

A Summary of an AI Controls Policy
BY TONY SAIZ
Artificial intelligence is becoming increasingly common in all areas of business, but have you considered the risks that your business faces from its uncontrolled use?
We at InnTech Consultancy know the danger posed by the wayward and unauthorized use of technology, from IT systems that fail to secure against hackers to the internal misuse of phone and video technology. We also know that such misuse is not only dangerous for the business but also costly to fix or to mitigate.
We offer our thoughts on a “best practice” internal policy on the use of artificial intelligence in your business.
Contact us if you have concerns about this important subject.
ARTIFICIAL INTELLIGENCE GOVERNANCE POLICY - EXECUTIVE SUMMARY
Purpose
This Policy establishes comprehensive standards for responsible AI use across all business operations, ensuring compliance with ISO/IEC 42001 and other regulations while protecting organizational and individual rights.
Critical Prohibitions
Employees are strictly forbidden from:
- Recording conversations (phone, video, or in-person) without express written approval from all parties AND management authorization
- Using conversation content from any verbal communications to develop AI materials or train AI systems without explicit permission
- Using photographs, videos, or media from any source (public or private) to generate AI content without proper authorization and licensing rights
- Taking or using AI prompts without express written management permission—all Company-developed prompts are proprietary intellectual property
Governance Framework
The Company’s AI Governance Committee oversees all AI initiatives, with clear accountability chains from executive leadership through department heads to individual users. Every AI system requires a designated System Owner responsible for compliance, documentation, and incident reporting.
Key Requirements
Transparency: All AI systems must maintain comprehensive documentation, including algorithms, data sources, decision logic, limitations, and performance metrics.
Compliance: Adherence to ISO/IEC 42001, GDPR, CCPA, and industry-specific regulations through quarterly assessments and annual audits.
Ethics: Mandatory bias testing, fairness assessments, and human oversight for high-risk decisions affecting employment, customer rights, or sensitive matters.
Risk Management: AI systems are categorized by risk level (high/medium/low) with corresponding controls. High-risk systems require maximum safeguards, including enhanced bias testing, human review requirements, and regular fairness audits.
Enforcement
Violations result in progressive discipline from written warnings to termination. Critical violations—including unauthorized recordings, use of prohibited content, or data breaches—may result in immediate termination and legal action.
Training
All employees must complete mandatory AI policy training within 30 days of hire and take annual refresher courses, with specialized certification required for high-risk AI users.