EVIDENCE TRAIL
Risk-prioritised review queue
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The phrase "risk-prioritised review queue" is Helmwart's normalised label — OWASP Agentic AI v1.1 Playbook 5 states the core pattern verbatim: "Use AI trust scoring to prioritize HITL review queues based on risk level."
Last cross-checked against upstream sources: · 7 sources
References
Each entry shows what the source supports and what it does not prove.
OWASP Agentic AI — Threats & Mitigations v1.1
§T10 Overwhelming Human in the Loop — Mitigations (Threat Model Summary table)
"Develop advanced human-AI interaction frameworks, and adaptive trust mechanisms. These are dynamic AI governance models that employ dynamic intervention thresholds to adjust the level of human oversight and automation based on risk, confidence, and context. Apply hierarchical AI-human collaboration where low-risk decisions are automated, and human intervention is prioritized for high-risk anomalies."
Supports: Verbatim upstream statement of the risk-prioritised queue pattern: dynamic intervention thresholds based on risk + context, low-risk automation, high-risk human escalation. Closest single sentence to the control's design intent.
Does not prove: Describes the control at one sentence of resolution. Does not specify the scoring function, threshold values, or tier count. Helmwart adds the multi-factor score formula and tier structure.
OWASP Agentic AI — Threats & Mitigations v1.1
§Playbook 5: Protecting HITL & Preventing Decision Fatigue Exploits — Step 1 "Optimize HITL Workflows & Reduce Decision Fatigue (Proactive)"
"Use AI trust scoring to prioritize HITL review queues based on risk level. Automate low-risk approvals while requiring human oversight for high-impact tasks. Limit AI-generated notifications to prevent cognitive overload. Implement frequency thresholds to limit excessive AI-generated notifications, requests, and approvals to prevent decision fatigue. Apply adaptive workload distribution across human reviewers. Balance AI review tasks dynamically to prevent decision fatigue for individual reviewers."
Supports: Explicitly names "AI trust scoring to prioritize HITL review queues based on risk level" and "automate low-risk approvals while requiring human oversight for high-impact tasks" — the operational core of this mitigation. Also names adaptive workload distribution to prevent per-reviewer fatigue.
Does not prove: Does not specify what factors compose the trust score, or how the threshold between auto-approve and HITL queue is calibrated. Helmwart defines the four-factor weighted score.
OWASP Agentic AI — Threats & Mitigations v1.1
§T10 Overwhelming Human in the Loop — Description
"Overwhelming Human-in-the-Loop (HITL) occurs when attackers exploit human oversight dependencies in multi-agent AI systems, overwhelming users with excessive intervention requests, decision fatigue, or cognitive overload. This vulnerability arises in scalable AI architectures, where human capacity cannot keep up with multi-agent operations, leading to rushed approvals, reduced scrutiny, and systemic decision failures."
Supports: Names the mechanism — undifferentiated volume causing decision fatigue, rushed approvals, and reduced scrutiny — that risk-prioritised queuing directly addresses. The MDX cites "undifferentiated review volume" as the T10 driver this control targets.
Does not prove: Describes the threat, not the mitigation. The excerpt does not state that risk-based routing is the solution — that is in the separate Playbook 5 entry above.
OWASP Top 10 for Agentic Applications 2026
§ASI09 Human-Agent Trust Exploitation — Prevention and Mitigation Guideline 5 "Adaptive Trust Calibration"
"Adaptive Trust Calibration: Continuously adjust the level of agent autonomy and required human oversight based on contextual risk scoring. Implement confidence weighted cues (e.g., "low-certainty" or "unverified source") that visually prompt users to question high-impact actions, reducing automation bias and blind approval."
Supports: Establishes contextual risk scoring as the mechanism for adjusting human oversight level — the same mechanism this control's scoring function implements. Names automation bias and blind approval as the failure modes that risk-tiered attention prevents.
Does not prove: Frames adaptive trust as a countermeasure to trust exploitation (ASI09), not to reviewer fatigue (T10). The risk-scoring purpose differs between the two entries even though the mechanism is the same.
NIST AI RMF 1.0 — AI 100-1
§1.2.3 Risk Prioritization
"Policies and resources should be prioritized based on the assessed risk level and potential impact of an AI system. … When applying the AI RMF, risks which the organization determines to be highest for the AI systems within a given context of use call for the most urgent prioritization and most thorough risk management process."
Supports: Establishes risk-level prioritisation as the canonical resource-allocation principle for AI governance. "Most urgent prioritization … most thorough risk management process" for highest-risk items is the precise logic this control applies to reviewer attention.
Does not prove: Applies to organisational risk management broadly, not to runtime decision routing within a deployed agentic system. Does not name review queues, HITL, or per-decision scoring. Helmwart narrows the principle from portfolio-level to decision-level.
NIST AI RMF 1.0 — AI 100-1
MANAGE 1 — Categories and Subcategories (Table 4)
"MANAGE 1.2: Treatment of documented AI risks is prioritized based on impact, likelihood, and available resources or methods."
Supports: Names impact and likelihood as the two axes that should drive prioritisation of risk treatment — the same axes (value-at-risk × probability proxy) the MDX scoring function encodes. Provides the formal RMF anchor for a risk-priority-ordered queue.
Does not prove: MANAGE 1.2 applies to documented organisational risks, not to real-time per-decision routing. No mention of automated approval tiers or scoring thresholds.
MITRE ATLAS AML.M0029 — Human In-the-Loop for AI Agent Actions
No verbatim excerpt pulled yet — open the original to verify the cited section.
Supports: Defines the human-review gate that the high-risk tier of this control routes into. Risk-prioritised queuing is the mechanism that decides which decisions reach the AML.M0029 gate and which are auto-approved.
Does not prove: AML.M0029 defines the gate, not the routing logic. The catalogue entry does not specify how decisions are selected for human review or scored for risk.
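Added example, not code from Helmwart or from the cited sources: a Python sketch of the routing that the Playbook 5 and MANAGE 1.2 excerpts describe, scoring each decision as impact x likelihood, auto-approving below a threshold, and assigning the rest to the least-loaded reviewer in descending risk order. The threshold, the per-reviewer cap, all function names and the sample decisions are assumptions; when reviewers are saturated the overflow is deferred, never auto-approved.

```python
import heapq
from dataclasses import dataclass, field

# Assumed values for illustration; the cited sources specify no thresholds or caps.
AUTO_APPROVE_BELOW = 0.10  # risk under this is approved without human review
REVIEWER_CAP = 3           # max open items per reviewer (frequency threshold)

# Constructed sample decisions: (id, impact, likelihood), both normalised to [0, 1].
SAMPLE = [("d1", 0.9, 0.8), ("d2", 0.2, 0.3), ("d3", 0.5, 0.5),
          ("d4", 1.0, 0.05), ("d5", 0.7, 0.9), ("d6", 0.4, 0.4)]

@dataclass(order=True)
class Item:
    sort_key: float                      # negated risk, so heapq pops highest risk first
    decision_id: str = field(compare=False)
    risk: float = field(compare=False)

def risk_score(impact: float, likelihood: float) -> float:
    """Impact x likelihood, the two axes named in NIST AI RMF MANAGE 1.2."""
    if not (0.0 <= impact <= 1.0 and 0.0 <= likelihood <= 1.0):
        raise ValueError("impact and likelihood must be in [0, 1]")
    return impact * likelihood

def route(decisions, reviewers, cap=REVIEWER_CAP):
    """Return (auto_approved, assignments, deferred) for a batch of decisions."""
    auto, heap = [], []
    for d_id, impact, likelihood in decisions:
        r = risk_score(impact, likelihood)
        if r < AUTO_APPROVE_BELOW:
            auto.append(d_id)                        # low-risk tier: automated
        else:
            heapq.heappush(heap, Item(-r, d_id, r))  # HITL tier: queue by risk
    load = {name: 0 for name in reviewers}
    assignments, deferred = [], []
    while heap:
        item = heapq.heappop(heap)
        reviewer = min(load, key=load.get) if load else None  # least-loaded reviewer
        if reviewer is None or load[reviewer] >= cap:
            deferred.append(item.decision_id)  # fail closed: held, not approved
            continue
        load[reviewer] += 1
        assignments.append((item.decision_id, reviewer, round(item.risk, 2)))
    return auto, assignments, deferred

if __name__ == "__main__":
    print(route(SAMPLE, ["alice", "bob"], cap=1))
```

With two reviewers and a cap of one item each, the two highest-risk decisions get human attention first and the remaining queued items wait instead of being approved by default.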