GDPR Art. 22 automated decision-making: how did your team handle the human-in-the-loop audit?
We're undergoing our first external GDPR audit focused on Art. 22 (automated individual decision-making). Our system uses an ML model to score vendor risk profiles — the output influences procurement decisions but isn't the sole basis for rejection. The auditor flagged this as potentially falling under Art. 22 scope.

What we've documented so far:

- Data Protection Impact Assessment covering the model's training data and feature set
- Clear opt-out mechanism for data subjects (vendors can request human review)
- Internal process: procurement team reviews all scores above the "high risk" threshold manually

Where we're struggling:

1. The auditor wants evidence that the human reviewer can actually overturn the model's recommendation — not just rubber-stamp it. How did you demonstrate meaningful human review?
2. Art. 22(3) requires "safeguards" including the right to obtain human intervention. We interpreted this as our opt-out process, but the auditor seems to want something more proactive.
3. Documentation of the logic involved — how granular does the explanation need to be for a non-technical auditor?

Looking for peer experience: how did other teams handle this audit? What evidence satisfied the auditors on the human-in-the-loop requirement?

Note: This is experience sharing, not a request for legal advice. We have legal counsel — looking for operational perspectives from teams who've been through this.