Corporate AI Policy
Comprehensive policy governing acceptable and prohibited AI use, guiding principles, human oversight requirements, and accountability frameworks.
2.1 Purpose & Scope
This Corporate AI Policy establishes the mandatory requirements for the ethical, secure, and lawful use of Artificial Intelligence across all operations of CSA Digital Asset Developers and its client organisations. It applies to all employees, contractors, vendors, and third parties who develop, procure, deploy, or operate AI systems on behalf of the organisation.
Purpose
- Define acceptable and prohibited uses of AI within the organisation.
- Establish minimum standards for responsible AI development and deployment.
- Protect the organisation, its stakeholders, and the public from AI-related harm.
- Ensure compliance with applicable laws, regulations, and contractual obligations.
- Provide a clear framework for accountability, oversight, and continuous improvement.
Scope
This policy applies without exception to:
- All generative AI tools, including but not limited to large language models (LLMs), image generators, code assistants, and multimodal systems.
- All machine learning models used for prediction, classification, recommendation, or autonomous decision-making.
- All AI-powered automation, robotic process automation (RPA), and intelligent process automation (IPA).
- All third-party AI services, APIs, and platforms used by or on behalf of the organisation.
- All data used to train, fine-tune, prompt, or evaluate AI systems.
- All AI outputs, decisions, recommendations, and generated content distributed internally or externally.
Policy Violation
Use of AI in contravention of this policy constitutes a breach of employment conditions (or, for contractors, vendors, and third parties, of the relevant contractual terms) and may result in disciplinary action up to and including termination or contract cancellation. Material breaches may also trigger regulatory notification obligations.
2.2 Definitions
The following definitions apply throughout this policy and the broader governance framework. Where terms are used in a specific technical context, the technical definition shall prevail over the general definition.
| Term | Definition |
|---|---|
| Artificial Intelligence (AI) | Any machine-based system that can, for a given set of human-defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments. |
| Generative AI | AI systems capable of generating new content — including text, images, audio, video, code, or synthetic data — that did not exist in the training data in that precise form. |
| Prompt Injection | An attack in which input is crafted to override or bypass the intended instructions of a language model, causing it to produce unintended outputs, take unintended actions, or disclose sensitive information. The input may be supplied directly by a user or embedded in content the model processes on the user's behalf (documents, web pages, tool outputs), the latter being known as indirect prompt injection. |
| Hallucination | Generation of content by an AI system that is factually incorrect, nonsensical, or unrelated to the input context, presented with unwarranted confidence. |
| Model Poisoning | The deliberate corruption of training data, fine-tuning data, or model weights to cause an AI system to behave in a manner desired by the attacker, including the insertion of backdoors that activate only on attacker-chosen inputs. |
| Human-in-the-Loop (HITL) | A governance control requiring human review, approval, or override before an AI-generated output or decision is finalised or acted upon. |
| High-Risk AI | AI systems that affect fundamental rights, safety-critical decisions, financial eligibility, employment outcomes, or access to essential services. |
| Shadow AI | The use of AI tools or services by employees without organisational knowledge, approval, or security oversight. |
2.3 Acceptable AI Use
The following uses of AI are permitted subject to the controls, approvals, and oversight requirements specified in this policy and related procedures.
Permitted Use Categories
| Category | Description | Approval Required | Controls |
|---|---|---|---|
| Content Drafting | Using AI to generate first drafts of emails, reports, presentations, and marketing copy. | Manager | Human review before distribution; accuracy verification; no confidential data in prompts. |
| Code Assistance | Using AI coding assistants for suggestions, documentation, test generation, and refactoring. | Team Lead | Code review mandatory; no proprietary algorithms in public AI tools; licence compliance check. |
| Data Analysis | Using AI to analyse structured datasets, identify patterns, and generate insights. | Data Owner | Data anonymisation; access control; output validation; retention limits. |
| Customer Support | Deploying AI chatbots and virtual assistants for Tier-1 customer enquiries. | Product Owner | Escalation pathways; human override; accuracy monitoring; sentiment analysis. |
| Document Processing | Using AI for OCR, classification, summarisation, and extraction from documents. | Process Owner | Data classification review; accuracy benchmarking; exception handling. |
| Recruitment Screening | Using AI to screen CVs, schedule interviews, and assess candidate fit. | HR Director | Bias auditing; human final decision; candidate notification; appeal process. |
General Condition
All permitted AI use is subject to the overarching requirements of human oversight, data protection, security controls, and compliance with applicable laws. The absence of a category from this table does not constitute permission.
2.4 Prohibited AI Use
The following uses of AI are strictly prohibited. No waiver, exception, or deviation is permitted without written approval from the Chief Governance Officer and the Board Risk Committee.
Absolutely Prohibited Activities
- Using AI to generate, disseminate, or amplify disinformation, deepfakes, or misleading content targeting individuals, organisations, or democratic processes.
- Deploying fully autonomous AI systems for decisions affecting human safety, liberty, or fundamental rights without meaningful human oversight.
- Using AI to circumvent security controls, conduct unauthorised surveillance, or access restricted data.
- Inputting classified, restricted, or personally identifiable information into public generative AI tools or unapproved third-party services.
- Using AI to make final decisions on hiring, termination, promotion, or disciplinary action without human review and documented rationale.
- Deploying AI systems that have not completed the mandatory risk assessment, security review, and ethics approval processes.
- Using AI to manipulate, deceive, or coerce customers, employees, or other stakeholders.
- Engaging in 'shadow AI' — using unapproved AI tools for work purposes without registering the tool, completing risk assessment, and obtaining approval.
| Violation | Consequence | Reporting |
|---|---|---|
| Shadow AI use | Written warning, mandatory retraining, tool removal | Security team, line manager |
| Confidential data in public AI | Suspension pending investigation, regulatory notification | CISO, Data Protection Officer |
| Unapproved high-risk deployment | Project halt, disciplinary action, audit finding | AI Steering Committee |
| Disinformation / deepfakes | Termination, legal action, regulatory referral | Board, legal counsel |
| Autonomous safety-critical AI | Immediate shutdown, investigation, regulatory notification | Board, regulators |
2.5 Human Oversight & Accountability
Meaningful human oversight is a non-negotiable requirement of this policy. The following matrix establishes minimum oversight requirements based on AI system risk classification.
| Risk Level | Oversight Requirement | Documentation | Review Frequency |
|---|---|---|---|
| Critical | Human-in-the-loop for every decision; mandatory dual approval | Full audit trail, decision rationale | Real-time |
| High | Human-in-the-loop; single approver with override authority | Decision log, exception register | Daily |
| Medium | Human-on-the-loop; sampling-based review with escalation triggers | Sample review records, trigger logs | Weekly |
| Low | Human-over-the-loop; periodic spot checks and trend analysis | Review schedule, trend reports | Monthly |
Accountability Hierarchy
- Accountable Executive: Bears ultimate responsibility for AI system outcomes, compliance, and risk posture. Typically the relevant C-suite executive or business unit leader.
- Responsible Manager: Day-to-day operational responsibility for AI system performance, monitoring, and incident response.
- Technical Owner: Responsible for model architecture, data pipelines, security controls, and technical documentation.
- Ethics Guardian: Independent reviewer responsible for assessing ethical implications and ensuring fairness and non-discrimination.
2.6 Bias Management & Fairness
AI systems shall be designed, trained, tested, and monitored to prevent, detect, and remediate unfair bias. Fairness is not a one-time activity but a continuous obligation throughout the AI lifecycle.
Bias Management Lifecycle
- Design Phase: Document protected attributes, select and justify the fairness metrics appropriate to the use case (for example demographic parity or equalised error rates, which cannot in general all be satisfied at once), and set the target thresholds and alerting limits that later phases will be measured against.
- Data Phase: Audit training data for representation gaps, historical bias, and proxy variables that may encode discrimination.
- Training Phase: Apply fairness-aware machine learning techniques, adversarial debiasing, and constraint-based optimisation where appropriate.
- Testing Phase: Validate model performance across demographic subgroups, measure disparate impact, and test for intersectional bias.
- Deployment Phase: Implement real-time fairness monitoring with automated alerts when metrics drift beyond acceptable thresholds.
- Review Phase: Conduct periodic bias audits with independent reviewers, publish findings to the Ethics Review Panel, and remediate within defined timeframes.
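The testing and deployment phases above call for measuring disparate impact across subgroups and raising an alert when a fairness metric crosses a threshold. The following Python is an added illustration of that check and is not code from the policy or the organisation it describes. It computes per-group selection rates, the disparate-impact ratio against the best-treated group, and the demographic parity difference; the 0.8 ratio threshold (the "four-fifths" rule of thumb), the 0.1 parity-difference threshold, and the minimum group size are assumed policy parameters, and the decision records are constructed sample data.

```python
"""Subgroup fairness check: disparate impact and demographic parity (added example)."""
from collections import defaultdict

# Constructed sample: (protected-group label, model decision), 1 = favourable outcome.
SAMPLE_DECISIONS = [
    ("A", 1), ("A", 1), ("A", 0), ("A", 1), ("A", 1),   # group A selected 4 of 5
    ("B", 1), ("B", 0), ("B", 0), ("B", 0), ("B", 1),   # group B selected 2 of 5
]

# Constructed sample that should pass: A selected 4 of 5, B selected 3 of 4.
PASSING_DECISIONS = [
    ("A", 1), ("A", 1), ("A", 0), ("A", 1), ("A", 1),
    ("B", 1), ("B", 1), ("B", 0), ("B", 1),
]


def selection_rates(decisions, min_group_size=4):
    """Return ({group: favourable rate}, [groups too small to assess]).

    min_group_size is an assumed parameter: rates from tiny groups are noisy, so
    those groups are reported separately instead of being compared.
    """
    counts = defaultdict(lambda: [0, 0])  # group -> [favourable, total]
    for group, outcome in decisions:
        counts[group][1] += 1
        if outcome == 1:
            counts[group][0] += 1
    rates, too_small = {}, []
    for group, (favourable, total) in counts.items():
        if total < min_group_size:
            too_small.append(group)
        else:
            rates[group] = favourable / total
    return rates, too_small


def disparate_impact(rates):
    """Ratio of the lowest selection rate to the highest, and the worst-off group.

    If no group is ever selected the ratio is undefined; 1.0 is returned so the
    caller does not divide by zero, and the parity difference still catches it.
    """
    reference = max(rates.values())
    if reference == 0:
        return 1.0, None
    ratios = {group: rate / reference for group, rate in rates.items()}
    worst = min(ratios, key=ratios.get)
    return ratios[worst], worst


def demographic_parity_difference(rates):
    """Largest gap between any two groups' selection rates."""
    return max(rates.values()) - min(rates.values())


def fairness_alert(decisions, di_threshold=0.8, dpd_threshold=0.1, min_group_size=4):
    """Evaluate one batch of decisions and return metrics plus any alerts.

    Thresholds are assumed policy values for illustration, not figures from the policy.
    """
    rates, too_small = selection_rates(decisions, min_group_size)
    if len(rates) < 2:
        return {"rates": rates, "too_small": too_small, "alerts": ["fewer than two assessable groups"]}
    di_ratio, worst_group = disparate_impact(rates)
    dpd = demographic_parity_difference(rates)
    alerts = []
    if di_ratio < di_threshold:
        alerts.append(f"disparate impact ratio {di_ratio:.2f} below {di_threshold} (group {worst_group})")
    if dpd > dpd_threshold:
        alerts.append(f"demographic parity difference {dpd:.2f} above {dpd_threshold}")
    for group in too_small:
        alerts.append(f"group {group} below minimum sample size; not assessed")
    return {"rates": rates, "di_ratio": di_ratio, "worst_group": worst_group,
            "dpd": dpd, "too_small": too_small, "alerts": alerts}


if __name__ == "__main__":
    for label, batch in (("failing", SAMPLE_DECISIONS), ("passing", PASSING_DECISIONS)):
        print(label, fairness_alert(batch))
```

In a deployment-phase monitor the same function would run over a rolling window of logged decisions, with the alert list feeding the escalation trigger log the oversight matrix requires.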