Decision Framework

Every AI Decision Is Actually Seven Decisions.
By The 1938 Group | 4 June 2026 | Johannesburg
Most people treat the use of an AI tool as a single action. You open the tool, type the prompt, get the output and use it.
It isn’t. It is seven decisions, each with its own set of rules, risks, and accountability implications. When those decisions are made unconsciously, or not made at all, the AI will take it upon itself to create problems: a hallucinated fact in a client deliverable, sensitive data entered a public tool, an AI-generated recommendation acted on without any human reviews in place.
The 1938Group AI Usage Decision Framework gives your team a structured, seven-step process for every AI interaction. This isn’t a bureaucratic checklist. It’s a habit, one that takes seconds for routine tasks and provides the right guardrails for high-stakes work.
The 7-Step AI Decision Framework at a Glance
Every time your team reaches for an AI tool, these are the seven questions that need answers:
# | STEP | THE QUESTION | THE RULE |
|---|---|---|---|
1 | TASK | Is AI appropriate for this task? | Drafting, summarising, brainstorming: yes. Final decisions affecting people: no. |
2 | TOOL | Is this tool approved for this use? | Tier 1 (Enterprise): GREEN + AMBER. Tier 2 (Vetted Public): GREEN only. Unapproved: stop. |
3 | DATA | What is the classification of my input? | RED = stop. AMBER = sanitise or get approval. GREEN = proceed. Mixed content = highest classification. |
4 | RISK | What if AI makes an error here? | High stakes: full VERIFY + expert review + documentation. Low stakes: sanity check. |
5 | PROMPT | Is my prompt clear, constrained, and safe? | Use RCTCF: Role, Context (no RED), Task, Constraints, Format. No sensitive data in context. |
6 | VERIFY | Have I checked the output before acting? | Apply VERIFY: Validate, Examine, Review, Identify, Flag, Your Judgment. Every time. |
7 | DOCUMENT | Am I taking responsibility for this output? | Document AI usage for high-stakes work. Modify as needed. You own it from here. |
The steps are sequential for a reason. A problem at Step 1 means Steps 2 through 7 are irrelevant. A data classification failure at Step 3 cannot be corrected by excellent verification at Step 6. The framework is a gate system, meaning that each step must be cleared before the next one can start.
STEP 1 | Task Assessment Is AI appropriate for this task? |
|---|
This is the question most teams skip. They have an AI tool, they have a task, and the tool seems useful, so they proceed with the task. Unfortunately, not every task should be dealt with the assistance of AI. To get this wrong at Step 1 creates a compounding problem throughout all the steps that follow.
The Task Assessment divides tasks into two categories: OK/CAUTION
TASK TYPE | AI ROLE | YOUR REQUIREMENT | STATUS |
|---|---|---|---|
Drafting & writing | AI good for first drafts | Human review and finalise before use | OK |
Analysis & summarisation | AI good for summaries | Verify accuracy, especially claims and numbers | OK |
Research & learning | AI good as a starting point only | Verify ALL facts independently | OK |
Creative & ideas | AI good for ideation | Human judgment applies to all selections | OK |
Technical & code | AI good for scaffolding & review | Security review required before production | OK |
Decision-making | AI can support analysis only | Human makes the decision. Always. | CAUTION |
Real-time information | AI not appropriate | Training data is historical. Verify with live sources. | CAUTION |
Legal or medical advice | AI not appropriate without review | Expert review is non-negotiable | CAUTION |
Three task types deserve added attention because they generate errors that cost the most:
Decision-making
AI can prepare analysis, surface options, and draft recommendations. It cannot make the decision. Final decisions, especially those affecting employment, credit, legal rights, healthcare, or safety, require a human decision-maker. This isn’t a preference. It is a policy requirement, and in many contexts, a legal one.
Tasks requiring current information
AI models have training cutoffs. After that date, they extrapolate. Asking a model trained on 2024 data about a 2026 regulatory development will produce a confident, potentially fictional answer. Always verify time-sensitive information through primary sources.
Legal and medical contexts
AI can help research, draft, and structure. It cannot be used as a substitute for professional advice. Any output used in legal, medical, or regulatory contexts requires expert review before use, without exception.
STEP 2 | Tool Selection Is this tool approved for this use? |
|---|
Not all AI tools are equal, and the distinction matters for what data you can legitimately input. The 1938Group framework uses a tiered approval system:
Tier 1 - Enterprise Approved: Tools deployed within organisational infrastructure or with contractual data protection guarantees. GREEN and AMBER data permitted (with appropriate controls). Examples: Microsoft Copilot under an enterprise licence, internal AI platforms.
Tier 2 - Public Vetted: Public tools reviewed and approved for limited use. GREEN data only. No AMBER, no RED. Examples: public ChatGPT, Claude.ai, Gemini, depends on your organisation's approved list.
Not on the approved list: Treat as prohibited until formally evaluated. The evaluation process exists for a reason - submit a request through your designated contact rather than proceeding on a judgement call.
The data classification and the tool tier must align. AMBER data in a Tier 2 public tool is a policy violation, regardless of how convenient the tool is. When in doubt: use a higher-tier tool or sanitise the data down.
STEP 3 | Data Classification What classification applies to everything I am about to input? |
|---|
This is the step with the most direct compliance implications, and the one the 1938Group Data Classification Guide covers in depth. The core rule here is simple and non-negotiable:
List all information you plan to input . Prompts often contain context that carries classification implications. The client’s name in a prompt context. The project name. The financial figure used as an example.
Classify each piece independently. RED means stop. AMBER means sanitise or get approval. GREEN means proceed.
Apply the highest classification to the entire input. If one element is RED, the whole input is RED. You cannot average down. You can only classify up.
When handling AMBER information: Sanitise it and get approval process from the relevant authorization. For RED information: the alternative approaches are a higher-tier tool with appropriate data protections, or a reframing of the task that removes the sensitive element completely.
STEP 4 | Risk Assessment What happens if AI makes an error in this output? |
|---|
Step 4 is where the verification standard gets set. This framework distinguishes three risk levels based on the consequence of an AI error, not the probability of one. AI errors are always possible. The question is, what is the cost of the error?
STAKES | EXAMPLES | VERIFICATION REQUIRED |
|---|---|---|
HIGH | Client deliverables, published content, decisions affecting people, regulatory submissions | Full VERIFY + expert review + documentation of verification performed + manager approval |
MEDIUM | Internal documents, colleague emails, working drafts | Full VERIFY framework + fact-check all key claims |
LOW | Personal brainstorming, informal notes, easily corrected internal work | Quick sanity check - does this seem reasonable? Any obvious errors? |
The most important insight here: the risk assessment is about the output's destination and impact; not about how confident the AI seems. High-confidence AI outputs can still be wrong.
STEP 5 | Prompt Design Is my prompt clear, constrained, and safe? |
|---|
A poor prompt creates inefficiency problems, quality inconsistencies and safety concerns. Vague prompts can only produce vague outputs, and vague outputs are more likely to be full of hallucinations, the output will wander into unintended areas or miss the point completely. The 1938 Group's RCTCF framework gives your team a consistent structure for every prompt:
COMPONENT | PURPOSE | EXAMPLE | WHEN TO USE |
|---|---|---|---|
R - ROLE | Define the AI's perspective and expertise | "You are a financial analyst specialising in..." | When specific expertise or tone is needed |
C - CONTEXT | Provide necessary background, no RED data | "This is for a mid-sized retail company in..." | Check every word here against RAG before sending |
T - TASK | Specify exactly what you want done | "Summarise this report focusing on risk factors..." | Always required, be precise |
C - CONSTRAINTS | Set boundaries to control output quality | "Do not invent statistics. Maximum 200 words. Avoid..." | Protects against hallucination and scope creep |
F - FORMAT | Specify how the output should be structured | "Present as a numbered list with a one-line summary each" | When format matters for use |
Three RCTCF components carry specific safety implications:
• Context: This is the highest-risk component from a data protection standpoint. Every word of context must be checked against the RAG classification before the prompt is submitted. RED data in the context field is a data breach in progress.
• Constraints: These are your primary tool against hallucination. 'Do not invent statistics.' 'If uncertain, say so.' 'Stay within the scope of the provided information.' 'Do not cite sources you cannot verify.' These constraints do not eliminate hallucination risk, but they reduce it and create a basis for evaluating the output.
• Task: Precision here directly predicts output quality. 'Summarise this' is a poor task specification. 'Summarise this in 200 words, focusing on the three main risks identified, avoiding any claims not supported by the text' is a controlled, verifiable task.
Before sending any prompt: no RED data included, AMBER data sanitised or approved, task is precisely specified, constraints protect against hallucination, you are prepared to verify the output. If any of these is not true, do not submit.
STEP 6 | Execute and Verify Have I checked this output before acting on it? |
|---|
Step 4 set the verification standard. Step 6 is where you apply it. The VERIFY framework, introduced in Module 1 and mandatory across the programme, provides the structure for this:
• V - Validate: Do cited sources exist? Can you find the original? How accurate are the quotes? This step alone would have prevented the phantom court case disaster that sanctioned two US lawyers in 2023.
• E - Examine: Does the reasoning make sense? Are there internal contradictions? Does the logical flow hold when you trace it?
• R - Review: Does this match what you know? What do authoritative sources say about the key claims? Especially for territory outside your direct expertise, this step requires an external check.
• I - Identify: What is missing? What assumptions has the AI made that you did not specify? What gaps exist between what you asked and what was answered?
• F - Flag: Does this need legal review? Technical review? A subject matter expert? When the answer is yes that review must happen before the output is used.
• Y - Your Judgment: Would you stake your professional reputation on this content? Does it feel right, beyond the mechanics of the checks above? This is the final human check, and it happens to be the most important one.
Verification is not optional for high-stakes work, and it is not a formality for medium-stakes work. The output you verify is the output you own.
STEP 7 | Document and Use Am I taking responsibility for this output? |
|---|
The final step is also the most accountability-defining one. Once you use an AI output, in a document, a decision, a communication, a deliverable. You become responsible for that information as if you created it yourself.
For high-stakes usage, documentation is required. This means recording; the AI tool used, the nature of the prompts, the type of output received, the verification steps performed, the human modifications made, and the reviewer or approver. This documentation is your evidence of professional diligence, and in a POPIA enforcement action, a legal dispute, or an internal audit, it is the difference between demonstrating responsible use and having no answer at all.
Disclosure requirements also apply in specific contexts: client agreements may require disclosure of AI involvement, academic and research submissions have their own standards, and regulatory submissions may have explicit requirements. When in doubt, disclose. Transparency is a policy principle, not a liability.
THE ACCOUNTABILITY PRINCIPLE | You are now responsible for this content as if you created it yourself. 'The AI generated it' transfers no accountability. Verify, modify, take ownership, or don’t use it. |
|---|
Putting It Together: The Framework in Practice
A compliance manager at a South African financial services firm needs to draft a summary of updated regulatory guidance for the leadership team. Here is the framework in action:
Step 1: Task assessment - AI appropriate for drafting and summarising. Not for providing final legal interpretation. Proceed.
Step 2: Tool - Tier 2 public tool on the approved list. Only GREEN data permitted.
Step 3: Data classification - the regulatory guidance itself is public (GREEN). The internal context about why leadership needs this is AMBER. Sanitise the context or use the tool without it.
Step 4: Risk assessment - this is going to leadership. HIGH stakes. Full VERIFY + expert review (Legal) + documentation required.
Step 5: Prompt - Role: compliance analyst. Context: GREEN only. Task: summarise sections 4-7 of the attached guidance. Constraints: do not add interpretation, present only information in the source; flag any ambiguous areas. Format: executive summary with a bullet list of key obligations.
Step 6: Verify - validate all section references against the original document, review key claims with Legal, flag two areas of ambiguity for expert commentary. Documented.
Step 7: Document and use - AI tool, prompts, verification steps, Legal review recorded. Manager approved. Summary distributed with a note that AI assisted with drafting and human review was performed.
Seven conscious decisions. A defensible process. An output that can withstand scrutiny.
Follow The 1938 Group on LinkedIn for the weekly module teasers or visit 1938group.com for more.
Your team is making AI decisions right now. Are they making them consciously? The 1938 Group AI Safety Workshop embeds the 7-step AI Decision Framework into your team's daily habits - with practical exercises, real SA scenarios, and accountability tools that stick beyond the training room. Book your workshop: info@the1938group.co.za |