Most agentic-workflow rollouts in regulated industries fail at the same step: the team builds a working agent, then realises the compliance team needs human-in-the-loop, then bolts on a single review gate, then watches the gate become a queue, then the agent program stalls. The failure is not technical. It is governance design.
The framework below specifies four gate types, a role-mapping convention, escalation paths with SLA defaults, and an audit-trail schema. It is the artifact we ship to financial-services, healthcare, and legal clients on day one of an agentic engagement, and it is what the compliance teams sign off against.
- 01 One gate type does not fit every workflow point — there are four. Advisory (logged, no block). Validating (signed off, allows continuation). Blocking (must pass; halts on fail). Escalating (routes to higher authority on flag). Most workflows use 2-3 of the four; using one type for everything is what produces gate-as-queue failure modes.
- 02 Map gates to a RACI on the underlying workflow before building. If the gate's responsible/accountable role is the same as the workflow's responsible/accountable role, the gate adds no oversight value. The mapping forces the design conversation before the engineering work; it is cheaper to redesign on paper than in code.
- 03 Escalation SLAs of 15 min, 4 hrs, 24 hrs are the practical defaults. Below 15 min, reviewer fatigue dominates and gate quality drops. Above 24 hrs, the workflow throughput dies. The three-tier SLA (15 min for real-time gates, 4 hrs for batch gates, 24 hrs for complex review gates) is the band most regulated teams converge on.
- 04 The audit-trail schema is what compliance teams actually want — gate state, reviewer, decision, comment, agent state diff. Without the agent state diff, the audit trail is non-actionable; auditors cannot see what the gate was reviewing. Including the state diff in the trail is what turns the gate from a checkbox into a defensible compliance artifact.
- 05 NIST AI RMF, ISO 42001, and EU AI Act all map cleanly into this framework. The gate types correspond to specific compliance controls; the audit-trail schema satisfies the documentation requirements; the escalation paths satisfy human-oversight clauses. The crosswalk table in section 6 shows the mapping per regulation.
01 — Context
Why governance now.
By April 2026, three regulatory regimes are simultaneously shipping requirements that touch agentic workflows: the EU AI Act's high-risk-system clauses, ISO 42001 certification requirements, and the NIST AI Risk Management Framework. Each requires demonstrable human oversight; each defines "human oversight" differently; none of them prescribes the implementation.
The result: every regulated-industry team is building gate architecture from scratch. Most of them learn the failure modes the slow way — by shipping a single review gate, watching it become a queue, and starting over.
"Compliance signed off on our gate design. Six weeks later it was a 4-day queue and the AE team was in revolt. We tore it out and rebuilt with four gate types."
— VP of Operations, financial-services SaaS, March 2026
02 — Gate types
Four gate types.
Advisory — logged, never blocks
lowest friction · highest scale
Records the agent's output and the proposed action. Does not pause execution. Used when the action's reversibility and stakes are low and audit visibility is the only requirement (e.g., logging an AI-suggested response that a human will choose to use or not).
Audit only
Validating — sign-off, allows continuation
asynchronous · 4-24 hr SLA
Human signs off on the agent's output before the action proceeds. Workflow pauses pending sign-off. Right for medium-stakes outputs where the action is reversible but should be reviewed (most agentic content workflows in regulated industries).
Standard gate
Blocking — must pass, halts on fail
synchronous · 15 min SLA
Hard stop. The agent's output cannot proceed without explicit approval. Used where the action is irreversible or the stakes are high enough that even a 4-hr delay is acceptable (e.g., large-financial-transaction approvals, medical-decision support).
High-stakes
Escalating — routes on flag
conditional · variable SLA
Most actions go through automatically; specific patterns (low confidence, high stakes, novel pattern) route to higher-authority review. The escape hatch that prevents agents from making bad calls under uncertainty.
Escape hatch
03 — RACI
RACI mapping for gates.
Before building any gate, run a RACI mapping. The mapping is the design conversation that prevents the most common failure mode — building a gate whose reviewer has the same accountability as the workflow originator, which adds no oversight value.
Reviewer must NOT be Responsible on the workflow
If the same role is Responsible on the workflow and Reviewer at the gate, the gate is theatrical — the role operating the gate has an incentive to pass it. The gate's reviewer needs to be someone whose accountability differs from the workflow originator's.
Independent reviewer
Reviewer must be Accountable for the GATE OUTCOME
Whoever clicks 'approve' has to be the person who answers for the outcome. This forces clarity on who actually owns the decision. 'Compliance reviewed' is not a name; the named individual has to be on the record.
Named accountability
Consulted roles get visibility, not approval rights
Other stakeholders (legal, ops, exec sponsors) can be Consulted via notification but should not have approval rights at the gate. Multi-approver gates produce queue serialisation; single-approver gates with consulted-role visibility scale better.
Single approver
Informed roles get the audit trail, not the active gate
Some stakeholders (audit committee, board sub-committee) need visibility into gate decisions but not active involvement. The audit trail (section 5) is the artefact for them; do not put them in the active gate flow.
Trail-only visibility
04 — Escalation
Escalation paths + SLAs.
Real-time gates (synchronous)
Blocking gates on synchronous workflows (customer-facing chat agent, real-time decision support). Reviewer is on-shift; SLA is tight; if SLA breaches, the gate auto-escalates to a higher-tier reviewer with extended SLA.
Synchronous
Standard validating gates (async)
Most validating gates run on 4-hour SLAs. Reviewer batches sign-offs across the day. SLA breach escalates to a back-up reviewer at 4 hrs and to the team lead at 8 hrs.
Standard
Complex review gates
Multi-step review or cross-functional review gates run on 24-hour SLAs. Used for content that requires legal + brand + compliance triangulation. Beyond 24 hrs, the workflow halts and the gate becomes an explicit blocker.
Complex
Reviewer → Backup → Team Lead
Standard escalation chain has three stops. Auto-escalation rules in the gate platform route to the next stop on SLA breach. Most agentic platforms (LangGraph, Mastra workflow primitives) have built-in escalation; configure once per gate type.
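The four gate semantics from section 02 and the three-stop escalation chain above, written out as an added example (not code from this page or from any platform it names). The real-time tier's "extended SLA" has no number on the page, so the example assumes each missed 15-min window moves the gate one stop up the chain.

```python
from datetime import datetime, timedelta
from enum import Enum


class GateType(Enum):
    ADVISORY = "advisory"      # logged, never blocks
    VALIDATING = "validating"  # pauses pending sign-off
    BLOCKING = "blocking"      # hard stop; nothing proceeds without approval
    ESCALATING = "escalating"  # passes through unless a flag routes it up


def blocks_execution(gate: GateType, flagged: bool = False) -> bool:
    """Whether the workflow must pause at this gate.
    Advisory never pauses; validating and blocking always do; escalating
    pauses only when the action was flagged (low confidence, high stakes,
    novel pattern)."""
    if gate is GateType.ADVISORY:
        return False
    if gate is GateType.ESCALATING:
        return flagged
    return True


# SLA tiers from the page: 15 min real-time, 4 hrs standard, 24 hrs complex.
SLA = {
    "realtime": timedelta(minutes=15),
    "standard": timedelta(hours=4),
    "complex": timedelta(hours=24),
}

# Default three-stop chain: Reviewer -> Backup -> Team Lead.
CHAIN = ("reviewer", "backup", "team_lead")


def current_stop(tier: str, opened_at: str, now: str) -> str:
    """Return the chain stop holding an open gate, or 'halted'.
    Timestamps are ISO-8601 strings, e.g. "2026-03-01T09:00:00+00:00".
    standard: backup after 4 hrs, team lead after 8 hrs (page defaults).
    complex:  no chain; past 24 hrs the workflow halts and the gate
              becomes an explicit blocker.
    realtime: ASSUMPTION - each missed 15-min window moves the gate one
              stop up the chain (the page gives no number here)."""
    elapsed = datetime.fromisoformat(now) - datetime.fromisoformat(opened_at)
    window = SLA[tier]
    if tier == "complex":
        return "halted" if elapsed > window else CHAIN[0]
    breaches = int(elapsed // window)  # whole SLA windows already missed
    return CHAIN[min(breaches, len(CHAIN) - 1)]
```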
3-stop default
05 — Audit trail
Audit-trail schema.
The audit-trail schema is what turns the gate from a checkbox into a defensible compliance artifact. Nine fields per gate event. The compliance team needs every field; missing any of them is what gets flagged in audits.
Identity · Time · Workflow
what + when + which
Workflow ID, gate ID, gate event timestamp (UTC, ISO-8601). The minimum to find the event in any audit query. All three fields are server-side stamped, not user-provided.
Identification
Reviewer · Decision · Comment
who + what they decided + why
Reviewer ID (named individual), decision (approve / reject / escalate / defer), and a free-text comment. The comment is required on reject and escalate decisions; encouraged on approve.
Decision record
Agent state diff at gate
before/after snapshot
Structured snapshot of what the agent was about to do, captured at the moment the gate triggered. Without this, auditors cannot see what was reviewed; with it, the gate decision is reproducible.
Reproducibility
SLA metrics + escalation chain
performance + history
Time-to-decision (computed at decision), SLA tier, escalation chain history (which reviewers it routed through). Performance fields support both gate quality monitoring and compliance reporting.
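One way to stamp a gate event against the schema above and check it on ingest, as an added example rather than the page's own artifact. The field names, the server-side stamping of timestamp and time-to-decision, and the JSON-line encoding are assumptions; the sample before/after states are constructed.

```python
import json
from datetime import datetime, timezone

DECISIONS = ("approve", "reject", "escalate", "defer")

# Assumed field names for the schema fields named on the page.
REQUIRED = ("workflow_id", "gate_id", "event_ts", "reviewer_id", "decision",
            "comment", "state_diff", "time_to_decision_s", "sla_tier",
            "escalation_chain")


def check_decision(decision: str, comment: str) -> str:
    """Return an error message, or '' if acceptable: comment is mandatory
    on reject and escalate, optional on approve and defer."""
    if decision not in DECISIONS:
        return f"unknown decision {decision!r}"
    if decision in ("reject", "escalate") and not comment.strip():
        return f"comment is required on {decision}"
    return ""


def state_diff(before: dict, after: dict) -> dict:
    """Field-level snapshot of what the agent was about to change."""
    keys = sorted(set(before) | set(after))
    return {k: {"before": before.get(k), "after": after.get(k)}
            for k in keys if before.get(k) != after.get(k)}


def record_gate_event(workflow_id, gate_id, opened_ts, reviewer_id, decision,
                      comment, before, after, sla_tier, chain, decided_ts=None):
    """Build one audit-trail event; event_ts and time_to_decision_s are
    stamped here (server side), never taken from the caller's payload."""
    err = check_decision(decision, comment)
    if err:
        raise ValueError(err)
    decided = (datetime.fromisoformat(decided_ts) if decided_ts
               else datetime.now(timezone.utc))
    opened = datetime.fromisoformat(opened_ts)
    return {
        "workflow_id": workflow_id,
        "gate_id": gate_id,
        "event_ts": decided.isoformat(),
        "reviewer_id": reviewer_id,          # a named individual, not a team
        "decision": decision,
        "comment": comment,
        "state_diff": state_diff(before, after),
        "time_to_decision_s": int((decided - opened).total_seconds()),
        "sla_tier": sla_tier,
        "escalation_chain": list(chain),     # stops the gate routed through
    }


def to_jsonl(event: dict) -> str:
    """One event per line, keys sorted so records diff cleanly."""
    return json.dumps(event, sort_keys=True)


def validate_event(event: dict) -> list:
    """Ingest-side check: the schema fields this event is missing."""
    return [f for f in REQUIRED if f not in event]
```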
Performance
06 — Compliance
NIST · ISO 42001 · EU AI Act crosswalk.
The framework satisfies named clauses across the three major governance regimes. The crosswalk below is the reference compliance teams use to defend the design.
Govern + Manage + Measure functions
Gate types map to MANAGE (validating + blocking gates), GOVERN (RACI mapping + audit trail), MEASURE (SLA metrics + decision history). Audit trail satisfies AI RMF's traceability and accountability requirements.
Direct mapping
Clauses 6.1 + 7.5 + 8.1 + 9.1
Risk treatment (6.1) maps to gate-type selection by risk level; documented information (7.5) maps to audit-trail schema; operational planning (8.1) maps to escalation paths; performance evaluation (9.1) maps to SLA metrics.
Clause mapping
Article 14 (high-risk human oversight)
Article 14 requires that high-risk systems be designed for effective oversight by natural persons. The four-gate framework satisfies the article's specific requirements: oversight measures (gate types), oversight role identification (RACI), and oversight competence (escalation tiers).
Article-specific
Accountability + Transparency
OECD principles on accountability and transparency map directly to the audit-trail schema (accountability via reviewer attribution) and the gate-type-by-risk-level approach (transparency via documented design rationale).
Principle-aligned
07 — Reference architectures
Three reference architectures.
Financial-services content compliance
Researcher → Drafter → Auditor → VALIDATING gate (compliance review, 4-hr SLA) → ESCALATING gate (legal review on flagged claims, 24-hr SLA) → Deployer (CRM + email). Two gates of different types; audit trail captures every claim that triggered legal escalation.
Content-heavy
Healthcare patient communications
Researcher (KB lookup) → Drafter (response template) → Auditor (HIPAA + clinical rubric) → VALIDATING gate (clinician sign-off, 4-hr SLA) → BLOCKING gate (compliance check on PHI exposure, 15-min SLA on real-time chat) → Deployer (patient portal). Mix of validating and blocking gates because PHI exposure is irreversible.
PHI-protected
Legal contract drafting
Researcher (precedent lookup) → Drafter (clause-by-clause) → Auditor (rubric + jurisdictional check) → ESCALATING gate (paralegal review) → BLOCKING gate (partner sign-off on novel clauses) → Deployer (DocuSign). Two-tier gate design — paralegal handles standard clauses, partner reviews novel patterns flagged by the escalator.
Tiered review
08 — Conclusion
Four gate types, one framework.
Governance is design work. Done well, gates contain risk without becoming queues; done poorly, agentic programs in regulated industries simply do not ship.
The four-gate framework — advisory, validating, blocking, escalating — covers the practical surface of human-in-the-loop review across regulated workflows. The RACI mapping, escalation SLAs, and audit-trail schema convert the design into something a compliance team can defend and an operations team can run without it becoming a bottleneck.
Adopt the framework before building. The most expensive failure mode is shipping a single-gate workflow, watching it queue, and tearing it out for a redesign. The cost of getting the gate design right on paper is one design session and a RACI table; the cost of getting it wrong is three months of operational friction and a stalled program.
Map your specific regime (NIST, ISO 42001, EU AI Act, sector regulators) into the crosswalk; pick the reference architecture closest to your workflow; build the audit-trail schema first (the gates are easier to add once the schema is in place).