Responsible AI & security

Adopt useful AI without giving up clarity, ownership or human judgment.

Security is not a paragraph added after the build. It shapes which information is used, who can access it and how outputs are reviewed.

Core implementation commitments

Each workflow should have understandable safeguards proportionate to the information and decision involved.

  • Least-privilege access
  • Read-only integrations whenever practical
  • Client-owned accounts and credentials
  • No unnecessary information collection
  • Human review for consequential outputs
  • Documented workflows, limitations and handoff
  • Clear client ownership of data
  • Transparent third-party services and costs

Information and model use

AI tools differ in how they retain, process and use information. Tool selection should match the sensitivity and purpose of the work.

  • Classify information before choosing a tool
  • Avoid sending confidential data to unapproved services
  • Do not train public models on client information without authorization
  • Limit retained information to what the workflow needs
  • Use client-owned organizational accounts where available
  • Review vendor terms and administrative controls

Human review and accountability

Automation can prepare, organize and flag information. Responsibility must remain clear.

Drafts stay drafts

AI-generated summaries, communications and interpretations are labeled for review.

Sources stay visible

Where practical, outputs link back to the records or documents that support them.

Exceptions have owners

The workflow identifies who reviews unusual, incomplete or consequential items.

Decisions remain human

No autonomous safety-critical decisions or unsupported professional determinations.

IT reporting and OT control stay separate

Operational information can support analysis without creating a control path.

Governance and employee training

Policies work best when they are understandable, relevant to real roles and supported by practical examples.

  • Employee AI-use policy development
  • Data classification guidance
  • Approved-tool and prohibited-use definitions
  • Human-review expectations
  • Department-specific training
  • Incident and correction pathways