The Override That Wasn't: How Paper Compliance Masks AI Control Failures

In late 2023, a Medicare Advantage plan used an AI-driven claims system to deny a $4,300 procedure for a patient with a documented condition that met coverage criteria under the plan's own clinical guidelines. The denial notice included instructions for appeal: a board-certified specialist had 72 hours to submit a 14-page exception form, complete with supporting imaging and a written justification addressing the algorithm's specific rejection codes. The patient's physician was in a rural practice with two other doctors, a full patient schedule, and no administrative support for multi-hour paperwork sprints. The override existed on paper. In practice, it was a dead letter. This is not a malfunction story. The AI performed exactly as designed, applying the policy thresholds it was trained on and flagging the claim for standard review. The problem sits one layer deeper, in the design of the override pathway itself. When we talk about human override in AI decision systems—in healthcare claims, loan underwriting, employee scheduling, benefits eligibility—the conversation usually centers on whether an override mechanism exists. Regulators require it. Vendor documentation lists it. Audit checklists verify it. But existence is the wrong metric. The relevant metric is clock time from detection to completed intervention, measured against the window in which the decision can still be reversed without harm. In the Medicare Advantage case, that window was 72 hours for a clinical appeal, but the actual time required to assemble documentation, consult with the denied patient, and file the form ran well past what a working physician could reasonably allocate. The Centers for Medicare and Medicaid Services mandates appeal pathways under its 2024 rules for AI-driven utilization management. Those rules are silent on response-time feasibility. The result is a system that is technically compliant and practically uninterruptible—not because anyone removed the override button, but because the cost of pressing it exceeds the resources of the person who needs to press it. This pattern repeats across domains. A mid-sized employer using AI-driven scheduling software may allow shift managers to override automated assignments, but only by logging a justification in a system that flags every override for regional review, creating a paper trail that discourages the behavior. A mortgage underwriting AI may permit loan officers to overturn a denial, but requires them to document three comparable approved loans from the same quarter to justify the exception—a burden that makes the override functionally unavailable for edge cases, which are precisely where it is most needed. The override is not missing. It is priced out of use. The distinction matters because it separates two very different failure modes. When an AI system denies an override outright, that is a technology problem—a missing feature, a broken interface, a hard-coded rule. When an AI system offers an override that cannot be exercised under real-world constraints, that is a process design problem. And process design problems are harder to catch because they pass every audit check. The procedure is documented. The form exists. The escalation path is defined. What is absent is any measurement of whether the path can be walked in the time available. Enterprise risk-tiering frameworks—human-in-the-loop, human-on-exception, fully autonomous—create a false sense of control when they classify systems by the presence of override mechanisms without also classifying them by the feasibility of those mechanisms under operational load. A system that requires a specialist to clear 90 minutes of focused work within a 72-hour window is not meaningfully interruptible if that specialist is already working at 110% of capacity. The framework says "human-on-exception." The lived experience says "no exceptions in practice." The diagnostic question to ask about any AI decision system is not "does an override exist?" but "how many minutes does it take, from detection to completed intervention, for someone with typical workload and no special escalation privileges?" If the answer exceeds the window in which the decision can be reversed without cascading consequences, the override is performative. It serves audit-readiness, not genuine controllability. That is the gap regulators have not yet closed, and it is the gap that will determine whether human oversight remains a meaningful safeguard or becomes another checkbox in a compliance folder.