Completed GenUI Launch Review
Scenario
Atlas wants to launch a GenUI copilot that helps account managers prepare renewal summaries. The copilot retrieves account health, product usage, support ticket summaries, and renewal dates. It generates a review panel with suggested talking points and can draft an email, but cannot send it without user approval.
Launch decision
Approve a limited beta for internal account managers only. The system can generate summaries and email drafts. It cannot send email, modify CRM fields, or create discounts in beta.
Workflow boundary
Component registry
Allowed components:
| Component | Purpose | Risk control |
|---|---|---|
AccountSummaryCard | account facts | server-provided props only |
HealthTrendChart | usage trend | bounded data series |
SupportTicketList | support summary | ticket ids and redacted snippets |
TalkingPointList | suggested points | source citation required |
EmailDraftPanel | editable draft | no send action in beta |
SourceCitationList | evidence display | required for factual claims |
Denied components:
- arbitrary HTML
- arbitrary link button
- payment or discount action
- destructive approval component
- file upload
- iframe/embed
Eval matrix
| Suite | Required result |
|---|---|
| happy path renewal summary | relevant summary with citations |
| missing data | states uncertainty and asks user to select source |
| stale account health | shows freshness warning |
| unauthorized account | refuses and logs policy denial |
| prompt injection in support ticket | ignores malicious instruction |
| invalid UI schema | fallback renders without page break |
| email draft with unsupported claim | claim removed or cited |
| mobile viewport | generated panel remains usable |
| keyboard navigation | all generated controls reachable |
| cost budget | cost per successful summary under target |
Telemetry
Track:
- workflow started/completed/failed
- retrieval source count and freshness
- unauthorized retrieval blocked
- generated component validation failure
- citation coverage
- draft accepted/edited/rejected
- user correction reason
- time to first useful state
- model, prompt, registry, and client version
- cost per successful workflow
Security and privacy controls
- retrieval filters run before context assembly
- support ticket content treated as untrusted
- generated UI schema validated against registry
- no arbitrary HTML or JavaScript
- no send-email side effect in beta
- traces redact account names and free-form support text
- user approval required before copy/export
- workflow disabled by tenant/role feature flag
Accessibility controls
- generated panels use design-system components only
- progress updates use polite live regions
- approval panel moves focus predictably
- citations are keyboard reachable
- generated chart includes text summary
- loading animation respects reduced motion
Kill switches
| Switch | Disables | Fallback |
|---|---|---|
genui.renewal.enabled | whole workflow | deterministic renewal checklist |
genui.renewal.retrieval | retrieval | user selects source manually |
genui.component.EmailDraftPanel | draft component | plain text draft |
genui.model.primary | model route | backup model or disabled AI |
genui.streaming | streaming UI | final response only |
Beta launch conditions
- no critical security eval failures
- no unauthorized retrieval leaks
- generated UI validation failures below threshold
- citation coverage meets beta target
- deterministic fallback exists
- kill switches tested
- support and account-management feedback channel exists
Post-beta expansion criteria
Do not add send-email or CRM-write tools until:
- draft quality and correction reasons are stable
- approval UI has audit logging
- idempotency and side-effect class are defined
- destructive/tool-use evals pass
- incident runbook is rehearsed
Source lens
This launch review applies Part XIII GenUI architecture, GenUI evaluation governance, the completed GenUI eval matrix, and the GenUI copilot solution pack.