(a) Understand the capacities and limits of the system and monitor for anomalies, dysfunction, and unexpected performance.
Helix mechanism. Every Helix playbook is a versioned DAG with a published spec (e.g. packages/playbooks/security-alert-triage/spec.json) declaring the steps the agent is permitted to take, the success contract for each step, and the failure edge. Operators can read what the system is allowed to do before it runs. Every run emits a structured, tenant-scoped audit trail; spend, latency, and error-rate anomalies trip the model-gateway breakers and surface in the tenant dashboard.
(b) Remain aware of the possible tendency to automatically rely on, or over-rely on, output produced by a high-risk AI system (automation bias).
Helix mechanism. The triage queue presents Helix output with the evidence the decision was based on, the confidence score, and a visible “why this severity” trace. High and critical findings are never auto-actioned; the operator must affirmatively close or act on them. Suggested actions are labeled as recommendations, never as completed work.
(c) Correctly interpret the high-risk AI system's output, taking into account the available interpretation tools and methods.
Helix mechanism. Every Helix output ships with: the inputs it saw, the playbook step that produced it, the model-gateway request id, the tenant-scoped enrichment context, and the rule or rationale used to assign severity. Output is structured (Zod-validated at every boundary), not free-form prose, so the operator interprets the same fields every time.
(d) Decide, in any particular situation, not to use the high-risk AI system or otherwise disregard, override, or reverse its output.
Helix mechanism. Every Helix recommendation can be overridden by the operator; overrides are written back as labeled lessons that feed the HEAL strand, so the system tunes towards the operator’s judgment. Tenants can disable an entire playbook or scope it down to a subset of sources from the control plane without contacting support.
(e) Intervene in the operation of the high-risk AI system or interrupt it through a 'stop' button or a similar procedure.
Helix mechanism. Helix runs behind a centralized model gateway that holds a kill-switch, per-tenant spend breakers, and an anomaly breaker. The kill-switch halts further agent calls for a tenant within seconds and is reachable from the tenant control plane and from an out-of-band MSP runbook. Already-queued jobs drain to a human-review state rather than executing.
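The stop behaviour described under (e), as an added sketch that is not Helix code: the kill-switch and spend breaker are checked when a job is dispatched rather than when it is queued, so jobs queued before the switch was tripped end in human review instead of running. The class, method, and field names are hypothetical, and the anomaly breaker is omitted.

```typescript
// Added illustration. Every name here is hypothetical, not a Helix API.
type Reason = "admitted" | "unknown_tenant" | "kill_switch" | "spend_breaker";
interface Job { id: string; tenant: string; estCostCents: number; }
interface TenantState { killSwitch: boolean; spentCents: number; limitCents: number; }

class ModelGateway {
  private tenants = new Map<string, TenantState>();
  private queue: Job[] = [];

  addTenant(tenant: string, limitCents: number): void {
    this.tenants.set(tenant, { killSwitch: false, spentCents: 0, limitCents });
  }

  enqueue(job: Job): void {
    this.queue.push(job);
  }

  // Operator 'stop': flips the tenant flag; nothing is removed from the queue.
  trip(tenant: string): void {
    const state = this.tenants.get(tenant);
    if (state) state.killSwitch = true;
  }

  // Admission check made at dispatch time, not enqueue time. Any reason other
  // than "admitted" means the job goes to human review and no agent call is made.
  admit(job: Job): Reason {
    const state = this.tenants.get(job.tenant);
    if (!state) return "unknown_tenant"; // fail closed
    if (state.killSwitch) return "kill_switch";
    if (state.spentCents + job.estCostCents > state.limitCents) return "spend_breaker";
    state.spentCents += job.estCostCents;
    return "admitted";
  }

  // Drain the queue in order and report the outcome per job id.
  drain(): Map<string, Reason> {
    const outcomes = new Map<string, Reason>();
    for (const job of this.queue.splice(0)) outcomes.set(job.id, this.admit(job));
    return outcomes;
  }
}
```
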
Scope of this posture
Helix Phase 1 ships the Security Alert Triage playbook, which the operator may classify as a high-risk AI system under Annex III of the AI Act depending on deployment context. This posture is written to satisfy Article 14 regardless of that classification, so the controls travel with the product into any deployment. The supporting provider-side obligations (risk management, data governance, technical documentation, logging, transparency, accuracy/robustness, conformity) are tracked in the internal AI Act conformity register and surfaced to clients on request.