Most teams add human review the way they add a confirmation dialog: a checkpoint in the interface that a person clicks through. It feels like control. It is not. A checkpoint in the UI is a checkpoint someone can route around the moment there is a second entry point, a background job, or a hurried integration.
Where the gate lives is the whole question
If an action can reach the outside world through any path that does not require a human's signature, then human review is a habit, not a property of the system. Habits decay under deadline pressure. Properties do not.
So we put the gate in the schema. An irreversible action is modeled as a thing that does not exist until it carries an approval — not a flag you check, but a state the record cannot leave without a person on it. There is no code path that produces the side effect without the sign-off, because the type system will not let you write one.
- Approval is a state in the data model, not a step in the UI.
- If a second integration appears next year, the gate still holds — it was never in the screen.
- The trail of who approved what falls out for free, because the approval is the record.
If a junior engineer adding a new endpoint could accidentally bypass your review, your review was never real.
Decide this on day one. Retrofitting a guarantee onto a model that assumed convenience is far more expensive than designing for the guarantee from the start.