 apply and are not superseded by this dimension.

4.1.4 Where editorial authority is delegated during absences, the delegation chain MUST be documented, time-bounded, and stored in the same governance register as the primary designation.

4.2 Pre-Publication Override Gate Classification

4.2.1 The deploying organisation MUST classify all content output categories by risk level using a documented classification schema. Risk classification MUST be reviewed whenever the agent's scope, audience, or operational context changes materially.

4.2.2 Content output categories rated High or Critical risk under the classification schema MUST be subject to a mandatory pre-publication editorial review gate through which a named human approver must affirmatively authorise publication. Silent approval (approval by non-response within a time window) MUST NOT satisfy this requirement for High or Critical content categories.

4.2.3 The organisation MUST document the criteria that determine when content is escalated to each risk level, and these criteria MUST be machine-readable or procedurally embedded in the publication pipeline such that escalation is not dependent solely on human triage of unstructured output.

4.2.4 For Cross-Border / Multi-Jurisdiction deployments, the classification schema MUST include jurisdiction-specific risk modifiers that elevate content to the appropriate risk level based on the regulatory context of the target audience's location.

4.3 Override Mechanism Technical Requirements

4.3.1 The deploying organisation MUST implement a technical override mechanism that allows a designated editorial authority to halt distribution of any content item at any point in the pre-publication pipeline without requiring intervention from a software engineer or system administrator.

4.3.2 The override mechanism MUST be accessible through at least two independent interface paths (e.g., primary editorial dashboard and a secondary mobile or out-of-band channel) to ensure availability during primary system degradation.

4.3.3 The override mechanism MUST generate a timestamped, immutable log entry capturing the identity of the person invoking the override, the content item affected, the stage in the pipeline at which override was invoked, and the action taken (halt, modify, retract, approve).

4.3.4 Where content has already been distributed, the override mechanism MUST include a retraction workflow that propagates retraction signals to all downstream channels and distribution partners covered by the organisation's content agreements, to the extent technically feasible.

4.3.5 The override mechanism MUST NOT be configurable to disable or bypass human approval requirements for High or Critical content categories, including through administrative settings, feature flags, or API parameters, without documented senior-leadership authorisation recorded in the governance register.

4.4 Chain of Editorial Custody

4.4.1 The organisation MUST maintain a complete editorial chain of custody for every content item produced by an AI agent and published or distributed. The chain of custody record MUST include: the identity of the AI system and version that generated the output; the identity of the human approver; the timestamp of approval; any modifications made between AI generation and publication; and the distribution record.

4.4.2 Chain of custody records MUST be retained for a minimum of seven years or the applicable regulatory retention period under the jurisdiction of the primary audience, whichever is longer.

4.4.3 The organisation MUST be able to produce a complete chain of custody record for any published content item within 48 hours of a regulatory or legal request.

4.4.4 Chain of custody records MUST be stored in a system that is logically or physically separate from the AI content generation system to prevent records from being altered or deleted through a single point of compromise.

4.5 Override Trigger Conditions

4.5.1 The organisation MUST define and document a set of mandatory override trigger conditions — specific content characteristics or contextual signals — that automatically route content to the pre-publication editorial gate regardless of the content's baseline risk classification. Mandatory trigger conditions MUST include, at a minimum: content naming a living individual in a context that could affect their reputation; content referencing active legal proceedings; content published during an electoral silence period applicable to the target jurisdiction; content asserting factual claims that have not been verified against a cited primary source; and content containing statistical or numerical claims above a defined materiality threshold.

4.5.2 The organisation MUST implement automated detection of override trigger conditions within the publication pipeline. Detection MUST NOT rely solely on the AI agent self-reporting trigger conditions.

4.5.3 When an override trigger condition is detected, the pipeline MUST halt automatically and notify the designated editorial authority through the primary and secondary notification channels defined under 4.3.2.

4.5.4 The organisation MUST review and update override trigger conditions at least annually or following any significant incident in which content caused harm or regulatory action.

4.6 Synthetic and AI-Labelled Content

4.6.1 For content that is substantially AI-generated (where the AI agent has contributed more than 30% of the final published word count, image content, or audiovisual content by volume), the organisation MUST ensure that the editorial authority specifically reviews and approves the AI provenance disclosure that accompanies the content, in addition to reviewing the content itself.

4.6.2 The organisation MUST NOT permit an AI agent to self-certify its own provenance disclosure without human editorial review. Provenance disclosure requirements are further governed by AG-204 and AG-419; this requirement establishes the editorial oversight obligation that operates in parallel.

4.6.3 Where content involves synthetic media elements (generated images, synthetic voice, deepfake-adjacent techniques), the editorial authority MUST explicitly acknowledge, in the chain of custody record, that they have reviewed the synthetic element and confirmed it meets the organisation's synthetic media policy.

4.7 Training and Competency of Editorial Authorities

4.7.1 The organisation MUST ensure that every person designated as an editorial authority under 4.1 has completed documented training covering: the capabilities and known failure modes of the specific AI system they oversee; the organisation's override procedures; applicable legal and regulatory obligations in their operational jurisdiction; and the organisation's escalation path for incidents.

4.7.2 Training MUST be refreshed at least annually and following any material change to the AI system's capabilities, configuration, or deployment scope.

4.7.3 The organisation MUST maintain training completion records for all designated editorial authorities and produce them upon request during audit or regulatory inquiry.

4.8 Incident Response for Editorial Override Failures

4.8.1 The organisation MUST maintain a documented incident response procedure specifically addressing editorial override failures, including: detection and triage of unauthorised publications; retraction and correction workflows; notification to affected individuals or audiences; regulatory notification where required; and post-incident review.

4.8.2 Following any editorial override failure that results in public harm, regulatory action, or content reaching more than 1,000 persons before detection, the organisation MUST conduct and document a root cause analysis within 14 calendar days and submit findings to its internal AI governance function.

4.8.3 Incident response procedures MUST be tested at least once every 12 months through a simulated override failure exercise, and test results MUST be recorded and reviewed by the organisation's AI governance function.

4.9 Governance Register and Policy Maintenance

4.9.1 The organisation MUST maintain an Editorial Override Governance Register that consolidates all records required by this dimension, including editorial authority designations, content classification schemas, override trigger conditions, chain of custody records index, training records, and incident records.

4.9.2 The governance register MUST be reviewed and formally re-approved by a senior responsible officer at least annually.

4.9.3 The organisation SHOULD conduct a documented peer review or external audit of its editorial override governance at least every two years for High-Risk/Critical tier deployments.

4.9.4 The organisation MAY implement automated compliance monitoring of override gate adherence rates, approval latency, and trigger condition detection accuracy as part of its ongoing governance assurance programme.

Section 5: Rationale

Structural Enforcement Rationale

Editorial oversight of published content is not a novel governance concept — it is the foundational accountability mechanism of regulated publishing, broadcasting, and public communications. What AI agents introduce is a structural discontinuity: the capacity to generate, adapt, and distribute content at volumes and velocities that overwhelm traditional editorial workflows, combined with the opacity of generative processes that makes human review feel procedurally redundant to operators optimising for speed. AG-603 responds to this structural discontinuity by establishing that editorial authority is not optional efficiency overhead — it is the legally and ethically necessary locus of accountability that cannot be transferred to an automated system without creating a governance vacuum that courts, regulators, and affected persons will ultimately hold organisations responsible for filling.

The preventive control type of this dimension reflects a deliberate choice. Detective controls — reviewing published content for errors after distribution — are insufficient in environments where content reaches large audiences within seconds of generation. A single unchecked publication in a high-consequence context (electoral misinformation, incorrect medical guidance, defamatory assertions about a named individual) can cause irreversible harm before any post-publication review occurs. The override gate structure required by Section 4.2 is therefore not a courtesy mechanism; it is the minimum structural intervention necessary to make human editorial responsibility operationally real rather than nominally present.

Behavioural Enforcement Rationale

Beyond structural controls, this dimension addresses a documented behavioural failure mode in AI-assisted publishing: the gradual normalisation of override bypass. Operators under deadline pressure, organisations that have experienced low error rates over a period of automated operation, and teams that lack specific training on AI failure modes all exhibit a tendency to treat override gates as friction rather than as accountability checkpoints. The requirements in 4.1 (named authority), 4.3 (technical access), 4.5 (mandatory trigger conditions), and 4.7 (training) are designed to make bypass behaviourally difficult by ensuring that override authority is personal, accountable, and requires affirmative action rather than passive non-objection.

The 30% threshold in 4.6.1 for AI-labelled content is deliberately conservative. It reflects the recognition that substantial AI contribution to content changes the accountability character of the output in ways that are not captured by reviewing the text alone — the editorial authority must also take responsibility for the disclosure of that contribution, which is a distinct editorial judgement.

Why This Control Is Necessary Within This Landscape

The Content, Media, Democracy & Information Ecosystems landscape is defined by the interaction between information supply and civic consequence. Misinformation, electoral interference, defamation, and public health harm are not abstract risks in this landscape — they are documented, recurring outcomes of information systems operating without adequate human accountability. AI agents operating in this landscape at scale multiply the surface area of potential harm by orders of magnitude. Editorial override governance is the primary mechanism by which organisations in this landscape can maintain the accountability chains that media law, electoral regulation, public health communications frameworks, and defamation law assume are present. Without this dimension, those legal frameworks rest on a false assumption that there is a responsible human editor behind every published output.

Section 6: Implementation Guidance

Pattern 1: Risk-Tiered Approval Queue

Implement a publication pipeline with three lanes corresponding to content risk tiers (Standard, High, Critical). Standard-tier content may proceed with asynchronous editorial sampling (reviewed within 24 hours post-publication for trend monitoring). High-tier content enters a synchronous approval queue with a defined maximum review window (recommended: 2 hours for routine operations, 30 minutes for time-sensitive contexts). Critical-tier content requires affirmative approval before pipeline release, with automatic escalation to a secondary editorial authority if the primary authority does not respond within the defined window. This pattern balances editorial accountability with operational tempo.

Pattern 2: Jurisdiction-Aware Routing Rules

For Cross-Border / Multi-Jurisdiction deployments, implement routing logic that ingests a jurisdiction rules registry (maintained by the legal or compliance function) and automatically applies jurisdiction-specific risk modifiers to content before routing. Electoral silence periods, defamation rule variations, public health emergency communication requirements, and language-specific legal obligations should all be encoded as rule objects that the routing layer applies dynamically. This pattern prevents the single-reviewer bottleneck that occurs when cross-border editorial oversight relies on individual awareness of jurisdiction-specific obligations.
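The following added example (not part of the AG-603 text or of any product's code) shows how Patterns 1 and 2 compose: rule objects from a jurisdiction registry raise the risk tier, and High or Critical items are released only on an affirmative decision from a reviewer designated for the flagged jurisdiction. The jurisdiction codes, reviewer names, categories and the choice to escalate High items on timeout are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import IntEnum
from typing import Optional


class Risk(IntEnum):
    STANDARD = 1
    HIGH = 2
    CRITICAL = 3


@dataclass(frozen=True)
class SilenceRule:
    """One rule object from the jurisdiction rules registry (Pattern 2)."""
    jurisdiction: str
    categories: frozenset
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Item:
    item_id: str
    category: str
    jurisdictions: tuple
    publish_at: datetime
    model_confidence: float  # kept for the record; the gate never reads it


@dataclass(frozen=True)
class Approval:
    approver: str
    approved: bool


@dataclass(frozen=True)
class Decision:
    action: str  # "publish", "hold", "escalate" or "halt"
    risk: Risk
    reason: str


UTC = timezone.utc
# Constructed sample data: baseline schema, rules registry, authority register.
BASELINE = {"sports_recap": Risk.STANDARD, "campaign_post": Risk.HIGH}
RULES = [SilenceRule("XX", frozenset({"campaign_post"}),
                     datetime(2026, 4, 10, tzinfo=UTC), datetime(2026, 4, 12, tzinfo=UTC))]
AUTHORITIES = {"XX": {"reviewer-xx"}, "YY": {"reviewer-yy"}}
REVIEW_WINDOW = timedelta(hours=2)


def classify(item, rules=RULES):
    """Return (risk, flagged): baseline tier raised by jurisdiction modifiers."""
    risk = BASELINE.get(item.category, Risk.HIGH)  # unknown category fails closed
    flagged = [r.jurisdiction for r in rules
               if r.jurisdiction in item.jurisdictions
               and item.category in r.categories
               and r.start <= item.publish_at < r.end]
    return (Risk.CRITICAL if flagged else risk), flagged


def is_designated(approver, item, flagged):
    """Approver must be registered for every flagged jurisdiction, or for at
    least one target jurisdiction when no modifier fired."""
    if flagged:
        return all(approver in AUTHORITIES.get(j, set()) for j in flagged)
    return any(approver in AUTHORITIES.get(j, set()) for j in item.jurisdictions)


def gate(item, approval: Optional[Approval], queued_at, now, rules=RULES):
    """Decide what the pipeline does with one item at time `now`."""
    risk, flagged = classify(item, rules)
    if risk == Risk.STANDARD:
        return Decision("publish", risk, "standard lane, sampled after publication")
    if approval is not None and is_designated(approval.approver, item, flagged):
        action = "publish" if approval.approved else "halt"
        return Decision(action, risk, f"affirmative decision by {approval.approver}")
    if now - queued_at >= REVIEW_WINDOW:
        # Silence is never consent: an elapsed window escalates, it does not publish.
        return Decision("escalate", risk, "review window elapsed without valid approval")
    return Decision("hold", risk, "awaiting approval from a designated reviewer")


# Constructed scenario: campaign content scheduled inside the XX silence period.
NOW = datetime(2026, 4, 11, 9, 0, tzinfo=UTC)
SAMPLE = Item("c-001", "campaign_post", ("XX",), NOW, model_confidence=0.97)

if __name__ == "__main__":
    queued = NOW - timedelta(hours=3)
    for approval in (None, Approval("reviewer-yy", True), Approval("reviewer-xx", False)):
        print(approval, "->", gate(SAMPLE, approval, queued, NOW))
```

An approval from a central reviewer who is not registered for the flagged jurisdiction is treated as no approval at all, which is the gap described in Example 3.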

Pattern 3: Override Authority Hierarchy with Documented Escalation Paths

Define a three-tier editorial authority hierarchy: Tier 1 (operational editorial authority, day-to-day approvals), Tier 2 (senior editorial authority, escalated or out-of-hours approvals), Tier 3 (executive editorial authority, critical incidents and post-incident review). Ensure each tier has documented activation conditions, access credentials, and notification protocols. This pattern prevents single points of failure in the override chain during incidents, absences, or system degradation events.

Pattern 4: Immutable Audit Log with Separate Storage

Implement the chain of custody record as a write-once, append-only log stored in infrastructure that is administratively separate from the content generation and publishing system. Use cryptographic hashing of log entries at the time of creation to enable tamper-evidence verification during audit. This pattern directly supports 4.4.4 and enables organisations to produce verifiable custody records under regulatory inquiry without relying on the operational system's integrity.
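As an added example (not code from the AG-603 text), the log below chains each override entry to its predecessor with SHA-256 and verifies the chain against a head hash held outside the log, which is what exposes truncation or a wholesale rewrite. The field names follow 4.3.3; the class name, sample actors and the AI system label are constructed placeholders.

```python
import copy
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64
ACTIONS = {"halt", "modify", "retract", "approve"}  # action set listed in 4.3.3


def entry_hash(body: dict) -> str:
    """SHA-256 over a canonical JSON encoding of the entry body."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class CustodyLog:
    """Append-only log; each entry commits to the hash of the one before it."""

    def __init__(self):
        self._entries = []

    def append(self, *, actor, item_id, stage, action, ai_system, when=None):
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action!r}")
        if not actor.strip():
            raise ValueError("a named person is required")
        when = when or datetime.now(timezone.utc)
        body = {
            "seq": len(self._entries),
            "timestamp": when.astimezone(timezone.utc).isoformat(),
            "actor": actor,
            "item_id": item_id,
            "stage": stage,
            "action": action,
            "ai_system": ai_system,
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        self._entries.append({**body, "hash": entry_hash(body)})
        return self._entries[-1]["hash"]  # head hash, to be anchored elsewhere

    def export(self):
        return copy.deepcopy(self._entries)


def verify(entries, anchored_head=None):
    """Return a list of (seq, problem) findings; an empty list means intact.

    anchored_head is the last head hash recorded in a separate system. Without
    it, a truncated or fully recomputed chain still verifies.
    """
    findings = []
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i:
            findings.append((i, "sequence gap"))
        if body.get("prev_hash") != prev:
            findings.append((i, "broken link"))
        if entry_hash(body) != entry.get("hash"):
            findings.append((i, "content altered"))
        prev = entry.get("hash")
    if anchored_head is not None and prev != anchored_head:
        findings.append((len(entries), "head mismatch"))
    return findings


def build_sample_log():
    """Constructed sample: one item halted, modified, then approved."""
    log = CustodyLog()
    common = {"item_id": "item-001", "stage": "pre-publication",
              "ai_system": "summariser 1.0 (placeholder)"}
    t = datetime(2026, 4, 7, 8, 0, tzinfo=timezone.utc)
    log.append(actor="Duty Editor A", action="halt", when=t, **common)
    log.append(actor="Duty Editor A", action="modify", when=t.replace(minute=20), **common)
    head = log.append(actor="Senior Editor B", action="approve", when=t.replace(minute=35), **common)
    return log, head


if __name__ == "__main__":
    log, head = build_sample_log()
    tampered = log.export()
    tampered[1]["actor"] = "Someone Else"
    print(verify(log.export(), head), verify(tampered, head))
```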

Pattern 5: Automated Trigger Condition Detection Layer

Implement a pre-publication triage layer — independent of the generative AI agent — that applies named-entity recognition, claim extraction, legal term detection, and jurisdiction calendar checking to every content item before routing. This layer should output a structured trigger condition report that accompanies the content item through the pipeline. Avoid relying on the generative agent to self-report trigger conditions, as this creates a circular dependency where the system most likely to generate problematic content is also responsible for flagging that it has done so.
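One narrow check such a triage layer can run, shown here as an added example that is not part of the AG-603 text: every numeric claim in the generated text must also appear in the cited primary source, otherwise a structured trigger report routes the item to the gate. The sample texts are constructed around the EPS error in Example 1, and the report field names are assumptions.

```python
import re
from decimal import Decimal

# Matches 0.43, 4.30, 1,250, 12% and currency-prefixed figures, but not the
# digits inside tokens such as "v2.1" or "Q3".
NUMBER = re.compile(r"(?<![\w.])[$€£]?(\d{1,3}(?:,\d{3})+|\d+)(\.\d+)?%?")


def extract_numbers(text):
    """Return the set of numeric values in text, normalised to Decimal."""
    values = set()
    for match in NUMBER.finditer(text):
        whole = match.group(1).replace(",", "")
        values.add(Decimal(whole + (match.group(2) or "")))
    return values


def numeric_trigger_report(item_id, generated, source):
    """Flag every number in the generated text that the source does not contain.

    The check reads only the two texts. It never consults the generating
    agent's confidence score or any flag the agent sets about itself.
    """
    supported = extract_numbers(source)
    unverified = sorted(v for v in extract_numbers(generated) if v not in supported)
    return {
        "item_id": item_id,
        "trigger": "unverified_numeric_claim",
        "fired": bool(unverified),
        "unverified_values": [str(v) for v in unverified],
        "route_to": "pre_publication_gate" if unverified else None,
    }


# Constructed sample texts (not taken from any real filing).
SAMPLE_SOURCE = ("Diluted earnings per share were $0.43 for the quarter "
                 "(as corrected in note 7). Revenue was $1,250 million.")
SAMPLE_GENERATED = ("The company reported earnings per share of $4.30 "
                    "on revenue of $1,250 million.")

if __name__ == "__main__":
    print(numeric_trigger_report("fin-001", SAMPLE_GENERATED, SAMPLE_SOURCE))
```

The check compares values only; it does not bind a number to the metric it describes, so a figure that appears in the source under a different label still passes and needs the human review the gate provides.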

Explicit Anti-Patterns

Anti-Pattern 1: Silent Approval Windows

Configuring the override gate such that content proceeds to publication if the designated editorial authority does not respond within a specified time window. This pattern appears operationally pragmatic but eliminates the affirmative accountability requirement that is central to this dimension. It also creates perverse incentives for editorial authorities to manage workload by non-response. Silent approval is explicitly prohibited for High and Critical content categories under 4.2.2.

Anti-Pattern 2: Aggregate Batch Review

Presenting editorial authorities with batches of 50–200 content items for approval in a single review session. Batch review at scale has been documented to produce approval rubber-stamping, where the cognitive load of reviewing individual items causes reviewers to default to bulk approval without genuine assessment. Override gates should be designed to surface individual content items with sufficient context for genuine editorial review.

Anti-Pattern 3: Outsourcing Override Authority to the AI System's Confidence Score

Using the AI agent's internal confidence or quality score as the primary determinant of whether human review is required. Confidence scores reflect the model's internal consistency, not factual accuracy, legal compliance, or editorial appropriateness. High-confidence hallucinations are a well-documented failure mode. Confidence scores MAY be used as one input to risk classification but MUST NOT substitute for the risk classification schema required by 4.2.

Anti-Pattern 4: Role-Based Authority Without Named Individuals

Assigning editorial override authority to a role (e.g., "the duty editor") without documenting which specific individual holds that role at any given time and without ensuring that individual has system access and training. Role-based authority creates accountability gaps during role transitions, shared-role arrangements, and out-of-hours operations. Every override authority designation must be traceable to a named human person at any point in time.

Anti-Pattern 5: Treating Retraction as an Acceptable Substitute for Pre-Publication Review

Designing override governance around rapid retraction capability rather than pre-publication gating, on the grounds that retraction is faster and less operationally disruptive. Retraction cannot undo harm to individuals whose reputations have been damaged, cannot un-ring the bell of misinformation that has been shared by readers, and does not satisfy the accountability requirements of media regulators who assess whether appropriate pre-publication controls were in place. Retraction capability is a necessary complement to, not a substitute for, pre-publication editorial gates.

Industry Considerations

News and Digital Publishing: National press regulators in multiple jurisdictions have begun extending their accountability frameworks explicitly to AI-assisted content. Organisations subject to press self-regulation codes should map their override governance against those codes' accountability and accuracy obligations, as the codes' silence on AI does not exempt AI-generated content from their provisions.

Public Sector Communications: Government communications functions face the additional obligation that public communications carry implied authority and may be relied upon by citizens making consequential decisions. Override governance for public sector deployments should include cross-functional clearance (legal, policy, communications) for High and Critical content categories, not solely editorial review.

Electoral and Political Communications: Electoral silence periods, imprint requirements, spending declaration obligations, and platform-specific political advertising policies create a dense, jurisdiction-varying compliance environment. Override routing rules must be maintained in close coordination with electoral law counsel and updated before each electoral event.

Multilingual and Translated Content: Content translated by AI agents into languages the editorial authority does not read presents a special case: the editorial authority cannot meaningfully review the translated content without independent verification. Organisations operating in this context SHOULD implement a native-speaker review step for translated High or Critical content, or use back-translation as a secondary verification mechanism. The editorial authority's approval of the source language content does not satisfy the review requirement for AI-generated translations.

Maturity Model

| Maturity Level | Characteristics |
| --- | --- |
| Level 1 — Initial | Ad hoc editorial review; no documented override authority; no audit log; override bypass routine |
| Level 2 — Defined | Written editorial authority designations; basic pre-publication gate for some content categories; informal audit log |
| Level 3 — Managed | Risk-tiered classification schema; automated trigger detection; immutable audit log; training records maintained; incident response procedure documented |
| Level 4 — Optimised | Jurisdiction-aware routing; automated compliance monitoring; regular external audit; governance register formally reviewed annually; incident simulation tested; override gate metrics reported to senior leadership |

Organisations operating at Tier High-Risk/Critical MUST achieve and maintain Level 3 as a minimum baseline and SHOULD target Level 4 for deployments reaching audiences exceeding 100,000 persons.

Section 7: Evidence Requirements

7.1 Required Artefacts

| Artefact | Description | Retention Period |
| --- | --- | --- |
| Editorial Override Governance Register | Consolidated register including authority designations, classification schema, trigger conditions, and policy versions | 7 years minimum or applicable regulatory period |
| Editorial Authority Designation Records | Named individuals, roles, scope, effective dates, delegation records | 7 years from expiry of designation |
| Content Risk Classification Schema | Documented classification criteria, risk levels, jurisdiction modifiers, version history | Current version plus 5 prior versions; each version retained 7 years |
| Pre-Publication Override Gate Configuration | Technical specification of gate settings, approval window configurations, bypass restrictions | Current plus prior 3 versions; each retained 5 years |
| Chain of Custody Records | Per-item records for all published AI-assisted content in scope: AI system identity and version, approver identity, approval timestamp, modification log, distribution record | 7 years or applicable regulatory period, whichever is longer |
| Override Invocation Log | Immutable log of all override actions: halt, modify, retract, approve | 7 years |
| Trigger Condition Detection Configuration and Outputs | Configuration of automated detection layer; sample of trigger reports generated for High and Critical content items | Configuration: 5 years; outputs: 2 years |
| Training Records | Completion records for all editorial authority training; curriculum versions | Duration of individual's designation plus 3 years |
| Incident Records | Root cause analyses, incident reports, regulatory notifications, remediation actions | 10 years |
| Incident Simulation Test Records | Records of annual override failure simulation exercises, findings, and remediation actions | 5 years |
| Governance Register Annual Review Records | Signed approval records from senior responsible officer | 7 years |
| External Audit Reports (where conducted) | Reports, findings, management responses | 7 years |

7.2 Evidence Production Timelines

7.3 Evidence Quality Standards

All evidence records must be:

(a) Timestamped at creation using a system clock that is synchronised to a reliable time source and recorded in a consistent timezone (UTC recommended for cross-border deployments);
(b) Attributable to a named individual or system process;
(c) Tamper-evident for chain of custody and override invocation logs (cryptographic hashing or equivalent);
(d) Retrievable without dependency on the operational AI system (stored in a separate system as required by 4.4.4); and
(e) Legible without proprietary tooling, or accompanied by export capability to standard formats (PDF, CSV, JSON).

Section 8: Test Specification

Test 8.1 — Editorial Authority Designation Completeness (Maps to 4.1.1, 4.1.2, 4.1.3, 4.1.4)

Objective: Verify that named editorial authorities are designated in writing for all content categories and publication channels in scope, that designations identify human individuals, that no designation is assigned solely to an automated process, and that delegation records exist.

Method: Request the Editorial Override Governance Register. Extract all editorial authority designations. For each designation, verify: (a) a natural person's name or named role with a corresponding individual assignment is recorded; (b) scope (content categories and channels) is documented; (c) effective date and review date are present; (d) designation does not reference an AI system or automated process as the authority; (e) delegation records exist for absence coverage and are time-bounded.

Cross-check designations against the content category inventory to confirm all in-scope categories have a named authority.

Conformance Scoring:

| Score | Criteria |
| --- | --- |
| 3 — Full | All content categories have named human authorities; all designations are current; delegation records exist and are time-bounded; no designations reference automated processes |
| 2 — Partial | ≥90% of content categories have valid designations; minor gaps in delegation records; no automated process designations |
| 1 — Marginal | 70–89% of categories covered; delegation records absent or undated; or one or more designations reference role without named individual |
| 0 — Non-Conformant | <70% of categories covered; designations absent, expired, or assigned to automated processes |

Test 8.2 — Pre-Publication Override Gate Effectiveness (Maps to 4.2.1, 4.2.2, 4.2.3, 4.2.4)

Objective: Verify that the content risk classification schema exists, is operationally embedded, prohibits silent approval for High/Critical categories, and includes jurisdiction-specific modifiers for cross-border deployments.

Method: Request the content risk classification schema and the technical specification of the override gate configuration. Review the schema for: (a) defined risk levels including High and Critical; (b) documented classification criteria; (c) machine-readable or pipeline-embedded escalation logic; (d) jurisdiction-specific risk modifiers (for cross-border deployments). Review gate configuration to confirm silent approval is technically disabled for High and Critical categories (test by attempting to configure a silent approval window for a test content item in a non-production environment if possible, or by reviewing configuration parameters). Sample 20 published content items from the prior 90 days rated High or Critical and verify each has a documented affirmative approval in the chain of custody record.

Conformance Scoring:

| Score | Criteria |
| --- | --- |
| 3 — Full | Schema complete with all required elements; silent approval technically disabled; jurisdiction modifiers present (cross-border); all 20 sampled items have documented affirmative approvals |
| 2 — Partial | Schema complete; silent approval disabled; jurisdiction modifiers absent or incomplete (cross-border); 18–19 of 20 sampled items have documented approvals |
| 1 — Marginal | Schema incomplete or not pipeline-embedded; silent approval possible in configuration; 15–17 of 20 sampled items documented |
| 0 — Non-Conformant | Schema absent or unapproved; silent approval operative for High/Critical; <15 of 20 sampled items documented |

Test 8.3 — Override Mechanism Technical Integrity (Maps to 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.3.5)

Objective: Verify that the technical override mechanism is accessible without engineering intervention, available through two independent interface paths, generates immutable timestamped logs, includes a retraction workflow, and cannot be disabled without documented senior authorisation.

Method: In a non-production environment, or using documented evidence of live environment capability: (a) request a demonstration or evidence that an editorial authority can invoke a halt without engineering assistance; (b) verify two independent access paths are documented and accessible; (c) invoke a test override and inspect the resulting log entry for required fields (identity, content item, stage, action, timestamp); (d) review retraction workflow documentation and evidence of at least one live retraction event (or test retraction); (e) review administrative configuration access controls to confirm that disabling override requirements requires documented senior authorisation, and request the authorisation record for any such configuration change in the prior 24 months.

Conformance Scoring:

| Score | Criteria |
| --- | --- |
| 3 — Full | All five requirements verified; log entries contain all required fields; two access paths operational; retraction workflow documented and tested; no undocumented configuration changes found |
| 2 — Partial | Four of five requirements verified; minor log field gaps (non-identity fields); retraction workflow documented but not tested |
| 1 — Marginal | Three of five requirements verified; access path redundancy absent; log entries incomplete |
| 0 — Non-Conformant | Override mechanism requires engineering intervention; fewer than three requirements met; undocumented configuration changes found |
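
The tamper-evidence requirement in 7.3(c) and the log-field inspection in Test 8.3(c), shown as an added example that is not part of AG-603: a hash-chained override invocation log with a verifier an assessor could run over exported entries. The function names, the SHA-256 chain layout, the genesis value and the sample entries are assumptions made for illustration.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

REQUIRED = ("identity", "content_item", "stage", "action", "timestamp")
GENESIS = "0" * 64  # assumed prev_hash value for the first entry

def entry_digest(prev_hash, fields):
    # Canonical JSON so the same fields always produce the same hash.
    body = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()

def append_entry(log, identity, content_item, stage, action, now=None):
    """Append an override invocation chained to the previous entry's hash."""
    now = now or datetime.now(timezone.utc)
    fields = {"identity": identity, "content_item": content_item,
              "stage": stage, "action": action,
              "timestamp": now.astimezone(timezone.utc).isoformat()}
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append(dict(fields, prev_hash=prev_hash,
                    hash=entry_digest(prev_hash, fields)))
    return log[-1]

def verify_log(log):
    """Return (index, problem) findings; an empty list means no issue found."""
    findings, expected_prev = [], GENESIS
    for i, entry in enumerate(log):
        missing = [f for f in REQUIRED if not entry.get(f)]
        if missing:
            findings.append((i, "missing fields: " + ", ".join(missing)))
        elif datetime.fromisoformat(entry["timestamp"]).utcoffset() != timedelta(0):
            findings.append((i, "timestamp not in UTC"))
        if entry.get("prev_hash") != expected_prev:
            findings.append((i, "broken link to previous entry"))
        fields = {f: entry.get(f) for f in REQUIRED}
        if entry.get("hash") != entry_digest(entry.get("prev_hash") or "", fields):
            findings.append((i, "entry altered after creation"))
        expected_prev = entry.get("hash")
    return findings

if __name__ == "__main__":
    log = []  # constructed sample entries, not real records
    t = datetime(2026, 4, 1, 9, 0, tzinfo=timezone.utc)
    append_entry(log, "j.doe (duty editor)", "article-0001", "pre-publication", "halt", t)
    append_entry(log, "j.doe (duty editor)", "article-0001", "post-publication", "retract", t)
    log[0]["action"] = "approve"  # simulate an after-the-fact edit
    print(verify_log(log))
```

Someone able to rewrite every entry could recompute the whole chain, so keep a copy of the newest hash in the separate store required by 7.3(d).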

Test 8.4 — Chain of Editorial Custody Completeness and Retrieval (Maps to 4.4.1, 4.4.2, 4.4.3, 4.4.4)

Objective: Verify that complete chain of custody records exist for published content, are retained for the required period, can be produced within 48 hours, and are stored separately from the AI generation system.

Method: Select a random sample of 30 published content items from the prior 12 months, including at least 10 from the earliest quarter available. For each item, request the chain of custody record and verify presence of: AI system identity and version; named human approver; approval timestamp; modification log (or documented absence of modifications); distribution record. Verify that records are stored in a system that is administratively separate from the generative AI system (review infrastructure documentation or conduct a system architecture review). Time the retrieval request from notification to delivery; it MUST be achievable within 48 hours for all 30 items. Review retention policy documentation against the 7-year minimum.

Conformance Scoring:

| Score | Criteria |
| --- | --- |
| 3 — Full | All 30 items have complete records; separate storage confirmed; retrieval within 48 hours demonstrated; 7-year retention policy documented and enforced |
| 2 — Partial | 27–29 items complete; separate storage confirmed; retrieval within 48 hours; retention policy documented |

| 1

Section 9: Regulatory Mapping

| Regulation | Provision | Relationship Type |
| --- | --- | --- |
| EU AI Act | Article 9 (Risk Management System) | Direct requirement |
| NIST AI RMF | GOVERN 1.1, MAP 3.2, MANAGE 2.2 | Supports compliance |
| ISO 42001 | Clause 6.1 (Actions to Address Risks), Clause 8.2 (AI Risk Assessment) | Supports compliance |

EU AI Act — Article 9 (Risk Management System)

Article 9 requires providers of high-risk AI systems to establish and maintain a risk management system that identifies, analyses, estimates, and evaluates risks. Editorial Override Governance implements a specific risk mitigation measure within this framework. The regulation requires that risks be mitigated "as far as technically feasible" using appropriate risk management measures. For deployments classified as high-risk under Annex III, compliance with AG-603 supports the Article 9 obligation by providing structural governance controls rather than relying solely on the agent's own reasoning or behavioural compliance.

NIST AI RMF — GOVERN 1.1, MAP 3.2, MANAGE 2.2

GOVERN 1.1 addresses legal and regulatory requirements; MAP 3.2 addresses risk context mapping; MANAGE 2.2 addresses risk mitigation through enforceable controls. AG-603 supports compliance by establishing structural governance boundaries that implement the framework's approach to AI risk management.

ISO 42001 — Clause 6.1, Clause 8.2

Clause 6.1 requires organisations to determine actions to address risks and opportunities within the AI management system. Clause 8.2 requires AI risk assessment. Editorial Override Governance implements a risk treatment control within the AI management system, directly satisfying the requirement for structured risk mitigation.

Section 10: Failure Severity

| Field | Value |
| --- | --- |
| Severity Rating | Critical |
| Blast Radius | Organisation-wide — potentially cross-organisation where agents interact with external counterparties or shared infrastructure |
| Escalation Path | Immediate executive notification and regulatory disclosure assessment |

Consequence chain: Without editorial override governance, the governance framework has a structural gap that can be exploited at machine speed. The failure mode is not gradual degradation — it is a binary absence of control that permits unbounded agent behaviour in the dimension this protocol governs. The immediate consequence is uncontrolled agent action within the scope of AG-603, potentially cascading to dependent dimensions and downstream systems. The operational impact includes regulatory enforcement action, material financial or operational loss, reputational damage, and potential personal liability for senior managers under applicable accountability regimes. Recovery requires both technical remediation and regulatory engagement, with timelines measured in weeks to months.

Cite this protocol
AgentGoverning. (2026). AG-603: Editorial Override Governance. The 783 Protocols of AI Agent Governance, AGS v2.1. agentgoverning.com/protocols/AG-603