11-5 · Chapter 11 · 5 min read

Why Recording Approvals and Evidence Matters More Than Getting a "Yes"

You just got verbal approval from your manager to deploy a database change late at night. They said "go ahead," you ran the deployment, and everything

Why Recording Approvals and Evidence Matters More Than Getting a "Yes"

You just got verbal approval from your manager to deploy a database change late at night. They said "go ahead," you ran the deployment, and everything seemed fine. A week later, something breaks. During the post-mortem, you say your manager approved it. Your manager says they don't remember approving anything like that. Now you're dealing with two problems: the technical issue that caused the outage, and a dispute over who authorized the change.

This scenario plays out more often than most teams admit. The approval happened, but there's no record of it. No proof of who said yes, when they said it, or what they saw before agreeing. Without that record, the approval might as well have never existed.

What a Real Approval Record Should Capture

A proper approval record answers three questions. Miss any one of them, and your audit trail has a hole that could cause real trouble later.

Here is what a complete approval record might look like in a pipeline audit log:

{
  "change_id": "DEPLOY-2024-11-05-142",
  "approver": {
    "name": "alice.chen",
    "role": "engineering_manager"
  },
  "timestamp": "2024-11-05T14:30:00Z",
  "evidence": [
    {
      "type": "test_results",
      "url": "https://ci.internal/pipeline/1234/test-report"
    },
    {
      "type": "security_scan",
      "summary": "0 critical, 2 high, 5 medium findings - all waived per policy"
    },
    {
      "type": "change_request",
      "url": "https://tickets.internal/CR-7890"
    }
  ]
}

Who Approved It

The pipeline needs to log the identity of the person who gave approval. Not just a name, but their role in the team. Was it the tech lead, the engineering manager, or a DBA? The role matters because it tells you whether that person had the authority to approve that type of change.

More importantly, the system needs to verify that the approval actually came from that person, not from someone else using their account. This is why approval workflows should run through systems integrated with your team's authentication, not through chat messages or emails that can be easily faked or forwarded. If someone can copy-paste an "approved" message from a Slack thread, you don't have an approval system. You have a screenshot game.

When It Was Approved

The timestamp needs to include minutes and timezone. This might sound like overkill until you need to reconstruct the sequence of events during an incident investigation.

Consider this timeline:

Change submitted at 14:00
Approval given at 14:30
Deployment to production at 14:45
Incident detected at 15:10

With clean timestamps, you can see exactly how things unfolded. Without them, you're guessing whether the approval came before or after the deployment. An approval that happens after the deployment is not an approval at all. It's a notification dressed up as governance.

What Evidence They Based It On

This is the piece most teams forget. Someone approved a change, but what did they actually see before clicking "approve"? Did they review the test results? Read the changelog? Check whether the change affects other systems? Or did they just trust that everything was fine?

The pipeline should capture the evidence that informed the decision. This could be:

A link to the pipeline run showing all gates passed
A screenshot of the security scan results
The reviewed change request document
A summary of what was checked and confirmed

When you capture this evidence, approval stops being a rubber stamp and becomes a verifiable decision. Anyone can look back later and see exactly what was known at the time of approval, not just that someone said yes.

Building the Audit Trail

These three pieces of information together form your audit trail. An audit trail is the complete record of what happened to a change from start to finish: who made it, who reviewed it, which gates it passed, who approved it, when it was deployed, and whether the deployment succeeded or failed.

A complete audit trail serves two purposes. First, it satisfies compliance requirements. Whether your company has internal policies or external regulations to follow, having a clear record of every change and who authorized it is often mandatory.

Second, and more practically, it makes incident investigation faster and less stressful. When something goes wrong, you don't need to track down people and ask "who did this?" or "why was this allowed through?" The answers are already recorded. You can focus on fixing the problem instead of reconstructing what happened.

Making It Work in Practice

Most modern CI/CD tools already capture some of this information. GitLab CI/CD, GitHub Actions, and Jenkins with the right plugins can log who approved a change and when. But the evidence part usually requires manual effort from the person giving approval.

The fix is simple but requires discipline: make it a habit that before approving, the approver adds a comment with a link or summary of what they reviewed. Without this habit, your approval records will just say "approved" with no context. That's barely better than having no record at all.

Some teams take this further by embedding evidence collection into the pipeline itself. The approval step can show a summary of test results, security scan findings, and change details right in the approval interface. The approver sees everything they need without leaving the pipeline, and the system logs what was displayed. This removes the need for manual comments and makes the evidence capture automatic.

A Quick Checklist for Your Approval Records

If you're setting up or reviewing your approval process, run through these checks:

Does the pipeline log the approver's identity and role?
Is the timestamp precise enough to reconstruct event sequences?
Is the evidence that informed the approval captured automatically or manually?
Can someone reviewing the audit trail six months later understand why this change was approved?
Is the approval system integrated with your team's authentication, not just a chat message?

The Bottom Line

Approval without a record is not approval. It's a conversation that might be remembered differently by everyone involved. When you capture who approved, when they approved, and what evidence they saw, you turn a casual "okay, go ahead" into a decision that can be reviewed, audited, and defended. That's the difference between a process that looks like it has controls and one that actually has them.