Article 14 of the EU AI Act is the human oversight backbone of any high-risk AI system. It mandates that high-risk AI systems be designed and developed so that they can be effectively overseen by natural persons during the period in which they are in use. The purpose: human beings must be able to understand, supervise, and intervene.
In the defence context, Article 14 maps onto a long line of UK and international humanitarian law โ the principle that weapons and operational decisions remain under meaningful human control. DEFONEOS implements Article 14 not as a downstream patch but as a red line enforced at the protocol level: no sovereign action happens without an attestable oversight path, and any human in the chain has the unconditional ability to halt the action.
This page documents the nine oversight layers, the seven escalation tiers, the kill-switch architecture, the BFT Council fallback, the human-in-the-loop (HITL) vs human-on-the-loop (HOTL) vs human-in-command (HIC) decision types, and the audit trail that proves each one of them works under operational pressure.
Every DEFONEOS instance exposes an operator console at https://<deployment>/human-oversight. The console shows live state of every active sovereign action: pending proposals, queued votes, in-flight operations. The operator is on the loop: they watch but can intervene at any time with a single click. Interventions are SIGIL-logged, and intervention rate by operator is published as a privacy-preserving aggregate.
For 14 categorised decision types โ target nomination, rules-of-engagement thresholds, intelligence product release, evidence submission, BFT proposal cast, multi-system coordination, escalation, de-escalation, release to coalition partner, evidence retention override, civilian harm protocol activation, takedown authorisation, sanctions-list update, sovereign action suspension โ the action is held pending a named human approval. The approval can be one-of-four factor (passkey + TOTP + WebAuthn + signed-by-cool-key) and is recorded with name, role, timestamp, hash of the action, and a 1-bit "challenge" field that captures whether they interrogated the action or rubber-stamped it.
The human-in-command is the single point of ultimate accountability. At any time, on any action, the HIC can issue an override. The override triggers one of three effects depending on the action type: STOP (halt and queue for re-approval), REVERSE (roll back the action and any side-effects), or PERMIT (override a refusal and authorise the action despite BFT dissent). No override is overruled by the system. This is the red line that matters: sovereignty over the operation belongs to the human, not the substrate.
For high-stakes decisions (lethal action nomination, civilian infrastructure targets, alliance commitments), a randomly-rotated 33-voter BFT council must reach 23-of-33 supermajority. The council is structurally composed of mixed identities (operators, lawyers, ethics, allies, independent) and any one voter can trigger escalation to a higher tier. Council vote latency target: 30 seconds for normal proposals, 5 minutes for emergency. Council decision history is part of the SIGIL chain and every proposer's autonomy key signs the vote.
The kill-switch is a single, physical, redundant trigger. Three forms are supported: (a) hardware "big red button" on every operator console, (b) SIGIL-signed web request from a pre-registered cool key, (c) bearer-token printed page in the deployed room safe. Latency target: under 2 seconds from trigger to action halted. The kill-switch is the only path that does NOT require BFT vote โ any of the three forms triggers immediate suspension of all sovereign actions tagged in scope. A SIGIL seal marks the moment of suspension. Audit log proves what was halted, when, and who pulled it.
Seven red lines are hardcoded into the substrate. If any action triggers a red-line pattern, the action is blocked at the cryptographic layer, regardless of any human approval or council vote. Red lines: kinetic-targeting patterns (find-fix-finish, kill order generation, strike package compilation); personal surveillance (single-individual tracking, face-recognition of named persons, phone-location queries); civilian harm optimisation (no objective function may include civilian casualty reduction as a side-benefit); sovereignty violations (no action may modify another sovereign's data without their signed consent); escalation without authorisation (no automatic escalation chain); lying to humans (no model output may contain a known-false statement about system state to a human); irreversibility without confirmation (any irreversible side-effect requires positive confirmation).
Every sovereign action comes bundled with an explanation: plain-language summary, decision-factor weights, logic trace, counterfactual "what would have changed it", and full audit log. This is the same 5-tier framework as the Right to Explanation page. Interpretability is not optional and not post-hoc โ it is computed at decision time, signed by the SIGIL chain, and stored next to the action. Operators reviewing the action get the explanation natively; subjects of the action can request it through the redress flow.
A second, advisory stop button. Distinct from the kill-switch: it triggers a 30-second hold pending HITL review rather than immediate halt. Useful for "I'm not sure, give me time to think" cases. The operator console shows it as a yellow circle; the kill-switch is the red one. Both are signed and audited.
External auditors (national regulator, NCSC, IG-red-team, NATO, ICO) get a read-only SIGIL-verified stream of all sovereign actions: who took what action, who approved it, what was voted, what was halted, what was overridden. The audit hook is the 2nd hardest thing to spoof (after the SIGIL signing keys themselves). Audit hook access is logged at access time. The audit hook is what makes the system externally observable: a regulator can, at any time, run a SIGIL-verified reconciliation against expected action patterns.
| Tier | Trigger | Action Available To | Latency |
|---|---|---|---|
| 0 โ Self | Operator notices anomaly | Operator (self) | Immediate |
| 1 โ Console | HOTL watch alert | Operator console | 10 s |
| 2 โ HITL | Action requires named approval | Named approver | 30 s |
| 3 โ HIC | Override or escalation request | Human-in-Command | 60 s |
| 4 โ BFT Council | Super-majority vote required | 23-of-33 council | 5 min |
| 5 โ Coalition Partner | Cross-border commitment | Partner sovereign signatory | 30 min |
| 6 โ National Authority | National-direction override | Designated government channel | 1 hour |
These 14 categories of action require a named human approval before the action proceeds. They cover every category where DEFONEOS has been deployed in defence, intelligence, and civilian-protection contexts.
| # | Decision Type | Required Approver | Max Latency to Block |
|---|---|---|---|
| 1 | Target nomination | Operator-in-Command | 300 s |
| 2 | Rules-of-engagement threshold | Legal Officer | 900 s |
| 3 | Intelligence product release | Senior Intelligence Officer | 1,800 s |
| 4 | Evidence submission (court) | Legal Officer + CISO joint | 3,600 s |
| 5 | BFT council proposal cast | Council member (any) | 300 s |
| 6 | Multi-system coordination | Operator-in-Command | 600 s |
| 7 | Escalation request | Operator-in-Command | 300 s |
| 8 | De-escalation request | Operator-in-Command | 300 s |
| 9 | Coalition partner release | Two-person: OIC + Legal | 3,600 s |
| 10 | Evidence retention override | Data Protection Officer | 1,800 s |
| 11 | Civilian harm protocol activation | HIC only | 60 s |
| 12 | Takedown authorisation (offensive cyber) | HIC + NCSC sign-off | 600 s |
| 13 | Sanctions list update | HIC + Legal | 3,600 s |
| 14 | Sovereign action suspension | HIC or kill-switch | 2 s |
14 decision types above require HITL approval before the action proceeds. The human is in the loop: they see the proposal, the context, the risk, and they decide. The system does not auto-execute. HITL is required for any action with: irreversible side effects, legal exposure, cross-border effect, civilian harm potential, multi-system coordination requirement, evidentiary production requirement, or chain-of-command implications.
HOTL is the standard mode for telemetry, monitoring, and continuous-feeds that do NOT have inherent action-effect. A HOTL operator watches the dashboard and can intervene at any time. Intervention rate is logged. A 24-hour "no intervention" profile is acceptable evidence of normal operation; a sudden spike in intervention rate triggers a Tier 2 escalation.
HIC is reserved for ultimate accountability. The HIC is the single named person who holds the sovereign responsibility for the deployment and can issue override (STOP, REVERSE, PERMIT) on any action at any time. HIC is structurally separate from the operator role: even when the HIC is on call, the operator executes. The HIC role is hard-limited to one named individual at a time per deployment, and succession requires SIGIL-signed handover.
There is a specific scenario the system must handle: HITL is unavailable (no named approver present, no HIC reachable, all hot keys offline). In that case, DEFONEOS escalates to BFT Council automatically. The BFT council โ a structurally diverse 33-voter panel โ has the authority to either (a) authorise a constrained set of actions they judge low-risk, (b) escalate to coalition partner, or (c) lock the deployment pending HITL restoration.
BFT council composition is rotated every 30 days. The 33 voters are chosen from a pool of: 11 operators (with at least 6 months deployment experience), 7 legal-officers, 5 ethics-reviewers (independent NGO + academic), 4 allied-partner representatives (separable agencies), 3 intelligence officers, 2 engineers, and 1 outside auditor (national regulator observer). A supermajority of 23-of-33 is required for any binding decision.
Council votes are SIGIL-signed with each member's cool key. Vote records are public (privacy-preserving) and form part of the audit trail. Council meeting minutes are released publicly after 30 days with redactions only for operational security.
The seven red lines listed in Layer 6 are implemented at the cryptographic layer. No human approval, no BFT vote, no override, no failure mode can bypass them. This is the care-membrane in substrate form.
| # | Red Line | Detection | Enforcement |
|---|---|---|---|
| 1 | Kinetic targeting | Pattern match on strike package / find-fix-finish / kill order | Compile-time + runtime block |
| 2 | Personal surveillance | Named-person tracking / single-individual fingerprinting | Input filter + output filter |
| 3 | Civilian harm optimisation | Loss function inspection | Compile-time ban |
| 4 | Sovereignty violation | Cross-data-source join without signed waiver | Runtime block |
| 5 | Auto-escalation | Unbounded escalation chain | Compile-time cap |
| 6 | Lying to humans | Statement vs SIGIL record mismatch | Runtime check + alert |
| 7 | Irreversibility without confirmation | Side-effect irreversibility estimate โฅ threshold | HITL mandatory |
For every sovereign action, the regulator sees:
| Metric | Target | Actual | Status |
|---|---|---|---|
| HITL approval latency (median) | < 30 s | 14.2 s | โ PASS |
| BFT vote latency (median) | < 5 min | 3.4 min | โ PASS |
| Kill-switch latency (p95) | < 2 s | 1.3 s | โ PASS |
| Red-line triggers | 0 | 0 | โ PASS |
| HIC override rate | < 5% | 1.4% | โ LOW |
| Council dissent rate | Documented | 8.7% | ~ DOCUMENTED |
| Audit log integrity | 100% SIGIL-verified | 100.00% | โ PASS |
| External audit (NCSC + IG) | Quarterly | Q2 done | โ PASS |
| Framework | Article / Clause | DEFONEOS Mapping |
|---|---|---|
| EU AI Act | Article 14 | 9 layers + 7 escalation tiers + 14 HITL types + kill-switch |
| GDPR | Article 22 (automated decisions) | HITL mandatory for all automated decisions affecting subjects |
| UK GDPR | Article 22 UK GDPR | Same |
| UK DPA 2018 | Section 14 (automated decisions) | HITL + Article 22 compliance |
| NATO Autonomy Policy | Meaningful Human Control Principle | 9 layers = meaningful human control across all action types |
| US DoD Directive 3000.09 | Autonomy in Weapon Systems | 14 HITL types cover all lethal/non-lethal decision classes |
| IHL Additional Protocol I | Article 36 (new weapons review) | Risk Management + QMS pages structurally map |
| ISO/IEC 23894 (AI Risk Mgmt) | Section 6.4 (operational controls) | 9 layers + escalation = operational control framework |
| ISO/IEC 42001 (AI Management) | Annex A.6 (AI system lifecycle) | HITL + HIC oversight = continuous human accountability |
| NIST AI RMF | GOVERN 4 (organisational practices) | 9 layers + red lines + audit trail |
| NCSC Cyber Assessment Framework | B5 (oversight and governance) | Audit hook + BFT + SIGIL = oversight and governance |
| AU Code of Conduct (AI) | Accountability Principle 3 | HIC + red lines + audit = accountability backbone |
7 personas ยท 5 tiers ยท 30-second signup ยท free 30-day sandbox for regulators and end-users.
Sign up ยท Ed25519-signed receipt โ For Defence Primes For Regulators (Free) Series A โ ยฃ45-90M Round