Every conversation I have with a head of loss prevention follows a similar arc. They ask whether QuantumEye can ban someone automatically. They ask whether the system can call the police. They ask whether it can flag an individual without a manager getting involved.
The answer to all three is no. And the reason is the same reason we built the product this way in the first place: an AI in a surveillance product needs a different bar. Human-in-the-loop isn't a feature we added to look responsible; it's the foundational architectural choice the rest of the platform sits on top of.
What 'human-in-the-loop' actually means
The phrase has been hollowed out by marketing teams. Vendors stick a checkbox on a dashboard that a human clicks and call it human-in-the-loop. That's not what we mean.
In QuantumEye, a human is required to make any consequential decision: every theft confirmation, every police-report approval, every ban-list addition. The platform proposes; a human disposes. The model is a senior analyst, not a junior decision-maker.
- The model surfaces candidate detections with confidence scores and evidence.
- A reviewer with the right role sees the candidate, the clip, the prior events, the audit chain.
- The reviewer accepts, rejects, or escalates. Every decision is timestamped, attributed, and written to an append-only log.
- Until the human acts, no consequential action happens.
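The gate and log described in the list above, as an added Python example (not QuantumEye's code). The role names, record fields and the SHA-256 hash chain used to make the append-only log tamper-evident are assumptions; the page states only that decisions are timestamped, attributed and written to an append-only log.

```python
import hashlib, json, time

# Hypothetical role-to-decision mapping; the page does not list QuantumEye's roles.
ROLE_CAN_DECIDE = {"store_manager": {"theft_confirmation"},
                   "lp_lead": {"theft_confirmation", "ban_list_addition", "police_report"}}
GENESIS = "0" * 64

class AuditLog:
    """Append-only log; each entry commits to the previous entry's hash."""
    def __init__(self):
        self._entries = []
    def append(self, record):
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        body = json.dumps(record, sort_keys=True)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self._entries.append({"prev": prev, "body": body, "hash": digest})
        return digest
    def entries(self):
        return [dict(e) for e in self._entries]  # copies; callers cannot edit the log

def verify_chain(entries):
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, e in enumerate(entries):
        expected = hashlib.sha256((prev + e["body"]).encode()).hexdigest()
        if e["prev"] != prev or e["hash"] != expected:
            return i
        prev = e["hash"]
    return -1

def decide(log, candidate, reviewer, role, decision, now=None):
    """Server-side gate: log the human decision; True only if the action may proceed."""
    if decision not in {"accept", "reject", "escalate"}:
        raise ValueError("unknown decision")
    allowed = candidate["action"] in ROLE_CAN_DECIDE.get(role, set())
    log.append({"ts": time.time() if now is None else now, "reviewer": reviewer,
                "role": role, "candidate": candidate["id"], "action": candidate["action"],
                "decision": decision, "authorized": allowed})
    return allowed and decision == "accept"  # model confidence is never consulted here

def demo():
    log = AuditLog()
    cand = {"id": "det-001", "action": "ban_list_addition", "confidence": 0.97}  # constructed
    results = [decide(log, cand, "alice", "store_manager", "accept", now=1),  # wrong role
               decide(log, cand, "bob", "lp_lead", "escalate", now=2),        # no action yet
               decide(log, cand, "carol", "lp_lead", "accept", now=3)]        # action proceeds
    tampered = log.entries()
    tampered[0]["body"] = tampered[0]["body"].replace("false", "true")  # rewrite history
    return results, verify_chain(log.entries()), verify_chain(tampered)
```

Denied and escalated attempts are logged as well as accepted ones, so the chain records who tried to act, not only who succeeded.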
Why 'fully autonomous' fails under GDPR
UK GDPR, like its EU parent, has explicit rules about automated decision-making in cases where the decision is significant, and a face-recognition match that leads to a ban or a police referral absolutely qualifies. The right thing for retailers to do is to assume the strictest interpretation will be the one enforced.
Why human-in-the-loop is faster, not slower
The objection I hear from operators is intuitive: surely making humans approve everything is a bottleneck. In practice it's the opposite, and the reason is the workflow, not the technology.
A typical pre-QuantumEye incident workflow looks like this: a manager notices that something feels off. They go to the back office. They scrub CCTV for the better part of an hour. They write a report by hand. They forward it as a PDF. The total elapsed time from event to forward is often 60–90 minutes.
With QuantumEye and proper human-in-the-loop, the workflow becomes: the AI flags the moment. The manager opens the alert. The clip, the face, the prior events, the audit chain are already attached. The manager reviews, adds context, taps Confirm. The report is forwarded. Total time: minutes, not the better part of an hour.
Three questions to ask any vendor
If you're evaluating a retail AI vendor, us or anyone else, there are three questions whose answers tell you whether they take this seriously.
- Who has to approve a ban-list addition? If the answer involves no human at all, walk away.
- Where does the audit log live, and is it append-only? If it's mutable, it isn't an audit log.
- Who is accountable when the model is wrong? If the answer is 'the manager who clicked Confirm,' you've now exposed every store manager. If it's 'the vendor,' that's also a problem. The right answer is a shared responsibility model with clear escalation paths.
Where QuantumEye lands
Every action-taking call in QuantumEye (confirming a theft, approving a report, toggling a rule, drafting a new rule) requires inline confirmation. RBAC is enforced server-side. Audit logs are append-only. The model is a participant in the decision, never the decision-maker.