01 The principle
Every automated tier and score produced by the ConnectGRC assessment can be challenged, reviewed, and overridden by a human. Candidates keep ultimate control over how — and whether — to share their result. Employers that deploy ConnectGRC outputs inside a hiring flow must implement the same review path on their side.
02 Rescore — the first line of appeal
The simplest oversight mechanism is built into the product. Any completed assessment whose scoring failed to land (completed AND scored_at IS NULL) surfaces a Run scoring button to its owner and to admins. The button re-runs the full LLM-judge + synthesis pass against the stored transcript, idempotently overwrites the tier, and audit-logs the action.
Candidates can trigger a rescore from their own results page; admins can trigger one from the /admin/assessments/[id] detail view. Both surfaces hit the same Route Handler (/api/score-assessment) under the same idempotency guard.
03 Manual review by a qualified reviewer
If the rescore returns the same tier and the candidate still believes the result is wrong, they can request a manual review. The review process is:
- Candidate contacts us via the contact page and marks the message "Assessment review" with the assessment ID from their results URL.
- A qualified GRC reviewer (named in our internal RACI; minimum five years of GRC practice) reads the full transcript, the judge feedback, and the candidate's written context.
- The reviewer either (a) confirms the tier, (b) issues a manual-override tier with written rationale stored in tier_overrides, or (c) marks the run as inconclusive and offers a free retake outside the normal cooldown.
- Outcome is communicated to the candidate within ten working days of the request.
04 Override audit trail
Every human override is written to the tier_overrides table with: assessment id, original tier, new tier, reviewer id, reason, timestamp. The candidate's results page surfaces the override prominently — "Tier adjusted by a human reviewer" — so downstream consumers (LinkedIn share, employers) see the adjusted value alongside the original. We do not silently rewrite history.
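A sketch of an append-only override trail of the kind described above, as an added example rather than ConnectGRC's own code. It assumes SQLite; the column names, tier values and function names are constructed from the fields this section lists.

```python
import sqlite3

# Assumed schema: column names are illustrative, derived from the fields listed above.
SCHEMA = """
CREATE TABLE assessments (id TEXT PRIMARY KEY, tier TEXT NOT NULL);
CREATE TABLE tier_overrides (
  id INTEGER PRIMARY KEY AUTOINCREMENT,
  assessment_id TEXT NOT NULL REFERENCES assessments(id),
  original_tier TEXT NOT NULL,
  new_tier TEXT NOT NULL,
  reviewer_id TEXT NOT NULL,
  reason TEXT NOT NULL CHECK (length(trim(reason)) > 0),
  created_at TEXT NOT NULL DEFAULT CURRENT_TIMESTAMP
);
-- Append-only: an override row cannot be edited or deleted once written.
CREATE TRIGGER tier_overrides_no_update BEFORE UPDATE ON tier_overrides
BEGIN SELECT RAISE(ABORT, 'tier_overrides is append-only'); END;
CREATE TRIGGER tier_overrides_no_delete BEFORE DELETE ON tier_overrides
BEGIN SELECT RAISE(ABORT, 'tier_overrides is append-only'); END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record_override(db, assessment_id, new_tier, reviewer_id, reason):
    """Insert an override row; the automated tier in assessments is never modified."""
    row = db.execute("SELECT tier FROM assessments WHERE id = ?", (assessment_id,)).fetchone()
    if row is None:
        raise KeyError(assessment_id)
    with db:  # commit on success, roll back if a constraint rejects the row
        db.execute(
            "INSERT INTO tier_overrides (assessment_id, original_tier, new_tier, reviewer_id, reason)"
            " VALUES (?, ?, ?, ?, ?)",
            (assessment_id, row[0], new_tier, reviewer_id, reason))

def displayed_tier(db, assessment_id):
    """Return the original tier plus the latest override, if any, for display."""
    original = db.execute("SELECT tier FROM assessments WHERE id = ?", (assessment_id,)).fetchone()[0]
    latest = db.execute(
        "SELECT new_tier, reviewer_id, reason FROM tier_overrides"
        " WHERE assessment_id = ? ORDER BY id DESC LIMIT 1", (assessment_id,)).fetchone()
    if latest is None:
        return {"tier": original, "original_tier": original, "adjusted": False}
    return {"tier": latest[0], "original_tier": original, "adjusted": True,
            "reviewer_id": latest[1], "reason": latest[2]}
```

The triggers only stop changes made through SQL; an account that can drop the triggers or the table can still alter history, so the application role should hold INSERT and SELECT rights on the override table and nothing more.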
05 For employer deployments
If you are an employer planning to use ConnectGRC outputs inside your hiring flow, EU AI Act Article 26 obligations apply to you as the deployer. At minimum:
- Display the candidate's tier alongside a clear note that the value is AI-generated and may be appealed.
- Never make a final hiring decision on the tier alone — keep at least one human in the loop for every candidate.
- Document your override path internally and provide it to the candidate on request.
- Carry out your own fundamental-rights impact assessment under Article 27 if you fall within scope.
Reach out to discuss the deployment review before going live — contact us via the link above and mark the message "Employer deployment."
06 Escalation paths
If you are not satisfied with the outcome of a manual review:
- Internal — request a senior reviewer (CTO or Head of GRC at ConnectGRC). Response within five working days.
- Regulatory — complain to your local data-protection or AI-Act supervisory authority. EU/UK residents may complain to the ICO, CNIL, or the equivalent national regulator.
- Right to human review under GDPR Article 22 — you can request that any decision based on the assessment be reviewed by a human, regardless of whether you went through our manual-review process first.
07 Change log
- v1.0.0 (May 2026) — initial publication. Built-in rescore + manual-review + audit-table machinery as documented above.