# Governance

## The firewall
Automated scoring and human judgement are separated by a hard boundary. A score, sub-score
or ranking only **re-orders the human review queue**. Everything with real-world consequence
happens on the human side: a trained reviewer may act, escalate or dismiss; the model may not.

## Human-in-the-loop
No suspension, report, disclosure or other adverse action may be triggered by a score. Human
review must be **meaningful** (GDPR Art. 22), with reviewers trained on the model's limitations
and base rates.

## No naming, no vigilantism
The scored list never leaves the review function and is never attached to a public identity.
Public exposure and watch-lists are prohibited. False positives in this domain are gravely harmful.

## Lawful escalation only
Confirmed cases are escalated through lawful channels (US NCMEC CyberTipline under 18 U.S.C.
2258A; UK IWF; EU DSA trusted-flagger), initiated by a human finding and logged — never by the model.

## Data protection
Heightened protection for minors' data; data minimisation; retention limits; full audit logging
of every flag, disposition, escalation and model version. A DPIA is required before real use.

## Fairness
One population base rate; the system flags **behaviour, not identity**. Per-subgroup precision and
calibration must be audited; below-floor cohorts are not relied upon until remediated.
