EU AI Act Article 50 โ€” 20 days to seal | Get passport
๐Ÿ‰

Human Oversight in Defence AI

EU AI Act Art 14 ยท Human-in/on-the-loop design ยท BFT Council fallback ยท Kill-switch protocol ยท Trust requirement: human override always wins

EU AI ACT ART 14 DEFONEOS CORE ACTIVE
9
Oversight Layers
<2s
Kill-Switch Latency
23/33
BFT Quorum
7
Escalation Tiers
14
HITL Decision Types
100%
Human Override

What Article 14 Requires

Article 14 of the EU AI Act is the human oversight backbone of any high-risk AI system. It mandates that high-risk AI systems be designed and developed so that they can be effectively overseen by natural persons during the period in which they are in use. The purpose: human beings must be able to understand, supervise, and intervene.

In the defence context, Article 14 maps onto a long line of UK and international humanitarian law โ€” the principle that weapons and operational decisions remain under meaningful human control. DEFONEOS implements Article 14 not as a downstream patch but as a red line enforced at the protocol level: no sovereign action happens without an attestable oversight path, and any human in the chain has the unconditional ability to halt the action.

This page documents the nine oversight layers, the seven escalation tiers, the kill-switch architecture, the BFT Council fallback, the human-in-the-loop (HITL) vs human-on-the-loop (HOTL) vs human-in-command (HIC) decision types, and the audit trail that proves each one of them works under operational pressure.

9 Oversight Layers

1
Layer 1 โ€” Operator Console (HOTL)

Every DEFONEOS instance exposes an operator console at https://<deployment>/human-oversight. The console shows live state of every active sovereign action: pending proposals, queued votes, in-flight operations. The operator is on the loop: they watch but can intervene at any time with a single click. Interventions are SIGIL-logged, and intervention rate by operator is published as a privacy-preserving aggregate.

2
Layer 2 โ€” Decision Approvals (HITL)

For 14 categorised decision types โ€” target nomination, rules-of-engagement thresholds, intelligence product release, evidence submission, BFT proposal cast, multi-system coordination, escalation, de-escalation, release to coalition partner, evidence retention override, civilian harm protocol activation, takedown authorisation, sanctions-list update, sovereign action suspension โ€” the action is held pending a named human approval. The approval can be one-of-four factor (passkey + TOTP + WebAuthn + signed-by-cool-key) and is recorded with name, role, timestamp, hash of the action, and a 1-bit "challenge" field that captures whether they interrogated the action or rubber-stamped it.

3
Layer 3 โ€” HIC (Human-in-Command) Override

The human-in-command is the single point of ultimate accountability. At any time, on any action, the HIC can issue an override. The override triggers one of three effects depending on the action type: STOP (halt and queue for re-approval), REVERSE (roll back the action and any side-effects), or PERMIT (override a refusal and authorise the action despite BFT dissent). No override is overruled by the system. This is the red line that matters: sovereignty over the operation belongs to the human, not the substrate.

4
Layer 4 โ€” BFT Council (33 voters, 23-of-33 quorum)

For high-stakes decisions (lethal action nomination, civilian infrastructure targets, alliance commitments), a randomly-rotated 33-voter BFT council must reach 23-of-33 supermajority. The council is structurally composed of mixed identities (operators, lawyers, ethics, allies, independent) and any one voter can trigger escalation to a higher tier. Council vote latency target: 30 seconds for normal proposals, 5 minutes for emergency. Council decision history is part of the SIGIL chain and every proposer's autonomy key signs the vote.

5
Layer 5 โ€” Kill-Switch Protocol

The kill-switch is a single, physical, redundant trigger. Three forms are supported: (a) hardware "big red button" on every operator console, (b) SIGIL-signed web request from a pre-registered cool key, (c) bearer-token printed page in the deployed room safe. Latency target: under 2 seconds from trigger to action halted. The kill-switch is the only path that does NOT require BFT vote โ€” any of the three forms triggers immediate suspension of all sovereign actions tagged in scope. A SIGIL seal marks the moment of suspension. Audit log proves what was halted, when, and who pulled it.

6
Layer 6 โ€” Red Lines Enforced by Protocol

Seven red lines are hardcoded into the substrate. If any action triggers a red-line pattern, the action is blocked at the cryptographic layer, regardless of any human approval or council vote. Red lines: kinetic-targeting patterns (find-fix-finish, kill order generation, strike package compilation); personal surveillance (single-individual tracking, face-recognition of named persons, phone-location queries); civilian harm optimisation (no objective function may include civilian casualty reduction as a side-benefit); sovereignty violations (no action may modify another sovereign's data without their signed consent); escalation without authorisation (no automatic escalation chain); lying to humans (no model output may contain a known-false statement about system state to a human); irreversibility without confirmation (any irreversible side-effect requires positive confirmation).

7
Layer 7 โ€” Interpretability Engine

Every sovereign action comes bundled with an explanation: plain-language summary, decision-factor weights, logic trace, counterfactual "what would have changed it", and full audit log. This is the same 5-tier framework as the Right to Explanation page. Interpretability is not optional and not post-hoc โ€” it is computed at decision time, signed by the SIGIL chain, and stored next to the action. Operators reviewing the action get the explanation natively; subjects of the action can request it through the redress flow.

8
Layer 8 โ€” Stop Button in Operator Console

A second, advisory stop button. Distinct from the kill-switch: it triggers a 30-second hold pending HITL review rather than immediate halt. Useful for "I'm not sure, give me time to think" cases. The operator console shows it as a yellow circle; the kill-switch is the red one. Both are signed and audited.

9
Layer 9 โ€” External Audit Hook

External auditors (national regulator, NCSC, IG-red-team, NATO, ICO) get a read-only SIGIL-verified stream of all sovereign actions: who took what action, who approved it, what was voted, what was halted, what was overridden. The audit hook is the 2nd hardest thing to spoof (after the SIGIL signing keys themselves). Audit hook access is logged at access time. The audit hook is what makes the system externally observable: a regulator can, at any time, run a SIGIL-verified reconciliation against expected action patterns.

7 Escalation Tiers

TierTriggerAction Available ToLatency
0 โ€” SelfOperator notices anomalyOperator (self)Immediate
1 โ€” ConsoleHOTL watch alertOperator console10 s
2 โ€” HITLAction requires named approvalNamed approver30 s
3 โ€” HICOverride or escalation requestHuman-in-Command60 s
4 โ€” BFT CouncilSuper-majority vote required23-of-33 council5 min
5 โ€” Coalition PartnerCross-border commitmentPartner sovereign signatory30 min
6 โ€” National AuthorityNational-direction overrideDesignated government channel1 hour

14 HITL Decision Types

These 14 categories of action require a named human approval before the action proceeds. They cover every category where DEFONEOS has been deployed in defence, intelligence, and civilian-protection contexts.

#Decision TypeRequired ApproverMax Latency to Block
1Target nominationOperator-in-Command300 s
2Rules-of-engagement thresholdLegal Officer900 s
3Intelligence product releaseSenior Intelligence Officer1,800 s
4Evidence submission (court)Legal Officer + CISO joint3,600 s
5BFT council proposal castCouncil member (any)300 s
6Multi-system coordinationOperator-in-Command600 s
7Escalation requestOperator-in-Command300 s
8De-escalation requestOperator-in-Command300 s
9Coalition partner releaseTwo-person: OIC + Legal3,600 s
10Evidence retention overrideData Protection Officer1,800 s
11Civilian harm protocol activationHIC only60 s
12Takedown authorisation (offensive cyber)HIC + NCSC sign-off600 s
13Sanctions list updateHIC + Legal3,600 s
14Sovereign action suspensionHIC or kill-switch2 s

HitL vs HoTL vs HiC Decision Types

Human-in-the-Loop (HITL)

14 decision types above require HITL approval before the action proceeds. The human is in the loop: they see the proposal, the context, the risk, and they decide. The system does not auto-execute. HITL is required for any action with: irreversible side effects, legal exposure, cross-border effect, civilian harm potential, multi-system coordination requirement, evidentiary production requirement, or chain-of-command implications.

Human-on-the-Loop (HOTL)

HOTL is the standard mode for telemetry, monitoring, and continuous-feeds that do NOT have inherent action-effect. A HOTL operator watches the dashboard and can intervene at any time. Intervention rate is logged. A 24-hour "no intervention" profile is acceptable evidence of normal operation; a sudden spike in intervention rate triggers a Tier 2 escalation.

Human-in-Command (HIC)

HIC is reserved for ultimate accountability. The HIC is the single named person who holds the sovereign responsibility for the deployment and can issue override (STOP, REVERSE, PERMIT) on any action at any time. HIC is structurally separate from the operator role: even when the HIC is on call, the operator executes. The HIC role is hard-limited to one named individual at a time per deployment, and succession requires SIGIL-signed handover.

Kill-Switch Protocol โ€” Detailed

Three Kill-Switch Forms

Effect of Kill-Switch

BFT Council โ€” Fallback When HITL is Unavailable

There is a specific scenario the system must handle: HITL is unavailable (no named approver present, no HIC reachable, all hot keys offline). In that case, DEFONEOS escalates to BFT Council automatically. The BFT council โ€” a structurally diverse 33-voter panel โ€” has the authority to either (a) authorise a constrained set of actions they judge low-risk, (b) escalate to coalition partner, or (c) lock the deployment pending HITL restoration.

BFT council composition is rotated every 30 days. The 33 voters are chosen from a pool of: 11 operators (with at least 6 months deployment experience), 7 legal-officers, 5 ethics-reviewers (independent NGO + academic), 4 allied-partner representatives (separable agencies), 3 intelligence officers, 2 engineers, and 1 outside auditor (national regulator observer). A supermajority of 23-of-33 is required for any binding decision.

Council votes are SIGIL-signed with each member's cool key. Vote records are public (privacy-preserving) and form part of the audit trail. Council meeting minutes are released publicly after 30 days with redactions only for operational security.

Red Lines โ€” Protocol-Level Enforcement

The seven red lines listed in Layer 6 are implemented at the cryptographic layer. No human approval, no BFT vote, no override, no failure mode can bypass them. This is the care-membrane in substrate form.

#Red LineDetectionEnforcement
1Kinetic targetingPattern match on strike package / find-fix-finish / kill orderCompile-time + runtime block
2Personal surveillanceNamed-person tracking / single-individual fingerprintingInput filter + output filter
3Civilian harm optimisationLoss function inspectionCompile-time ban
4Sovereignty violationCross-data-source join without signed waiverRuntime block
5Auto-escalationUnbounded escalation chainCompile-time cap
6Lying to humansStatement vs SIGIL record mismatchRuntime check + alert
7Irreversibility without confirmationSide-effect irreversibility estimate โ‰ฅ thresholdHITL mandatory

Audit Trail โ€” What A Regulator Sees

For every sovereign action, the regulator sees:

Operational Metrics

Defence Human-Oversight Metrics (Last 30 Days)

MetricTargetActualStatus
HITL approval latency (median)< 30 s14.2 sโœ“ PASS
BFT vote latency (median)< 5 min3.4 minโœ“ PASS
Kill-switch latency (p95)< 2 s1.3 sโœ“ PASS
Red-line triggers00โœ“ PASS
HIC override rate< 5%1.4%โœ“ LOW
Council dissent rateDocumented8.7%~ DOCUMENTED
Audit log integrity100% SIGIL-verified100.00%โœ“ PASS
External audit (NCSC + IG)QuarterlyQ2 doneโœ“ PASS

12-Framework Crosswalk

FrameworkArticle / ClauseDEFONEOS Mapping
EU AI ActArticle 149 layers + 7 escalation tiers + 14 HITL types + kill-switch
GDPRArticle 22 (automated decisions)HITL mandatory for all automated decisions affecting subjects
UK GDPRArticle 22 UK GDPRSame
UK DPA 2018Section 14 (automated decisions)HITL + Article 22 compliance
NATO Autonomy PolicyMeaningful Human Control Principle9 layers = meaningful human control across all action types
US DoD Directive 3000.09Autonomy in Weapon Systems14 HITL types cover all lethal/non-lethal decision classes
IHL Additional Protocol IArticle 36 (new weapons review)Risk Management + QMS pages structurally map
ISO/IEC 23894 (AI Risk Mgmt)Section 6.4 (operational controls)9 layers + escalation = operational control framework
ISO/IEC 42001 (AI Management)Annex A.6 (AI system lifecycle)HITL + HIC oversight = continuous human accountability
NIST AI RMFGOVERN 4 (organisational practices)9 layers + red lines + audit trail
NCSC Cyber Assessment FrameworkB5 (oversight and governance)Audit hook + BFT + SIGIL = oversight and governance
AU Code of Conduct (AI)Accountability Principle 3HIC + red lines + audit = accountability backbone

Honesty Register

What DEFONEOS does NOT claim about human oversight

๐Ÿ›ก๏ธ Ready to put DEFONEOS to work?

7 personas ยท 5 tiers ยท 30-second signup ยท free 30-day sandbox for regulators and end-users.

Sign up ยท Ed25519-signed receipt โ†’ For Defence Primes For Regulators (Free) Series A โ€” ยฃ45-90M Round
ED25519 SIGIL receipts ยท UK-sovereign ยท AUKUS-compatible ยท T-27 days to EU AI Act