Santa Fe College

AI Approval Workflow

Reviewer Reference

Routing Graph

Trace how request conditions route into a likely risk tier, reviewer group, and decision range.

How review branches

Each flow shows the trigger, the likely tier, who joins the review, and the decisions that usually stay on the table.

Trigger

Public or no institutional data

data Classification: public
decision Impact: none, low
third Party Involved: false
connects To College Systems: false
Likely tier: Tier 1 - Low
Reviewers: Supervisor or Department Approver
Possible outcomes: approved, approved with conditions, more information needed

Evidence: use description, tool name

Trigger

Internal data with human review

data Classification: internal
Likely tier: Tier 2 - Moderate
Reviewers: Supervisor or Sponsor, Data Steward
Possible outcomes: approved, approved with conditions, denied, more information needed

Evidence: business purpose, data elements, human review plan

Trigger

Confidential data

data Classification: confidential
Likely tier: Tier 3 - High
Reviewers: Data Steward, Data Owner, ITS Security, Legal/Compliance if Applicable
Possible outcomes: approved with conditions, pilot approved, denied, escalated, more information needed

Evidence: data elements, minimum necessary rationale, security evidence

Trigger

Restricted data

data Classification: restricted
Likely tier: Tier 4 - Restricted or Prohibited
Reviewers: Data Owner, ITS Security, Legal/Compliance, Executive Sponsor, Governance Body
Possible outcomes: prohibited, denied, approved with conditions, escalated

Evidence: full risk assessment, exception rationale, security controls

Trigger

Unknown data classification

data Classification: unknown
Likely tier: unknown
Reviewers: Data Steward
Possible outcomes: more information needed, escalated

Evidence: data elements, sample records or description

Trigger

Third-party vendor involved

third Party Involved: true
Likely tier: conditional
Reviewers: Procurement, ITS Security, Legal/Compliance, Data Steward or Owner
Possible outcomes: approved with conditions, pilot approved, denied, more information needed, escalated

Evidence: contract or terms, privacy policy, security documentation

Trigger

College system integration

connects To College Systems: true
Likely tier: conditional
Reviewers: ITS Security, System Owner, Data Steward or Owner
Possible outcomes: approved with conditions, pilot approved, denied, more information needed, escalated

Evidence: integration method, API scopes, authentication method

Trigger

FERPA or student records

sensitive Categories: ferpa
Likely tier: Tier 3 - High
Reviewers: Registrar or Student Records Owner, Data Steward, ITS Security, Legal/Compliance if Applicable
Possible outcomes: approved with conditions, denied, escalated, more information needed

Evidence: FERPA purpose, student record elements, access controls

Trigger

High or consequential decision impact

decision Impact: high, consequential
Likely tier: Tier 3 - High
Reviewers: Data Owner, Legal/Compliance, Governance Body, Business Owner
Possible outcomes: pilot approved, approved with conditions, denied, prohibited, escalated

Evidence: impact assessment, human oversight plan, appeal or override path

Trigger

Agentic AI capability

is Agentic: true
Likely tier: Tier 3 - High
Reviewers: ITS Security, data owner or steward, Process Owner, Governance Body if Sensitive or Write Access
Possible outcomes: pilot approved, approved with conditions, denied, prohibited, escalated

Evidence: tool permissions, action boundaries, human approval gates

Trigger

Agentic tool use capability

capabilities: agentic tool use
Likely tier: Tier 3 - High
Reviewers: ITS Security, data owner or steward, Process Owner
Possible outcomes: pilot approved, approved with conditions, denied, escalated

Evidence: tool permissions, approved tools list, action boundaries

Trigger

Autonomous action capability

capabilities: autonomous action
Likely tier: Tier 4 - Restricted or Prohibited
Reviewers: ITS Security, Data Owner, Process Owner, Legal/Compliance, Executive Sponsor, Governance Body
Possible outcomes: prohibited, pilot approved, approved with conditions, denied, escalated

Evidence: action inventory, human approval gates, rollback plan

Trigger

Code execution capability

capabilities: code execution
Likely tier: Tier 3 - High
Reviewers: ITS Security, System Owner, Governance Body if Sensitive or Write Access
Possible outcomes: pilot approved, approved with conditions, denied, prohibited, escalated

Evidence: execution environment, sandboxing controls, secrets handling

Trigger

Automation capability

capabilities: automation
Likely tier: Tier 2 - Moderate
Reviewers: Supervisor or Sponsor, Process Owner, ITS Security
Possible outcomes: approved, approved with conditions, pilot approved, denied, escalated

Evidence: workflow description, trigger conditions, human review plan

Trigger

Decision support capability

capabilities: decision support
Likely tier: Tier 2 - Moderate
Reviewers: Supervisor or Sponsor, Data Steward, Business Owner
Possible outcomes: approved with conditions, pilot approved, denied, escalated

Evidence: decision context, human oversight plan, accuracy review

Reviewer Directory

Who each lane represents

Use this as a quick legend when you need to understand why someone appears in a route.

Supervisor or Department Approver

Business need, role fit, department readiness

Supervisor or Sponsor

Business need, expected benefit, accountable owner

Data Steward

Data classification, minimum necessary use, access scope

Data Owner

Final data-domain authority, exceptions, high-risk data sharing

Data Steward or Owner

Data approval appropriate to classification and domain

ITS Security

Security controls, integrations, identity, logging, vendor posture

System Owner

Integration impact, supportability, system permissions

Procurement

Purchasing path, contract coordination, vendor requirements

Legal/Compliance

FERPA, privacy, contract risk, records, regulatory obligations

Legal/Compliance if Applicable

Compliance-sensitive or contract-sensitive requests

Executive Sponsor

Institutional risk acceptance and strategic fit

Governance Body

High-risk, novel, disputed, or cross-functional requests

Governance Body if Sensitive or Write Access

Agentic systems with sensitive data or high-impact capabilities

Business Owner

Operational accountability, training, monitoring, and reassessment

Registrar or Student Records Owner

FERPA and student-record use

Process Owner

Action boundaries, workflow impact, rollback, user guidance
