TABLE OF CONTENTS

Industry/News Company Updates Best Practices and How To Languages & Technologies Product Customer Stories

What is the Four Eyes Principle? A Developer's Guide to Safer Flag Changes

Tanaaz Khan

You've been there. It's 3 PM on a Friday, and someone on your team just toggled a feature flag on in production without a single review.

Next thing you know you’re spending the entire evening untangling an incident that could have been caught with one extra set of eyes.

This is the problem with moving fast in enterprise software: speed without oversight creates fragility. You want your team to ship quickly, but you also need controls that prevent mistakes.

That’s what the four-eyes principle helps with.

In this guide, you'll learn what the four eyes principle actually means, why it matters for feature flagging, and how to implement it in a way that scales with your team.

What is the four eyes principle?

The four eyes principle is a governance control that requires at least two people to review and approve any critical action before it takes effect. The name comes from a simple idea: two pairs of eyes catch more than one.

You'll find this principle across industries where the cost of risk is too high. When the stakes are high, you don’t rely on a single person’s judgement.

For example, banks use it to authorise large transactions and nuclear facilities use it to validate safety precautions.

In software development, the four eyes principle translates to requiring approval workflows for changes that could impact:

System stability
Security
Compliance
User experience

You don’t have to rely on just one developer to push changes into production anymore. They have to get it reviewed by a peer or senior developer and get it approved first.

Is the 4 eyes principle the same as segregation of duties?

Not really. Segregation of duties (SoD) separates responsibilities so no single person completes a sensitive process from start to finish.

For example, in a bank, the person who submits a payment request can't approve it and this helps prevent fraud.

When you’re implementing feature flags, a developer proposes a flag change and a team lead approves it. The developer can't approve their own change (SoD), and the team lead has to review the flag before approving (four eyes).

How does the four eyes principle relate to corporate governance and internal controls?

The four eyes principle is an internal control mechanism within governance frameworks. Governance decides who’s responsible and who’s accountable for certain actions—and internal controls enable it through specific procedures.

In an engineering organisation, this means governance decides how deployment workflows work. If your organisation has to comply with certain financial or healthcare regulations, the 4-eyes principle lets you enforce those approval processes with clear audit logs.

Why does the 4-eyes principle matter for feature flagging?

As feature flags give you complete control over production behaviour, that power comes with risk. You don’t want to toggle new functionality for thousands of users without having at least two people involved in that process.

Here are a few reasons why:

It reduces the potential for incidents

Every production incident involving a feature flag involves someone making a change in isolation without considering (or knowing) the consequences.

By ensuring that any flag changes that will impact important features get seen by at least two team members, you bypass the risk of an accident.

It makes sure you have an audit trail

In regulated industries, documentation matters as much as technical implementation.

If an auditor asks: "Who approved enabling this flag that affected customer data processing?" You need a clear answer with timestamps and documented review.

The four-eyes principle enables that—especially when you have an audit trail and approval workflow to back it up.

It lets you move fast without breaking things

Your team is always under the pump. That’s why it’s normal for developers to skip approvals when they’re informal or optional in nature.

But if you have the processes (and tooling) in place to ensure that’s not the case, everybody operates under the same constraints.

A 2 AM urgent fix still follows the same protocol as a calculated 12 PM release.

It enables knowledge transfer as your organisation grows

The principle also scales in ways that informal reviews don't.

When your team has five people, everyone knows what everyone else is working on. At 50+ people across multiple teams, that visibility disappears.

The four eyes principle creates structured touchpoints where knowledge transfers naturally as part of the approval process.

How to implement the 4-eyes principle in your development workflows

Here are a few ways in which you can implement the 4-eyes principle:

1. Define approval requirements based on flag risk

Not all your flags carry the same risk. Start by categorising your flags into tiers based on their potential impact.

For example, a feature flag that touches sensitive data should require the 4-eyes principle. But one that’s toggled on/off for changing a button colour doesn’t need one. It reduces the administrative burden and keeps processes focused on the things that truly matter.

2. Set up role-based access control (RBAC)

Your approval system needs to differentiate between who can propose changes and who can approve them. RBAC lets you define these boundaries clearly. For instance, in Flagsmith, we delineate it based on user groups and individual users.

For each user or group, you can let them make changes based on access to:

Organisation
Project
Environment

Source

This way, only the right users have access to the right environments and projects. A junior developer doesn’t need to access the foundational systems if they don’t have the training or experience in place.

3. Enforce approvals through change requests

A change request is a formal “proposal” of sorts that requires explicit approval before you implement a change.

When a developer wants to enable a flag, adjust targeting rules, or modify remote config values, they can create a change request that describes what's changing and why.

This creates an audit trail for security and compliance. The reviewer can:

See exactly what's being proposed
Comment with questions or concerns
Approve or reject the change

If something goes wrong later, you have a complete record of the change request.

4. Build audit trails automatically

Every flag change should generate an audit log entry that captures who did what and when. It helps you debug incidents, understand feature rollout history, and identify patterns in how your team uses flags.

Good audit logs record more than just "flag enabled." They capture the full context:

Who requested the change
Who approved it
What the previous state was
What targeting rules were applied
Any comments or justifications

Example of an audit trail in Datadog (through Flagsmith)

Source

5. Create emergency bypass procedures

The four eyes principle shouldn't prevent rapid incident response. You need to include exception paths so that you’re not stuck waiting on an approval during an outage or security incident.

So, define what qualifies as an emergency and what approvals can be bypassed. For example, platform engineers can toggle kill switches without approval during active incidents. But those actions should trigger automatic notifications to senior leadership and require post-incident review.

6. Integrate approvals into CI/CD pipelines

Your deployment pipeline should respect approval states. If a flag requires approval but hasn't received it, automated deployments that depend on that flag should fail or send out a warning. This prevents situations where approved code tries to use an unapproved flag configuration.

4 mistakes to avoid while using the 4-eyes principle

Here’s how you can avoid common pitfalls that come with relying on the 4-eyes principle:

1. Allowing self-approvals through workarounds

You can avoid many incidents using the 4-eyes principle, but only if you actually enforce it. If your team is able to work around them by creating flags elsewhere and promoting them without review, it’ll be hard to solve the governance problem.

Consider using additional measures like RBAC and having clear documentation around these processes.

As much as you trust your team, it should be technically impossible to skip approvals for high-risk changes. This way, you’ll be able to enforce it regularly.

2. Skipping the audit trail review

Many engineering teams have access to all the audit logs they need but never actually use the data. In fact, they might only review it when they’re doing a compliance audit.

That’s why you need to build in time to review approval workflows regularly. During these reviews, you should:

Review flags that cause confusion or overlap with other flags
Remove duplicate flags with similar workflows
Re-assign flags in case team members change
Look at old and current incidents to assess points of failure

Use this data to refine your risk tiers and improve your documentation.

3. Relying purely on manual reviews

While the 4-eyes principle requires human review, there’s no reason the whole process needs to be manual. There’s a chance that both reviewers miss the same problem or get “banner blindness” reviewing multiple requests at one.

In these cases, automation would work really well. You can use it to automate basic checks like:

Checking if the flag change matches naming conventions
If the targeting rules are syntactically correct
Reviewing whether the new flag conflicts with existing flags
Tagging the right reviewers when needed

4. Creating a rubber-stamp culture

The four eyes principle only works when both pairs of eyes actually look. If you don’t rotate reviewers regularly, or one reviewer simply defers to another's judgment, the whole process just becomes a formality.

In short: you’re creating a rubber-stamping culture. And this results in a false confidence in your governance.

Make sure you rotate reviewers and encourage them to ask questions or leave comments. As a result, you’ll have better notes on why changes are made.

Build trust in your organisation using the 4-eyes principle

The four-eyes principle is about building systems that let you move fast safely.

When approvals, audit trails, and risk-based reviews are part of your everyday workflow, governance stops feeling like red tape.

In the long run, you’ll create transparency, accountability, and shared confidence across your organization. Because when everyone can see why a change was made and who approved it, trust is the baseline for every action your team takes.

Interested in seeing how Flagsmith uses the 4-eyes principle for feature flagging? Try it for free today.

About the author

Flagsmith contributing technical writer.

October 17, 2025

De-Risking AI Adoption: How Feature Flags Help Enterprises Move Fast Without Breaking Trust

Adrian Gregory

October 7, 2025

Monitoring Feature Flag Performance with Flagsmith, Prometheus, and Grafana

Daniel Efe

September 25, 2025

What is Release Management and How Does it Work in Regulated Industries?

Tanaaz Khan

September 17, 2025

Banking and Modern Observability: Dynatrace Insights

Andreas (Andi) Grabner

September 4, 2025

No More Hardening Phases: Testing in the Age of Continuous Deployment

Pete Hodgson

September 1, 2025

How Modernisation is Changing Open Source Banking

Rob Moffat

August 5, 2025

Use Grafana to Track Feature Health in Flagsmith

Mia Loiselle

August 28, 2025

6 Lessons From the World's Best Open-Source Founders

Michael Dinerstein

May 14, 2025

Embracing Modernisation in Banking Through Platform Engineering

Benjamin Brial

May 9, 2025

Transitioning to Modern Authorisation Management

Alex Olivier

April 22, 2025

What Are Feature Flags? Everything Engineering Teams Need to Know

Ben Rometsch

April 7, 2025

A Conversation with Komerční Banka's Chief Software Architect

Mia Loiselle

March 26, 2025

GitOps for Feature Flags Using Terraform and Terrateam

Malcolm Matalka

March 25, 2025

Why It’s Time to Test in Production (+ How to Do It Safely)

Tanaaz Khan

January 22, 2025

How We Improved Our Docker Image Security Using Chainguard's Wolfi

Kim Gustyr

January 7, 2025

6 Best Enterprise-Grade Harness Alternatives & Competitors

Tanaaz Khan

October 28, 2024

How to Roll out Pricing Changes With Zero Customer Complaints

Matthew Elwell

September 16, 2024

How to Use Feature Flags for Trunk-Based Development

Kyle Johnson

August 21, 2024

7 Best LaunchDarkly Alternatives & Competitors

Tanaaz Khan

August 12, 2024

How Global Banks Use Feature Flags to Stay Competitive

Tanaaz Khan

July 24, 2024

How To Guide: Flagsmith Grafana Integration

Pradumna Saraf

July 23, 2024

New in Flagsmith: 2024 Feature Roundup

Matthew Elwell

July 23, 2024

Don’t Let a Flawed Release Take Your Company Down

Ben Rometsch

June 26, 2024

How to Guide: Flagsmith GitHub Integration

Pradumna Saraf

May 28, 2024

6 Best Firebase Remote Config Alternatives & Competitors

Tanaaz Khan

May 16, 2024

How to Transition to Modern Feature Management in Banking

Ben Rometsch

March 21, 2024

5 Feature Flag Management Pitfalls To Avoid To Keep Your Flags in Check

Tanaaz Khan

February 29, 2024

The Best Thing about Founding a Remote-First Company? Pickled Onion Monster Munch and The Beautiful Game

Ben Rometsch

February 28, 2024

Flagsmith Jira Integration Guide: A Comprehensive How-to Guide

Abhishek Agarwal

February 16, 2024

Guide: How to Create Observability-Driven Development with Feature Flags

Savan Kharod

January 31, 2024

Build vs. Buy for Feature Flags: My Experience as a CTO with a 20+ Engineer Team

Daniel Engelke

January 16, 2024

Announcing the Flagsmith Referral Programme

Anna Redbond

January 15, 2024

How We Measure Feature Flags’ Success

Kyle Johnson

December 20, 2023

Customer Story: Serenis

Anna Redbond

December 7, 2023

Announcing the Flagsmith Jira Integration

Anna Redbond

June 6, 2024

Spring Boot Feature Flags: A Step-by-Step Implementation Guide with a Working Java Spring Boot Application

Abhishek Agarwal

November 22, 2023

Employees on Bootstrapping

Anna Redbond

November 14, 2023

Our POV: When Bootstrapping Works (and When It Doesn't)

Anna Redbond

October 25, 2023

How to Onboard Feature Flag Management Tools

Anna Redbond

October 12, 2023

When is it time to move to feature flag software?

Olga Diaz

September 26, 2023

Why We Bootstrap

Ben Rometsch

September 6, 2023

The Enshittification of Basically all Digital Design. But in this Case, Specifically, the Slack Redesign.

Ben Rometsch

January 9, 2025

Ruby Feature Flags: A Step-by-Step Guide to Implementing Feature Flags in a Ruby on Rails Application

Zeeshan Afridi

September 1, 2023

Unlocking Efficiency: Transitioning to Modern CI Processes

Geshan Manandhar

August 29, 2023

Customer Story: Vontobel

Anna Redbond

Anna Redbond

June 30, 2023

Customer Story: Rain (VP of Platform Engineering)

December 1, 2020

Customer Story: Palo Alto Software

Ben Rometsch

March 14, 2020

What I’ve learned creating a React Native performance monitor

Kyle Johnson

September 20, 2024

How to Setup Feature Flags in Android using Kotlin

Anna Redbond

February 23, 2023

The actual infrastructure costs of running a global Edge API (part 2)

Ben Rometsch

May 3, 2023

Integrating your Flagsmith Project with Datadog: A Step-By-Step Guide with Real-Time Metrics

Abhishek Agarwal

May 10, 2024

Python Feature Flags & Toggles: A Step-by-Step Setup Guide in a Flask Application

Matthew Elwell

July 2, 2025

Java Feature Flags & Toggles: A Step-by-Step Guide with a Working Java Application

Abhishek Agarwal

November 16, 2022

Adventures in Terraform: How and why we built our Terraform Provider

Gagan Trivedi

April 8, 2025

Angular Feature Flags: a Step-by-Step Guide with a Working Application

Geshan Manandhar

January 30, 2025

Golang Feature Flags: A Step-by-Step Implementation Guide with a Working application

Abhishek Agarwal

June 29, 2022

Elixir feature flags: a step-by-step guide with an Elixir example

Ben Rometsch

June 6, 2022

How Banks Implement Feature Flags - Interview with KB Bank | Flagsmith

Ben Rometsch

June 16, 2022

.NET feature flag: a step-by-step guide with Xamarin example

Ben Rometsch

June 14, 2022

Our scariest release to date!

Ben Rometsch

June 15, 2022

The actual infrastructure costs of running SaaS at scale (billions of requests/month)

Ben Rometsch

January 2, 2022

How To Use Swift Feature Flags: iOS App with code examples

Ben Rometsch

May 11, 2022

Our CI/CD and release management process at Flagsmith

Ben Rometsch

January 21, 2022

How eFuse Uses Flagsmith for A/B & Multivariate Testing

Ben Rometsch

May 19, 2022

Flagsmith Submits OpenFeature as CNCF Sandbox Project | Flagsmith

Ben Rometsch

November 17, 2021

Using Flutter Feature Flags to Release Features Without Risk | Flagsmith

Ben Rometsch

May 24, 2024

How to Use JavaScript Feature Flags & Toggles to Deploy Safely [React.js Example]

Ben Rometsch

December 31, 2021

6 Metrics to Monitor When Rolling Out a New Feature Flag

Cassandra Polzin

September 29, 2021

How Inflow Improves Conversions Through A/B Testing with Flagsmith and Mixpanel

Ben Rometsch

October 7, 2021

5 Things I Learned Going from Open Source to Commercial Open Source

Ben Rometsch

April 25, 2024

Feature Flags Best Practices: The Complete Guide

Geshan Manandhar

September 23, 2021

Decoupling Deployment from Release with Feature Flags

Cassandra Polzin