Chapter BAI for emailPage 7 of 8

AI for email

Verification and send gates

Generation creates a candidate; verification and a deliberate send gate turn it into accountable communication.

~15 minQuality and control

Before you start

Why this matters

Imagine an AI drafts a polished apology but addresses the wrong customer, quotes an expired refund policy, and mentions an attachment that is missing. Write the three checks that would have prevented those mistakes. Which check requires a person with authority rather than another tone pass from the same model?

1Learn the idea

Read

Fluent is not verified

An AI draft can look finished because its grammar, transitions, and tone are smooth. That appearance is not evidence that names are correct, dates exist, recipients are authorized, links work, attachments are present, or commitments are approved.

Verification asks whether the message is true and fit for its purpose. A send gate asks whether the right person has reviewed the right things before the external action occurs. Both are necessary because sending changes the world: it informs people, creates expectations, exposes data, and may become a business record.

The sender remains accountable. “The AI wrote it” does not transfer responsibility. Keep visible states for draft, reviewed, approved, ready to send, and sent. Editing prose does not verify an attachment, and approving content does not confirm that autocomplete selected the correct address.

Read

Use a layered verification pass

Reading the draft repeatedly from top to bottom is unreliable. Review in layers, each with one question.

Intent and action

Does the draft achieve the original goal? Is the primary request obvious? Can the recipient tell what to do, by when, and why? Is the requested action within the sender’s authority? A beautifully written draft fails if the recipient cannot act correctly.

Claims and evidence

Highlight every factual claim: names, dates, times, amounts, status, causes, quotations, policy statements, forecasts, and links. Match each to an authoritative source. Label it as confirmed fact, estimate, proposal, inference, or unknown. If the model introduced a claim that is absent from the source, remove it, verify it independently, or turn it into a question.

Inspect omissions too. A draft can contain no false sentence and still mislead because it drops a condition, exception, or unresolved risk. Compare the final message with the original brief, not only with the previous draft.

Commitments and authority

Look for “will,” “guarantee,” “approved,” “resolved,” “refund,” “waive,” and exact deadlines. Ask who authorized every promise. “We aim to deliver Friday” is not the same as “We will deliver Friday.” Models often prefer decisive prose, so modal verbs deserve deliberate review.

An accurate sentence can still be unauthorized. Messages involving legal positions, employment action, health or safety, security incidents, financial transfers, regulated disclosures, or public statements need the designated expert or approver.

Audience and tone

Check the real relationship, not an imagined generic recipient. Is the wording respectful, proportionate, and accessible? Does it blame, patronize, pressure, over-apologize, or imitate intimacy? Would the tone remain acceptable if forwarded without context? Calm language must not conceal bad news or erase responsibility.

Privacy and security

Review To, Cc, and Bcc. Confirm that every recipient needs the information. Remove unnecessary quoted history. Inspect subjects, signatures, tracking links, and attachments for sensitive content. Treat payment changes, credential requests, unexpected links, and urgent secrecy as possible fraud signals. Verify through a trusted second channel rather than replying to contact details in the request.

Mechanics

Confirm recipient names and pronouns; dates, time zones, currencies, and units; link destinations; attachment presence; filenames and versions; document comments, tracked changes, hidden sheets, and metadata; unresolved placeholders; and a specific subject. Mechanics are mundane and consequential.

Read

Match the gate to consequence

Not every message needs the same review. Use risk tiers.

Low risk: routine internal scheduling or acknowledgment with no sensitive data or commitments. The sender performs a brief verification and manually sends.

Medium risk: external updates, customer replies, project commitments, or messages containing non-public information. Require the full checklist and, where policy says so, review by the accountable owner.

High risk: legal, employment, security, safety, medical, financial, regulatory, crisis, or major reputational communication. Require qualified review, approved channels, and explicit authorization. AI may have only a narrow drafting role.

Risk rises with scale. A minor error sent to 50,000 people is not low risk. Bulk email needs test sends, sampled personalization checks, rendering tests, consent and unsubscribe controls, rate limits, and a stop mechanism.

Strengthen the gate when impact, sensitivity, uncertainty, sender authority, or irreversibility rises. Useful controls include source-owner review, manager or specialist approval, independent verification for account changes, and pause-and-escalate behavior when information conflicts. Silence or a timeout must not count as approval for a consequential message.

Read

Separate compose from send

The safest default is that AI may propose text but cannot send it. Keep a boundary between:

  1. generated draft;
  2. human edits;
  3. verified final content;
  4. approved recipients, links, and attachments;
  5. deliberate send action.

The final gate should happen as close as practical to the external effect. Reviewing a draft before recipients or attachments are added does not verify the final message. Read the completed message once after all edits because late changes can reintroduce an error that an earlier review fixed.

If a system supports automatic sending, add controls outside the prompt: allowlisted recipients, scoped permissions, rate limits, content rules, uncertainty handling, approval queues, logs, and a kill switch. Prompt instructions alone cannot enforce these boundaries.

Also verify delivery details outside the prose. Every promised file must be attached, every link must open the intended current resource with suitable permissions, placeholders must be resolved, and scheduled-send settings must be intentional. Email may be the wrong channel for a safety emergency, credential compromise, or rapidly changing incident.

Read

Use a pre-send readback

For consequential email, read back a compact summary:

Sending to: customer contact and account owner.
Purpose: request approval of option B.
Commitment: implementation begins 20 August if approved by 15 August.
Attachments: proposal v3 and pricing schedule.
Sensitive content: confidential pricing.
Reviewer: commercial lead.

This exposes hidden assumptions. If the summary surprises you, do not send. AI can help extract candidate claims and checklist items, but it cannot independently validate sources, know who is authorized, or declare its own draft approved.

For higher-risk mail, maintain a small claim ledger: each operational claim, its source, verification status, and approver. Preserve a record of who approved which version. The goal is not bureaucracy; it is placing a meaningful decision before an external effect.

Read

Learn from near misses

When a reviewer catches an invented date, missing attachment, unauthorized promise, or disclosure, record the failure pattern without retaining unnecessary sensitive content. Improve the relevant prompt, template, interface, policy control, or gate.

Useful measures include the percentage of drafts requiring factual correction, unsupported commitments caught, recipient or attachment near misses, escalations correctly triggered, and time saved after review rather than before it. Track incident severity, not only user satisfaction.

Fast generation with slow correction may not be a productivity gain. A good system reduces total effort while maintaining or improving safety. Repeated near misses are evidence that the workflow needs redesign, even if no message has yet caused visible harm.

Checking tutor…

Continue learning · glossary & guides
  • Why should claims, commitments, privacy, and mechanics be reviewed separately?
  • Where should the final send gate occur?
  • What can make a routine message high risk at scale?
  • Name four controls needed beyond a prompt for automatic sending.
  • Why can a factually correct sentence still require approval?
  • Glossary: human in the loop · Cheatsheet: safe sharing checklist