The Decision Assurance Levels
Not every decision deserves the same rigor. The Decision Assurance Levels (DAL) grade a decision A through E by what happens if it is wrong — and prescribe how much assurance, and how much automation, each level requires. Right-sized assurance, by design.
Status: open, versioned, and in draft. This is the Decision Assurance Levels specification at version 0.1 (draft). It is published as an open, vendor-neutral standard for public comment as the founding cohort convenes. It is intended to be cited and adopted now, and revised through an open, versioned process. To cite this draft, reference "Decision Assurance Levels (DAL), v0.1 draft, Decision Assurance Council."
Assurance that is over-applied and under-applied at once.
Most organizations review almost every decision with roughly the same ceremony, regardless of what is at stake. A reversible, low-impact choice waits in the same review queue as a bet-the-company one. The result is assurance that is simultaneously too heavy for trivial decisions and not nearly rigorous enough for catastrophic ones.
The Decision Assurance Levels fix this by right-sizing assurance to consequence. Grade each decision by what happens if it is wrong; the level then prescribes how much assurance rigor the decision requires — and how much it may be automated.
Borrowed from a discipline that has trusted it for decades.
DAL is the direct descendant of Design Assurance Levels in safety-critical aerospace engineering. The standard DO-178C grades airborne software A through E by the severity of failure — Level A (catastrophic, loss of aircraft) demands the most rigorous process; Level E (no effect) demands almost none.
The Decision Assurance Levels apply that same, battle-tested logic to decisions. The deliberate acronym echo makes the framework legible to architects, safety engineers, and regulated-industry leaders who already trust the original.
We extend DO-178C's logic and lineage. We do not claim its certification, equivalence, or compliance.
Classify a decision by its consequence.
A decision's level is a function of three factors. The highest applicable factor governs — a catastrophic-but-rare failure still rates high.
Severity
How bad is a wrong decision — financially, in safety, in regulatory standing, in reputation, in strategy?
Reversibility
How hard and costly is the decision to undo once it is made?
Blast radius
How many systems, people, and customers does the decision touch?
When in doubt, classify up. Under-assuring a high-stakes decision is the costly error. Classification disputes resolve toward the more conservative reading.
The five Decision Assurance Levels.
Each level sets the required assurance and the maximum permitted autonomy for a decision of that consequence.
| Level | Decision profile | Required assurance | Autonomy cap |
|---|---|---|---|
| DAL A | Catastrophic, irreversible, enterprise-wide. A wrong call threatens the business, safety, or regulatory standing. | Full board, all domains, plus an independent second review; complete evidence, rationale, and dissent recorded; mandatory human decision. | Advisory only — a human always decides. |
| DAL B | Critical, hard to reverse, major. Significant cost or risk; expensive to unwind. | Full board review; evidence-cited findings; governing rules enforced; human decides on the record. | Human decides; automation may recommend with conditions. |
| DAL C | Significant, moderately reversible. Real but bounded impact. | Standard board review; the system surfaces concerns and enforces inviolable rules; human sign-off. | Decide with human confirmation. |
| DAL D | Minor, reversible, local. Limited, easily corrected impact. | Light review; the system recommends; human spot-check or veto window. | Decide with a human veto window. |
| DAL E | Negligible, fully reversible, no material effect. Conformant to an established, tested standard. | Automated assurance with complete logging. | Autonomous, with an audit trail. |
Illustrative examples — DAL A: re-architecting a core platform; security architecture for crown-jewel systems; data architecture with regulatory exposure. DAL B: introducing a new system of record; a major integration pattern. DAL C: adopting an approved-list technology; standard application onboarding. DAL D: minor component choices within standards. DAL E: changes fully conformant to an established, tested standard.
Two axes. Operating autonomy is the lower of the two.
DAL is not the only dial. The consequence of the decision is one axis; the autonomy a system has earned in general is another. They must be combined.
DAL — criticality
Set by this decision's consequence. It fixes the required assurance and the maximum permitted autonomy for the decision in front of you.
The autonomy ladder — earned
The autonomy a system has earned in general, on measured evidence, from shadow operation up to broader authority.
The rule
Operating autonomy is the lower of the two. A system that has earned broad autonomy must still drop to advisory for a DAL A decision.
High stakes mean a human keeps control — every time.
The autonomy caps are the science, written into the standard.
This is where the framework is anchored in evidence rather than preference. Pre-registered research (Open Science Framework, Digital Object Identifier 10.17605/OSF.IO/ZWM3S) found that an artificial-intelligence board does not make the call better than a strong human expert, and tends to over-reject.
The Decision Assurance Levels encode that finding as policy: the higher the stakes, the more the framework requires human control — not because the machine is forbidden, but because the evidence says the human should decide. The caps are stated as evidence-based and revisable; the standard improves as the science does.
What scales with the level.
The net effect is lighter governance for the long tail of low-stakes decisions, and heavier, defensible governance where it actually matters — the opposite of one-size-fits-all.
| Assurance control | DAL E | DAL D | DAL C | DAL B | DAL A |
|---|---|---|---|---|---|
| Domains reviewed | Auto-check | Relevant | Relevant + cross-cutting | Full board | Full board + independent second review |
| Evidence / grounding | Logged | Light | Standard | Cited | Cited + verified |
| Dissent captured | — | On request | Yes | Yes | Yes, with rationale |
| Documentation / audit | Record | Record | Full | Full | Full + sign-off chain |
| Re-review cadence | None | On change | Periodic | Periodic | Scheduled + on change |
| Human role | Audit only | Veto window | Confirm | Decide | Decide + independent reviewer |
Stewarded openly, changed in the open.
To be a category standard rather than one vendor's marketing, the Decision Assurance Levels are stewarded openly by the Council — a published specification, a versioned change process, and cross-industry working groups, exactly as standards bodies steward their own frameworks.
- Proposal → working-group draft → public comment → Steering Committee ratification → dated release.
- All decisions, rationale, and version history are public.
- Classification disputes default to the more conservative reading; the framework recalibrates periodically against real outcomes.
Cite it. Adopt it. Help shape v1.0.
The Decision Assurance Levels are open and freely usable, even in draft. Founding endorsers shape the specification as it moves from v0.1 toward a ratified v1.0.