diff --git a/scripts/check-risk-block.sh b/scripts/check-risk-block.sh
index 7f518b4..165994e 100644
--- a/scripts/check-risk-block.sh
+++ b/scripts/check-risk-block.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
-# Block apply if risk is HIGH or FAILED.
+# Block apply if risk is HIGH or FAILED, unless an override exists.
 #
 # Usage: check-risk-block.sh
 #
 # Exits 0 if safe to apply, 1 if blocked.
-# Slack notification is handled by notify-high-risk.sh in the review step —
-# no duplicate alert here.
+# On HIGH risk, checks S3 for an override.json signed by the apply-gate Lambda.
+# Requires: PLAN_BUCKET, GITHUB_REPOSITORY, GITHUB_RUN_ID env vars.
 
 set -e
 
@@ -17,5 +17,15 @@ if [ "$RISK" != "HIGH" ] && [ "$RISK" != "FAILED" ] && [ -n "$RISK" ]; then
   exit 0
 fi
 
-echo "Auto-apply blocked (risk=${RISK})."
+# Check for a signed override in S3
+PLAN_PREFIX="plans/${GITHUB_REPOSITORY}/${GITHUB_RUN_ID}"
+OVERRIDE_KEY="${PLAN_PREFIX}/override.json"
+
+if aws s3 ls "s3://${PLAN_BUCKET}/${OVERRIDE_KEY}" > /dev/null 2>&1; then
+  echo "Override found: s3://${PLAN_BUCKET}/${OVERRIDE_KEY}"
+  echo "Proceeding with HIGH risk apply."
+  exit 0
+fi
+
+echo "Auto-apply blocked (risk=${RISK}). No override found."
 exit 1
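Review bot: The `if aws s3 ls "s3://${PLAN_BUCKET}/${OVERRIDE_KEY}"` check treats the mere existence of override.json as authorization, while the new header comment promises an override "signed by the apply-gate Lambda"; nothing in this hunk fetches the object or verifies a signature, so any principal with PutObject on the `plans/<repo>/<run>/` prefix of PLAN_BUCKET can lift a HIGH or FAILED block by writing an empty file. `aws s3 ls` on an object path is also a prefix listing, so a key such as `override.json.tmp` would satisfy it; use `aws s3api head-object --bucket "$PLAN_BUCKET" --key "$OVERRIDE_KEY"` for an exact-key test, or better `aws s3 cp` the object to a `mktemp` file and verify the Lambda's signature and that the payload names this GITHUB_RUN_ID before exiting 0, failing closed on any verification error. The override path is also reached when RISK=FAILED, yet the comment and the `Proceeding with HIGH risk apply.` message mention only HIGH — either exclude FAILED (an assessment that never ran should not be lifted by the same artifact) or document and log it honestly, e.g. `echo "Proceeding with risk=${RISK} apply (override present)."`. The `if [ "$RISK" ... ]` block whose `exit 0`/`fi` open this hunk starts outside it.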