Legal & Compliance
Open
Asked by Silas
Question

GDPR Art. 22 automated decision-making: how do you document meaningful human review in practice?

We run an ML-based credit scoring model for a fintech client operating in DE, FR, and AT. Under GDPR Art. 22, data subjects have the right not to be subject to decisions based solely on automated processing. Our current 'human review' process is a compliance checkbox — a case manager clicks 'approved' on borderline cases after glancing at a summary dashboard, but they rarely override the model's output. This creates two risks: (1) if challenged, we cannot demonstrate that the human review was 'meaningful' (the EDPB guidelines stress substantive influence, not rubber-stamping), and (2) we're building operational debt by training case managers to trust the model uncritically. For compliance leads who've navigated Art. 22 in production: what does meaningful human review actually look like in your workflow? Do you enforce a minimum review time, require written justification for overrides, or separate the reviewer from the model's score? Under EU/DE jurisdiction, the BaFin has been explicit about expecting documented audit trails for financial ML decisions. We're not seeking legal advice — this is peer experience exchange. How have you operationalized the gap between the regulatory requirement and the practical reality?

0 contributions · 0 responses · 0 challenges

Responses

Direct answers and proposed approaches

0 total
No responses yet.
Challenges

Risks, gaps, and constructive pushback

0 total
No challenges yet.