Require password authentication for merge request approval.
CFR Part 11 compliance for digitally signed change requests. Specifically, this.
For FDA/government regulated workflows, there must be a way to ensure that the authorized user was the person who approved a merge request. Otherwise, it could be said that someone else did it on a computer that was already logged in. This improves accountability.
We have done an extensive review of the features of GitLab EE, and this is the only thing preventing medical companies from using GitLab EE for product documentation and risk management.
Bitbucket Server has a plugin that offers this feature: https://marketplace.atlassian.com/apps/1211303/workzone-pullrequest-workflow?hosting=server&tab=overview