AI-Powered Project Management · Module 5 · Lesson 1 of 3
Approval gates and review roles: who checks, and who decides
Defining an approval gate as a fixed point where work pauses for a decision, and a review role as the named authority who makes that decision, then choosing the right review path for a range of project scenarios so a high-impact decision never quietly slips through unreviewed — and is never approved by AI itself.
By the end, you can
- Define an approval gate and a review role, and explain why a project needs both a fixed point where work pauses and a named person with authority to decide (PM-4).
- Choose the appropriate review path for a range of project scenarios — routine confirmation, named reviewer sign-off, or escalation to a sponsor or governance board — based on a decision's scale and risk (PM-4).
- Explain why an AI assistant can propose which gate a decision needs but must never be treated as the approver at that gate, and name whose authority it belongs to instead (PM-4, PM-5).
Before you start
This is Module 5, Lesson 1 of the AI-Powered Project Management course, opening the course's last module on governance and review. It assumes you have completed Modules 1 to 4 — you should be comfortable with a bounded project brief, a reviewed task breakdown, a decision/risk packet and an evidence-based status update — and have used at least one AI chat assistant for drafting text. It does not require project-management certification, software or a specific governance tool.
A gate is where work pauses; a review role is who decides
Every artifact this course has built so far — a brief, a task breakdown, a risk register, a status update — eventually needs someone to actually say yes to it before work moves forward. APM's project management glossary defines a gate as "the point between phases, gates and/or tranches where a go/no go decision can be made about the remainder of the work." A gate is not a formality; it is a genuine pause, built into the project on purpose, where the honest answer could be no. The same glossary defines a stage as "a subdivision of the development phase of a project created to facilitate approval gates at suitable points in the life cycle" — the phrase "approval gates" is the glossary's own, and it is worth taking literally: a gate exists to be approved, which means it could also, honestly, not be.
A gate with nobody authorised to decide at it is just a pause with no outcome. That authority is a review role — a named person or body whose job is to make the call at a specific gate, not everyone in the room and not whoever happens to be free that week. Naming the gate and naming who decides at it are two separate design choices, and a governance structure missing either one is not really a structure — it is a hope that someone will notice when a decision is needed.
Not every decision needs the same review path
Module 3 introduced escalation for a risk or decision that outgrows its owner's authority — worked out in the moment, once something specific has already gone far enough to need it. This lesson generalises that same idea into something decided in advance: a standing map of which kinds of decision need which level of review, agreed before any particular decision arrives, so nobody has to guess mid-crisis who is supposed to sign off.
Three broad review paths cover most project decisions. A routine confirmation suits a small, reversible choice within an already-agreed plan — ordering stationery a brief already budgeted for does not need a governance board's attention. A named reviewer's sign-off suits a moderate decision with real but contained consequences — approving a two-week schedule slip inside an already-approved budget might need one specific person's confirmation, not a full board meeting. Escalation to a sponsor or governance board, the path Module 3 named, suits a decision that is large, hard to reverse, or outside the current owner's delegated authority altogether — a budget increase, a scope change a client will notice, or anything that could seriously affect the project's chance of meeting its goal. Those two names are worth defining precisely, since this module's remaining lessons lean on both: APM's project management glossary defines a governance board as "a body that provides sponsorship to a project, programme or portfolio," whose members "oversee deployment and make decisions through the chosen life cycle," and defines the sponsor as "a critical role as part of the governance board" who "is accountable for ensuring that the work is governed effectively and delivers the objectives that meet identified needs" — the level where accountability genuinely lives once a decision passes beyond everyone else's delegated limits. Choosing the wrong path in either direction causes a real problem: routing every decision to the board buries the genuinely serious ones in noise, while routing a serious decision through routine confirmation lets it through without anyone who could actually say no ever seeing it.
Why AI can suggest a gate, but can't be the approver at it
Given a description of a project's likely decisions, an AI assistant can propose a genuinely sensible starting map: which kinds of decision probably need routine confirmation, which probably need a named reviewer, and which look serious enough to escalate. That is useful structuring work — building a review-path map from scratch, decision type by decision type, is easy to leave vague if nobody sits down to do it deliberately.
It is not the same as knowing your organisation's actual delegated authority. The US National Institute of Standards and Technology's (NIST) AI Risk Management Framework describes an AI system as something that "can, for a given set of objectives, generate outputs such as predictions, recommendations, or decisions" — a generator of a plausible review-path suggestion, not a party who knows which specific person in your organisation is actually authorised to approve a five-figure spend, or which decisions your sponsor has said she wants to see personally regardless of size. A drafted map is a starting point the named lead corrects against the organisation's real authority, not a finished governance structure.
There is a second, sharper point here, and it holds regardless of how confident or well-reasoned an AI-drafted recommendation sounds: an AI assistant that helped draft a plan, a risk register or a decision must never also be the approver that signs off on it at a gate. The Open Worldwide Application Security Project's (OWASP) guidance on excessive agency recommends that a system "utilise human-in-the-loop control to require a human to approve high-impact actions before they are taken" — and a gate exists precisely to be that human checkpoint. Letting AI approve its own drafted work collapses the gate into nothing: the pause still happens on the calendar, but nobody with independent judgement, and nothing outside the system that produced the draft, actually looks at it before it proceeds. The review role at any gate belongs to a named person with real authority and real accountability for the call — never to the tool that produced what's being reviewed.
A worked example: Riverside Food Bank's volunteer-scheduling project
Riverside Food Bank, a small charity, is three weeks into rolling out new volunteer-scheduling software, working from a bounded project brief and a reviewed task breakdown its operations coordinator built using this course's earlier modules. She asks an AI assistant to draft a review-path map for the decisions the rest of the project is likely to raise.
The assistant proposes a sensible-looking three-tier map: routine confirmation for anything inside the already-approved £2,000 software budget; the coordinator's own sign-off for schedule changes under two weeks; escalation to the trustee board for anything touching the charity's data-handling policy, since volunteer contact details are involved.
The coordinator checks the draft against what she actually knows about Riverside's governance. She agrees with the two lower tiers largely as drafted. She corrects the top tier: the AI's draft treated a budget overrun as something for her own sign-off up to £500, but she knows the trustee board's own rules require any overrun at all on a board-approved budget to come back to them, regardless of size — a rule that lives in the charity's governing documents, not in anything the task breakdown told the AI assistant. She also adds a gate the draft had no way to propose: Riverside's director, Priya, has asked personally to review anything that changes which volunteers can see other volunteers' contact details, a standing preference specific to this charity that no generic review-path map could have known to include.
Accessibility notes
This lesson is text-first, with no images, audio, video or downloadable artifacts. The practice exercise's model answer sits behind a native disclosure control that is reachable and operable by keyboard and correctly announced by screen readers. The knowledge check uses native radio-button inputs with a visible question and options, and posts its result to a live status region so assistive technology announces the outcome without a page reload.
Practice
Choosing a review path: a tenants' association's playground upgrade
A residents' tenants' association is upgrading a shared playground using funds from a council grant. An AI assistant, asked to suggest which decisions need which level of review, proposes three sample decisions from the project: (1) buying replacement rubber safety matting that was already listed and costed in the approved grant application; (2) a contractor's quote coming in £3,000 over the amount the grant covers, with no other funding source yet identified; (3) a resident's request to add a small bench near the playground, which was not in the original grant application but would cost under £100 from the association's existing petty cash.
- Classify each of the three decisions into a review path — routine confirmation, named reviewer sign-off, or escalation to the tenants' association's committee — and explain your reasoning for each.
- Decision 2 involves money the project does not currently have. Explain why this is a stronger reason to escalate than the amount alone might suggest.
- The AI assistant that helped cost the original grant application also drafts a recommendation that decision 2 be approved by 'increasing the contingency line,' without flagging it for the committee. Explain what is wrong with treating this AI-drafted recommendation as if it were already an approved decision.
- Name one piece of information about this specific tenants' association — for example, a rule in its own constitution about spending limits — that an AI assistant proposing review paths from the project's numbers alone would have no way to know.
Compare with a bounded first version
Decision 1 fits routine confirmation: the matting was already itemised and costed in the approved grant application, so buying it is executing an already-approved plan, not making a new call. Decision 2 fits escalation to the committee: it involves money the project does not currently have, which is exactly the kind of gap only the association's committee can resolve, whether by approving new spending, seeking further funds, or scaling back the work. Decision 3 likely fits named reviewer sign-off: it's a small, low-cost addition outside the original grant scope, but not large or risky enough to need full committee escalation — a named committee member confirming that petty cash can stretch to it, and that a bench near a playground raises no safety concern, is proportionate. The funding gap in decision 2 matters more than the amount alone because the question isn't just 'is £3,000 a lot of money' — it's that nobody has yet said where that money comes from, and committing to the extra cost without identifying the source could leave the association financially exposed in a way a same-size decision within an already-funded budget wouldn't. Treating the AI's 'increase the contingency line' recommendation as an approved decision is wrong because a recommendation, however reasonable it sounds, has not been checked against whether the association's contingency line can actually absorb it without affecting other approved costs — and because the AI assistant that helped cost the original application has no authority to approve spending decisions at all; that approval belongs to the committee, not to whichever draft proposed a workaround. Something the AI assistant proposing review paths could not know: perhaps the association's own constitution sets a fixed rule that any spend over £1,000 outside the original grant application requires a vote at a general meeting, not just committee sign-off — a specific governance rule that lives in the association's own paperwork, not in the numbers of this particular project.
Knowledge check
Try the idea
Low-stakes practice only. This does not score, block progress or create a learner record.Sources and limits
This lesson synthesises the sources below into a practical learning model. It is not a security standard, legal advice or a guarantee that any particular agent design is safe.
- Project management glossary — APM (Association for Project Management). Defines a gate as the point between phases, gates or tranches where a go/no go decision is made, and a stage as a subdivision of a project created to facilitate approval gates at suitable points in the life cycle.
- Project management glossary — APM (Association for Project Management). Defines a governance board as a body that oversees a project and makes decisions through its life cycle, and a sponsor as the governance-board role accountable for ensuring the work is governed effectively.
- AI Risk Management Framework 1.0 — NIST AI Resource Center. Frames an AI system as an engineered system that generates outputs such as predictions, recommendations or decisions — not a self-directing decision-maker.
- LLM06:2025 Excessive Agency — OWASP Gen AI Security Project. Recommends human-in-the-loop control requiring a person to approve high-impact actions before an LLM-connected system takes them.