EVIDENCE TRAIL
Human dual-control — four-eyes rule
Verbatim excerpts from the upstream sources cited on the mitigation page, with what each source does and does not prove. The "four-eyes rule" and "dual control" labels are industry-standard terms; the canonical technical mandate appears in NIST SP 800-53 Rev 5 AC-3(2) as "dual authorization, also known as two-person control." One MDX misattribution is flagged below (NIST AI 600-1 MANAGE 2.4 concerns AI deactivation, not per-action dual approval).
Last cross-checked against upstream sources: · 8 sources
References
Each entry shows what the source supports and what it does not prove.
NIST SP 800-53 Rev 5 — AC-3(2) Access Enforcement: Dual Authorization
Control Enhancement AC-3(2) ACCESS ENFORCEMENT | DUAL AUTHORIZATION — Discussion
"Dual authorization, also known as two-person control, reduces risk related to insider threats. Dual authorization mechanisms require the approval of two authorized individuals to execute. To reduce the risk of collusion, organizations consider rotating dual authorization duties. Organizations consider the risk associated with implementing dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety."
Supports: Verbatim federal mandate for the two-person approval mechanism this control implements. Names insider-threat risk reduction, the collusion-mitigation rationale (pairing rotation), and the carve-out for immediate-response scenarios — all directly mapped to the MDX "When NOT to use" section.
Does not prove: Applies to information systems generically; does not name AI agents, LLM tool invocations, or the specific action classes (IAM policy edits, money movement) that Helmwart uses as examples of dual-control thresholds.
NIST SP 800-53 Rev 5 — AC-5 Separation of Duties
Control AC-5 SEPARATION OF DUTIES — Discussion
"Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions."
Supports: States the principle this control operationalises: different individuals for different roles, no single actor combining proposer and approver functions. The MDX requirement that "approvers must differ from the requester and from each other" is a direct application of this control.
Does not prove: AC-5 does not specify a two-person *approval* gate for individual actions; it governs role assignment at the organisational level. The transition from role-separation to per-action dual approval is Helmwart's agentic-AI specialisation.
MITRE ATLAS AML.M0029 — Human In-the-Loop for AI Agent Actions
AML.M0029 Human In-the-Loop for AI Agent Actions — description
"Systems should require the user or another human stakeholder to approve AI agent actions before the agent takes them. The human approver may be technical staff or business unit SMEs depending on the use case. Separate tools, such as dedicated audit agents, may assist human approval, but final adjudication should be conducted by a human decision-maker. The security benefits from Human In-the-Loop policies may be at odds with operational overhead costs of additional approvals. To ease this, Human In-the-Loop policies should follow the degree of consequence of the task at hand. Minor, repetitive tasks performed by agents accessing basic tools may only require minimal human oversight, while agents employed in systems with significant consequences may necessitate approval from multiple stakeholders diversified across multiple organizations."
Supports: Directly names "approval from multiple stakeholders diversified across multiple organizations" for high-consequence agent systems — the closest upstream analogue to the four-eyes requirement. Also names the degree-of-consequence tiering principle that the MDX "Tier discipline" requirement implements.
Does not prove: Does not mandate a minimum of exactly two approvers, or cryptographic signature capture, or identity-disjointness enforcement. Those specifics are Helmwart's operational implementation on top of the ATLAS framing.
MITRE ATLAS AML.M0026 — Privileged AI Agent Permissions Configuration
AML.M0026 Privileged AI Agent Permissions Configuration — description
"AI agents may be granted elevated privileges above that of a normal user to enable desired workflows. When deploying a privileged AI agent, or an agent that interacts with multiple users, it is important to implement robust policies and controls on permissions of the privileged agent. These controls include Role-Based Access Controls (RBAC), Attribute-Based Access Controls (ABAC), and the principle of least privilege so that the agent is only granted the necessary permissions to access tools and resources required to accomplish its designated task(s)."
Supports: Names the elevated-privilege agent scenario that makes dual-control necessary: agents operating with privileges above normal users. The controls listed (RBAC, ABAC, least privilege) are the access-control layer beneath which the dual-control gate sits for irreversible actions.
Does not prove: AML.M0026 is about constraining agent permissions, not about requiring human approval. It is a complementary control, not a source of the four-eyes principle itself.
NIST AI 600-1 — Generative AI Profile (NIST AI RMF)
GOVERN 1.3 — Action GV-1.3-002
"Establish minimum thresholds for performance or assurance criteria and review as part of deployment approval ("go/no-go") policies, procedures, and processes, with reviewed processes and approval thresholds reflecting measurement of GAI capabilities and risks."
Supports: Establishes the concept of "approval thresholds" for high-risk AI actions — the governance framing within which dual-control sits. Names an explicit review/approval gate ("go/no-go") as part of AI deployment governance.
Does not prove: GV-1.3-002 is about deployment-phase go/no-go policy, not runtime per-action approval. Does not name a two-person mechanism. The MDX claim that "MANAGE-2.4 names dual-control for high-stakes AI decisions" is a misattribution: MANAGE 2.4 covers deactivation and disengagement of non-performing AI systems, not dual-approval of individual actions.
NIST AI 100-1 — AI Risk Management Framework
MAP 3.5
"Processes for human oversight are defined, assessed, and documented in accordance with organizational policies from the GOVERN function."
Supports: Establishes the AI RMF requirement that human-oversight processes are defined, assessed, and documented — the governance infrastructure that dual-control implements for the highest-risk action class.
Does not prove: MAP 3.5 is a process-definition requirement, not a control mandate. It does not specify a two-person gate, a minimum number of approvers, or action-class criteria. Generic oversight framing.
FFIEC IT Examination Handbook — Information Security
No verbatim excerpt pulled yet — open the original to verify the cited section.
Supports: The FFIEC IT Examination Handbook names two-person controls for high-risk financial-transaction approval. This is the financial-services regulatory antecedent to applying dual-control at agentic AI payment and account-action gates.
Does not prove: The FFIEC handbook is behind a 403 access restriction on automated fetch; no verbatim excerpt was retrievable for cross-check. Cite with caution until manually verified. Does not name AI agents or LLM tool invocations.
COBIT 2019 — Segregation of Duties (IT Governance)
No verbatim excerpt pulled yet — open the original to verify the cited section.
Supports: COBIT 2019 names segregation of duties as a primary IT-governance principle and provides the enterprise governance framing within which dual-control for agentic AI actions sits.
Does not prove: COBIT is behind an ISACA paywall; no verbatim excerpt was retrievable for cross-check. Does not address AI agents or LLM tool invocations.