6
Items in approval state
Core Approval Flow
The goal is to make authorization simple enough to follow and strong enough to govern risk.
Request Submitted
The request enters through the shared intake path with the business need, desired timing, and affected users or systems.
IT Review
IT validates that the request is understandable, classifies the work, and determines whether approval is required.
Business / Risk Approval
The right approver confirms access, ownership, risk acceptance, or tradeoff decision depending on the request type.
Implement And Notify
Once approved, IT proceeds with the work, records the decision, and updates the requester and stakeholders.
Who Approves What
Different requests should not all route to the same person. This keeps governance simple and credible.
| Request Type | Primary Approver | Secondary Review | Example |
|---|---|---|---|
| Access / identity | Business owner or supervisor | IT validates least privilege | Temporary staff onboarding |
| Security exception | Risk owner / manager | Security governance review | MFA exception review |
| Priority tradeoff | Leadership sponsor | IT manager outlines queue impact | Leadership dashboard automation vs other enhancement |
| Planned change | Service owner / change authority | IT readiness confirmation | Energy Strategy site update |