If your approvers say yes 97% of the time in under 20 seconds, you don't have human oversight — you have a ritual. Kynara risk-scores every approval and flags the reviewers who've stopped reviewing.
Every agent platform can pause for a human. Almost none asks whether the human is still paying attention. The OWASP AI Exchange #OVERSIGHT control lists approval fatigue — "humans overwhelmed by approval requests, especially if the large majority are okay" — as a principal limitation of human oversight. The EU AI Act (Art. 14) requires oversight to be effective, not just present.
| Signal | Trigger | What it means |
|---|---|---|
| Rubber-stamp risk | ≥95% approval rate at ≥20 reviews | Reviews are likely not meaningful; tighten auto-allow policies so fewer, riskier requests reach humans. |
| Speed risk | Median review under 30 seconds | Decisions faster than the request can be read. |
| Overloaded | ≥100 reviews/week per approver | Unsustainable volume — add approvers or raise thresholds. |
| High-risk fast-approved | High-risk request approved < 60s | The exact case oversight exists for, waved through. |
Every approval request carries a deterministic risk score — monetary size, tainted
(untrusted-input) context, high-risk namespaces like payments or infra,
bulk markers — so reviewers see high-risk requests first and low-risk noise can be
eliminated at the policy layer, where it belongs. Same request, same score: explainable to an auditor
line by line, because no LLM is involved in scoring.
Free plan: 3 seats, 10k decisions/month.