How we operate and what we're accountable for
Governance isn't a section we add at the end. It's designed into every workflow we build. This page explains exactly how we handle the things that matter.
How Norsewave handles approvals
Every workflow we implement has defined approval gates before consequential actions are taken. We do not build automation that commits to external actions — sending communications, triggering payments, modifying records — without a defined approval step.
Approval gates can be automated based on rules (e.g., amounts under a threshold route automatically) or manual (a human sees and approves before the action proceeds). The threshold and routing logic is documented, client-approved, and reviewable.
Approval logs are retained and auditable. You can always see what was approved, by whom, when, and what action resulted.
Human-in-the-loop policy
Norsewave designs all AI-assisted workflows with explicit human-in-the-loop requirements. AI surfaces outputs to a human for review — it does not take final action autonomously in workflows where errors have material consequences.
The scope of 'material consequence' is defined with the client before build begins. High-stakes decisions — financial commitments, patient-facing communications, compliance-triggering actions — always route to human review regardless of AI confidence scores.
Human review interfaces are designed to be genuinely useful, not rubber-stamp queues. We show the human context, the AI's reasoning, and the available actions. We track override rates and tune when humans are consistently disagreeing with AI outputs.
Data handling posture
Norsewave does not retain client operational data beyond the scope of the engagement. Data accessed during implementation is used for testing, training, and validation — not retained, analyzed, or shared.
We document all data flows for every system we touch: what data moves where, who has access, how it's encrypted in transit and at rest, and what the retention and deletion policy is.
We do not pass client operational data to AI model providers without explicit client consent and documented data processing agreements. Model selection considers data residency requirements.
We recommend that clients maintain data governance policies before AI is introduced to any workflow touching sensitive operational, customer, or compliance data.
Observability and auditability
Every workflow we deliver has monitoring built in. Not optional. Not added later. Logging, alerting, and exception reporting are part of the acceptance criteria for every engagement.
Observability covers: step completion rates, error rates, exception volumes, processing latency, and AI confidence distributions where applicable. Dashboards are handed off to the client, not retained by Norsewave.
Audit logs are structured, timestamped, and retained per the client's data governance policy. Every significant system action — approvals, automated decisions, AI outputs, exception escalations — is logged in a format that can be searched and exported.
We do not build black-box workflows. If you can't see what it did and why, we haven't finished.
How contractor agents are controlled
Contractor agents operate within explicitly bounded scopes. The scope is documented before deployment and cannot be modified by the agent. Any attempt to act outside scope is logged and flagged.
Every contractor agent has a named human owner at the client organization. That owner is accountable for approving the agent's continued operation, reviewing its outputs on the agreed cadence, and escalating anomalies.
Agent actions are logged in full: input, output, model used, timestamp, confidence score. Logs are client-owned and retained per the client's data governance policy.
We require a staging validation period before any contractor agent enters production. The agent must meet defined acceptance criteria in a test environment before live deployment.
Contractor agents can be suspended or decommissioned without workflow disruption. We build fallback paths into every agent-assisted workflow so that if the agent is stopped, the workflow continues through a manual channel.
What Norsewave will not automate
We will not automate decisions that require human accountability and cannot be reasonably reversed. Final employment decisions, patient care decisions, and legal commitments are not appropriate automation targets.
We will not automate any workflow where the client does not have a governance plan for reviewing outputs and correcting errors. Automation without oversight is a liability, not an asset.
We will not implement AI in workflows where the data quality is insufficient to support reliable outputs. We will tell the client what data quality improvements are needed first.
We will not build automation designed to obscure decision-making or create plausible deniability for human choices. Every automated decision must have a traceable audit trail.
We will not take on engagements where the goal is to replace human accountability with automated accountability. Automation supports people — it does not remove their obligation to own outcomes.
Claim substantiation policy
We do not make claims about specific ROI, cost savings, or performance improvements that we cannot substantiate. Marketing claims are grounded in documented client outcomes, not vendor case studies or industry benchmarks.
Case studies on this site use actual client data or clearly anonymized workflow patterns. We note when examples are anonymized and what they represent.
When we describe outcomes on client engagements, we state the measurement methodology alongside the result. 'Invoice generation reduced from 5 days to same-day' means what it says, measured the way we say it was measured.
If we cannot substantiate a claim to a reasonable standard, we don't make it.
When Norsewave recommends doing less
We will tell you when your current stack is already enough. This happens in roughly one in four initial workflow audits. Sometimes the right answer is a configuration change, not a build.
We will tell you when an automation project would add complexity without proportional benefit. Simple manual processes that work reliably are sometimes better left alone.
We will recommend a cheaper path if it achieves the same outcome. If a native integration or an existing tool feature handles the problem, we point you there — even if it means less work for Norsewave.
This posture is a business decision, not charity. Clients who trust us because we told them to do less come back when they have problems that are worth solving.
How vendor costs are separated from Norsewave fees
Norsewave fees cover our labor: design, build, testing, documentation, training, and governance setup. Vendor and platform costs — software subscriptions, API usage, cloud infrastructure, AI model costs — are quoted separately.
We provide vendor cost estimates as part of every scoping engagement. You know what you're paying Norsewave and what you're paying a third party before you commit to either.
We do not receive referral fees, commissions, or revenue sharing from software vendors. Our recommendations are based on what fits your workflow — not what's financially advantageous to us.
Vendor contracts are held by the client, not by Norsewave. You own your infrastructure and your vendor relationships. If you stop working with Norsewave, your systems keep running.