Corporate AI Policy

Comprehensive policy governing acceptable and prohibited AI use, guiding principles, human oversight requirements, and accountability frameworks.

2.1 Purpose & Scope

This Corporate AI Policy establishes the mandatory requirements for the ethical, secure, and lawful use of Artificial Intelligence across all operations of CSA Digital Asset Developers and its client organisations. It applies to all employees, contractors, vendors, and third parties who develop, procure, deploy, or operate AI systems on behalf of the organisation.

Purpose

  • Define acceptable and prohibited uses of AI within the organisation.
  • Establish minimum standards for responsible AI development and deployment.
  • Protect the organisation, its stakeholders, and the public from AI-related harm.
  • Ensure compliance with applicable laws, regulations, and contractual obligations.
  • Provide a clear framework for accountability, oversight, and continuous improvement.

Scope

This policy applies without exception to:

  • All generative AI tools, including but not limited to large language models (LLMs), image generators, code assistants, and multimodal systems.
  • All machine learning models used for prediction, classification, recommendation, or autonomous decision-making.
  • All AI-powered automation, robotic process automation (RPA), and intelligent process automation (IPA).
  • All third-party AI services, APIs, and platforms used by or on behalf of the organisation.
  • All data used to train, fine-tune, prompt, or evaluate AI systems.
  • All AI outputs, decisions, recommendations, and generated content distributed internally or externally.

Policy Violation

Use of AI in contravention of this policy constitutes a breach of employment conditions and may result in disciplinary action up to and including termination. Material breaches may also trigger regulatory notification obligations.

2.2 Definitions

The following definitions apply throughout this policy and the broader governance framework. Where terms are used in a specific technical context, the technical definition shall prevail over the general definition.

Term | Definition
--- | ---
Artificial Intelligence (AI) | Any machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments.
Generative AI | AI systems capable of generating new content — including text, images, audio, video, code, or synthetic data — that did not exist in the training data in that precise form.
Prompt Injection | An attack vector where malicious input is crafted to override or bypass the intended instructions of a language model, causing it to produce unintended outputs or disclose sensitive information.
Hallucination | Generation of content by an AI system that is factually incorrect, nonsensical, or unrelated to the input context, presented with unwarranted confidence.
Model Poisoning | The deliberate corruption of training data or model weights to cause an AI system to behave in a manner desired by the attacker.
Human-in-the-Loop (HITL) | A governance control requiring human review, approval, or override before an AI-generated output or decision is finalised or acted upon.
High-Risk AI | AI systems that affect fundamental rights, safety-critical decisions, financial eligibility, employment outcomes, or access to essential services.
Shadow AI | The use of AI tools or services by employees without organisational knowledge, approval, or security oversight.

2.3 Acceptable AI Use

The following uses of AI are permitted subject to the controls, approvals, and oversight requirements specified in this policy and related procedures.

Permitted Use Categories

Category | Description | Approval Required | Controls
--- | --- | --- | ---
Content Drafting | Using AI to generate first drafts of emails, reports, presentations, and marketing copy. | Manager | Human review before distribution; accuracy verification; no confidential data in prompts.
Code Assistance | Using AI coding assistants for suggestions, documentation, test generation, and refactoring. | Team Lead | Code review mandatory; no proprietary algorithms in public AI tools; licence compliance check.
Data Analysis | Using AI to analyse structured datasets, identify patterns, and generate insights. | Data Owner | Data anonymisation; access control; output validation; retention limits.
Customer Support | Deploying AI chatbots and virtual assistants for Tier-1 customer enquiries. | Product Owner | Escalation pathways; human override; accuracy monitoring; sentiment analysis.
Document Processing | Using AI for OCR, classification, summarisation, and extraction from documents. | Process Owner | Data classification review; accuracy benchmarking; exception handling.
Recruitment Screening | Using AI to screen CVs, schedule interviews, and assess candidate fit. | HR Director | Bias auditing; human final decision; candidate notification; appeal process.

General Condition

All permitted AI use is subject to the overarching requirements of human oversight, data protection, security controls, and compliance with applicable laws. The absence of a category from this table does not constitute permission.

2.4 Prohibited AI Use

The following uses of AI are strictly prohibited. No waiver, exception, or deviation is permitted without written approval from the Chief Governance Officer and the Board Risk Committee.

Absolutely Prohibited Activities

  1. Using AI to generate, disseminate, or amplify disinformation, deepfakes, or misleading content targeting individuals, organisations, or democratic processes.
  2. Deploying fully autonomous AI systems for decisions affecting human safety, liberty, or fundamental rights without meaningful human oversight.
  3. Using AI to circumvent security controls, conduct unauthorised surveillance, or access restricted data.
  4. Inputting classified, restricted, or personally identifiable information into public generative AI tools or unapproved third-party services.
  5. Using AI to make final decisions on hiring, termination, promotion, or disciplinary action without human review and documented rationale.
  6. Deploying AI systems that have not completed the mandatory risk assessment, security review, and ethics approval processes.
  7. Using AI to manipulate, deceive, or coerce customers, employees, or other stakeholders.
  8. Engaging in 'shadow AI' — using unapproved AI tools for work purposes without registering the tool, completing risk assessment, and obtaining approval.

Violation | Consequence | Reporting
--- | --- | ---
Shadow AI use | Written warning, mandatory retraining, tool removal | Security team, line manager
Confidential data in public AI | Suspension pending investigation, regulatory notification | CISO, Data Protection Officer
Unapproved high-risk deployment | Project halt, disciplinary action, audit finding | AI Steering Committee
Disinformation / deepfakes | Termination, legal action, regulatory referral | Board, legal counsel
Autonomous safety-critical AI | Immediate shutdown, investigation, regulatory notification | Board, regulators

2.5 Human Oversight & Accountability

Meaningful human oversight is a non-negotiable requirement of this policy. The following matrix establishes minimum oversight requirements based on AI system risk classification.

Risk Level | Oversight Requirement | Documentation | Review Frequency
--- | --- | --- | ---
Critical | Human-in-the-loop for every decision; mandatory dual approval | Full audit trail, decision rationale | Real-time
High | Human-in-the-loop; single approver with override authority | Decision log, exception register | Daily
Medium | Human-on-the-loop; sampling-based review with escalation triggers | Sample review records, trigger logs | Weekly
Low | Human-over-the-loop; periodic spot checks and trend analysis | Review schedule, trend reports | Monthly

Accountability Hierarchy

  • Accountable Executive: Bears ultimate responsibility for AI system outcomes, compliance, and risk posture. Typically the relevant C-suite executive or business unit leader.
  • Responsible Manager: Day-to-day operational responsibility for AI system performance, monitoring, and incident response.
  • Technical Owner: Responsible for model architecture, data pipelines, security controls, and technical documentation.
  • Ethics Guardian: Independent reviewer responsible for assessing ethical implications and ensuring fairness and non-discrimination.

2.6 Bias Management & Fairness

AI systems shall be designed, trained, tested, and monitored to prevent, detect, and remediate unfair bias. Fairness is not a one-time activity but a continuous obligation throughout the AI lifecycle.

Bias Management Lifecycle

  1. Design Phase: Document protected attributes, define fairness metrics, and establish demographic parity targets.
  2. Data Phase: Audit training data for representation gaps, historical bias, and proxy variables that may encode discrimination.
  3. Training Phase: Apply fairness-aware machine learning techniques, adversarial debiasing, and constraint-based optimisation where appropriate.
  4. Testing Phase: Validate model performance across demographic subgroups, measure disparate impact, and test for intersectional bias.
  5. Deployment Phase: Implement real-time fairness monitoring with automated alerts when metrics drift beyond acceptable thresholds.
  6. Review Phase: Conduct periodic bias audits with independent reviewers, publish findings to the Ethics Review Panel, and remediate within defined timeframes.

  • Fairness metrics are defined and documented for every AI system affecting individuals.
  • Training data has been audited for representation and bias by an independent reviewer.
  • Model performance has been validated across all relevant demographic subgroups.
  • Real-time fairness monitoring is operational with defined alert thresholds.
  • Bias audit findings are reported to the Ethics Review Panel and Board annually.
  • Remediation plans exist for all identified fairness gaps with assigned owners and deadlines.
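The Testing and Deployment phases above call for measuring disparate impact across demographic subgroups (including intersectional ones) and alerting when metrics drift past a threshold. The following is an added illustration of what such a check can look like in code; it is not part of the policy and not the organisation's own tooling. It computes two common selection-rate metrics, demographic parity difference and disparate impact ratio, over a constructed set of screening decisions. The threshold defaults (0.10 gap, 0.80 ratio, which mirrors the four-fifths rule of thumb) and the minimum group size are assumptions chosen for the example, not figures from this policy.

```python
from collections import defaultdict

# Constructed sample: (total applicants, approved) per gender/age-band cell.
# These counts are invented for illustration and are not real outcomes.
SAMPLE_SPEC = {
    ("M", "under40"): (25, 18),
    ("M", "over40"): (25, 12),
    ("F", "under40"): (25, 12),
    ("F", "over40"): (25, 8),
}


def make_records(spec):
    """Expand per-cell counts into one decision record per applicant."""
    records = []
    for (gender, age_band), (total, approved) in spec.items():
        for i in range(total):
            records.append({"gender": gender, "age_band": age_band,
                            "approved": i < approved})
    return records


SAMPLE_RECORDS = make_records(SAMPLE_SPEC)


def selection_rates(records, attributes, min_group_size=20):
    """Positive-outcome rate per subgroup, keyed by the tuple of attribute values.

    One attribute gives a single-axis view; several give the intersectional
    view. Subgroups below min_group_size (assumed default) are returned
    separately because their rates are too noisy to act on.
    """
    counts = defaultdict(lambda: [0, 0])  # key -> [total, approved]
    for rec in records:
        key = tuple(rec[attr] for attr in attributes)
        counts[key][0] += 1
        counts[key][1] += int(bool(rec["approved"]))
    rates, excluded = {}, {}
    for key, (total, approved) in counts.items():
        if total >= min_group_size:
            rates[key] = approved / total
        else:
            excluded[key] = total
    return rates, excluded


def demographic_parity_difference(rates):
    """Largest gap in selection rate between any two subgroups (0 = parity)."""
    return round(max(rates.values()) - min(rates.values()), 4)


def disparate_impact_ratio(rates):
    """Lowest selection rate divided by the highest (1 = parity)."""
    highest = max(rates.values())
    return round(min(rates.values()) / highest, 4) if highest > 0 else 0.0


def evaluate_fairness(records, attributes, max_dp_difference=0.10,
                      min_di_ratio=0.80, min_group_size=20):
    """Compute both metrics and return alerts when they cross the thresholds.

    Thresholds are assumed defaults for this example; a deployed monitor would
    take them from the fairness targets documented in the Design phase.
    """
    rates, excluded = selection_rates(records, attributes, min_group_size)
    if len(rates) < 2:
        return {"rates": rates, "excluded": excluded,
                "alerts": ["insufficient subgroups"]}
    dp = demographic_parity_difference(rates)
    di = disparate_impact_ratio(rates)
    alerts = []
    if dp > max_dp_difference:
        alerts.append(f"demographic parity difference {dp} exceeds {max_dp_difference}")
    if di < min_di_ratio:
        alerts.append(f"disparate impact ratio {di} below {min_di_ratio}")
    return {"rates": rates, "excluded": excluded, "dp_difference": dp,
            "di_ratio": di, "alerts": alerts}


if __name__ == "__main__":
    # Single-axis view first, then the intersectional view, which exposes a
    # wider gap than either attribute alone.
    for attrs in (("gender",), ("gender", "age_band")):
        result = evaluate_fairness(SAMPLE_RECORDS, attrs)
        print(attrs, result.get("dp_difference"), result.get("di_ratio"),
              result["alerts"])
```

Running it on the constructed sample shows the point of intersectional testing: by gender alone the gap is 0.20 with a ratio of 0.67, but by gender and age band together the gap widens to 0.40 with a ratio of 0.44, so a monitor that only checks one protected attribute understates the disparity. The `excluded` entry in the result is what a deployed monitor would surface as "insufficient sample" rather than silently treating a tiny subgroup's rate as a finding.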