MODEL BOUNDARY ONE-PAGER (TEMPLATE)

Workflow name:
- Example: Customer support email replies (billing + account access)

Business goal (1 sentence):
- What are we trying to improve (speed, quality, consistency), without changing risk posture?

Outcome owner (single accountable human role):
- Name the role, not a committee. Example: Head of Support Operations

Model role (choose one):
- Draft only (human sends)
- Recommend actions (human executes)
- Execute bounded actions (model can act inside explicit limits)

Allowed inputs (data boundary):
- What the model may see (ticket text, internal KB, product docs)
- What it may NOT see (secrets, credentials, private keys, payment data, customer PII beyond X)
- Approved retrieval sources (URLs, documents, databases) and who maintains them

Allowed actions (decision boundary):
- List explicit actions the model can take.
- Example: Generate draft reply; suggest macro; propose refund amount (not issue).

Forbidden actions (hard stops):
- List actions that must never be taken by the model.
- Examples: Send email; issue refund; change account security settings; publish public comms.

Human approval rules:
- Which categories require review? (billing disputes, legal threats, safety, data requests)
- Who can approve? (role + on-call coverage)
- What is the approval UI/path? (PR review, ticket checkbox, queue)

Verification expectations:
- What must be checked before execution? (citations, policy alignment, amounts, links)
- What is “good enough” verification? (e.g., source links to internal KB section)

Logging & audit (must be implementable):
- Log inputs (what was provided), retrieval sources, model version, prompt/template version
- Log outputs, tool calls, and final action (send/merge/issue)
- Retention policy and access controls for logs

Rollback & incident plan:
- How do we undo a bad action? (email recall is not real; plan for follow-up)
- Where do AI incidents get reported? (channel/ticket type)
- Who triages?
- Who owns post-incident review?

Release discipline:
- What changes count as a release? (prompt edits, model version bump, retrieval changes)
- Required gate before release: test set run + sign-off owner

Success criteria (qualitative + measurable where available):
- Examples: fewer escalations, faster first response, fewer policy violations

Sign-offs:
- Outcome owner:
- Security/Privacy (if applicable):
- Legal/Compliance (if applicable):
- Engineering owner:
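The decision boundary, human approval rules and logging fields in the template are meant to be enforced in code, not only filled in on paper. The Python below is an added example, not part of the one-pager or any project it describes: it gates every action a model proposes against an allow list, a hard-stop list and a per-action limit, requires a reviewer from an approved role for the review categories, and writes an audit record carrying the fields the Logging & audit section asks for. The action names, review categories, approver roles, refund limit and version strings are constructed placeholders, and storing a hash of the model inputs instead of the raw text is a design choice of this example.

```python
"""Policy gate for model-proposed actions, with an audit trail.

Added example (not from the one-pager). Action names, categories, roles,
limits and version strings are constructed placeholders.
"""
import hashlib
import json
import time
from dataclasses import dataclass, field

# Decision boundary: default-deny allow list plus a hard-stop list.
# The hard-stop check runs first so a later edit to ALLOWED_ACTIONS cannot
# accidentally re-enable a forbidden action.
ALLOWED_ACTIONS = {"generate_draft_reply", "suggest_macro", "propose_refund_amount"}
FORBIDDEN_ACTIONS = {"send_email", "issue_refund",
                     "change_account_security", "publish_public_comms"}

# "Execute bounded actions": explicit limits per action (constructed values).
ACTION_LIMITS = {"propose_refund_amount": {"max_amount": 100}}

# Human approval rules: categories that always need a reviewer, and who may review.
REVIEW_CATEGORIES = {"billing_dispute", "legal_threat", "safety", "data_request"}
APPROVER_ROLES = {"support_lead", "support_oncall"}


@dataclass
class Proposal:
    """What the model wants to do, plus the provenance the audit log must carry."""
    action: str
    category: str
    inputs: str                 # ticket text etc.; only its hash is written to the log
    retrieval_sources: list
    model_version: str
    prompt_version: str
    params: dict = field(default_factory=dict)


@dataclass
class Approval:
    approver_role: str
    approver_id: str


AUDIT_LOG: list = []   # in-memory stand-in for an append-only, access-controlled log


def _audit(proposal, decision, reason, approval=None):
    """Append one record per decision (denials included) and return it."""
    record = {
        "ts": time.time(),
        # Hash, not raw text: the audit log should not become a second copy of
        # customer data with weaker access controls than the ticket system.
        "inputs_sha256": hashlib.sha256(proposal.inputs.encode()).hexdigest(),
        "retrieval_sources": list(proposal.retrieval_sources),
        "model_version": proposal.model_version,
        "prompt_version": proposal.prompt_version,
        "action": proposal.action,
        "category": proposal.category,
        "params": dict(proposal.params),
        "decision": decision,
        "reason": reason,
        "approver": None if approval is None
                    else f"{approval.approver_role}:{approval.approver_id}",
    }
    AUDIT_LOG.append(record)
    return record


def _within_limits(proposal):
    """Bounded actions must stay inside their explicit numeric limit."""
    limits = ACTION_LIMITS.get(proposal.action)
    if not limits:
        return True
    amount = proposal.params.get("amount")
    return isinstance(amount, (int, float)) and 0 <= amount <= limits["max_amount"]


def evaluate(proposal, approval=None):
    """Return (decision, audit_record); decision is 'allow', 'needs_approval' or 'deny'."""
    if proposal.action in FORBIDDEN_ACTIONS:
        return "deny", _audit(proposal, "deny", "hard stop: forbidden action")
    if proposal.action not in ALLOWED_ACTIONS:
        return "deny", _audit(proposal, "deny", "not on allow list (default deny)")
    if not _within_limits(proposal):
        return "deny", _audit(proposal, "deny", "outside explicit action limit")
    if proposal.category in REVIEW_CATEGORIES:
        if approval is None:
            return "needs_approval", _audit(proposal, "needs_approval",
                                            "category requires human review")
        if approval.approver_role not in APPROVER_ROLES:
            return "deny", _audit(proposal, "deny", "approver role not authorised", approval)
        return "allow", _audit(proposal, "allow", "approved by reviewer", approval)
    return "allow", _audit(proposal, "allow", "allowed action, no review category")


if __name__ == "__main__":
    # Constructed sample proposals exercising each branch.
    base = dict(inputs="Ticket #1 (constructed): customer asks for a refund",
                retrieval_sources=["kb://billing/refunds#policy"],
                model_version="model-v1", prompt_version="prompt-v3")
    print(evaluate(Proposal("send_email", "general", **base))[0])
    print(evaluate(Proposal("propose_refund_amount", "billing_dispute",
                            params={"amount": 40}, **base))[0])
    print(evaluate(Proposal("propose_refund_amount", "billing_dispute",
                            params={"amount": 40}, **base),
                   Approval("support_lead", "u123"))[0])
    print(json.dumps(AUDIT_LOG, indent=2))
```

The gate is default-deny: an action that appears on neither list is still refused, so giving the model a new tool means editing the one-pager and the allow list together. Every decision, including denials and pending approvals, produces a record with the model and prompt versions, which is what the Release discipline section needs in order to tie a bad outcome to a specific prompt edit or model bump.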