ANSIRA AI GOVERNANCE POLICY
1. Introduction
This document establishes Ansira’s AI Governance Policy, providing the framework for the responsible use of Artificial Intelligence (AI) across our organization, platform, and client services. This policy applies to all AI systems that Ansira deploys or uses, whether integrated into our products and services or used internally to support business operations.
Ansira is committed to providing secure and responsible AI services tailored to the needs of our clients. This policy ensures that AI is implemented securely, ethically, and in alignment with our commitment to protecting client data, maintaining compliance standards, and delivering measurable value.
This policy is part of Ansira’s AI Management System (AIMS), which is aligned with ISO/IEC 42001:2023 (Information technology — Artificial intelligence — Management system) and complements our existing ISO 27001 and SOC 2 Type II standards. As AI technology evolves, Ansira will update its capabilities, training programs, and policies accordingly. Employees, clients, and stakeholders can expect timely communication about changes to AI governance practices and new AI-enabled capabilities.
2. Purpose and Objective
Ansira is committed to leveraging AI to deliver value to our clients and employees while maintaining governance, security, and ethical standards. This policy provides the overarching rules and principles that guide all AI-related decisions, whether in product development, service delivery, or internal operations.
This policy governs two key areas:
- Internal AI Enablement: Empowering employees with approved AI tools to enhance productivity and streamline workflows while ensuring compliance with security and privacy requirements.
- AI in Products and Services: Governing the integration of AI into Ansira’s platform and client services to improve outcomes while maintaining data protection, ethical AI principles, and regulatory compliance.
3. Scope and Applicability
This policy applies to all Ansira employees, contractors, and third parties who develop, deploy, operate, or interact with AI systems on behalf of Ansira. It covers AI capabilities integrated into the Ansira Platform, enterprise AI tools used for internal productivity, and any AI system within the scope of the AIMS.
The specific AI systems governed by this policy, along with exclusions and their justifications, are documented in the AIMS Scope Statement. The scope is reviewed periodically and updated when material changes occur, such as the introduction of new AI capabilities, changes in regulatory requirements, or shifts in the organization’s risk environment.
4. Ansira’s Role in the AI Ecosystem
Ansira operates as an AI deployer and user. Ansira does not build or train its own foundational AI models. Instead, Ansira integrates pre-trained models from established, enterprise-grade AI providers into its platform and internal systems. These providers are selected through a rigorous evaluation process that assesses security certifications, data protection practices, and AI governance standards.
As a deployer and user, Ansira focuses its governance responsibilities on:
- the selection and assessment of AI providers;
- the configuration and integration of AI models within our platform;
- the monitoring and oversight of AI system performance and outputs;
- ensuring AI systems are used in accordance with their intended purpose; and
- managing the full lifecycle of deployed AI capabilities from approval through decommissioning.
5. Core Principles
The following principles guide all AI activities across Ansira. These principles are informed by ISO/IEC 42001:2023, industry best practices, and Ansira’s organizational values.
5.1 Innovation with Accountability
AI enhances our capabilities when implemented within proper governance frameworks. All AI usage is subject to risk assessment, impact evaluation, and ongoing monitoring to ensure it meets security, compliance, and ethical standards.
5.2 Client Data Protection
Client data protection is our highest priority. We implement strict controls to ensure client data remains secure, private, and is never used inappropriately or shared without explicit written consent. AI systems are designed with data isolation, minimization, and purpose limitation as foundational requirements.
5.3 Ethical and Transparent AI
Ansira is committed to fair, unbiased, and transparent AI practices. All AI systems undergo evaluation for potential risks including bias, fairness, and accuracy. We provide clear information about how AI is used in our services and maintain human oversight over AI-generated outputs.
5.4 Enterprise-Grade AI Providers
Ansira partners with enterprise-grade AI providers that maintain recognized security certifications and contractual data protection commitments. While specific providers may evolve, our governance framework and provider evaluation standards remain constant.
5.5 Continuous Improvement
AI tools, security practices, and governance frameworks are regularly evaluated and improved. The Technology Steering Committee reviews AI initiatives for effectiveness, security requirements, alignment with business objectives, emerging best practices, and evolving regulatory requirements.
5.6 Competence and Awareness
Ansira employees receive ongoing training on responsible AI use, data protection, bias awareness, and ethical practices. Ansira believes that informed employees are essential to responsible AI adoption and maintains role-appropriate training programs for all personnel who interact with AI systems.
6. Risk and Impact Management
Ansira maintains a structured approach to identifying, assessing, and managing risks associated with AI systems. This includes both risks to the organization and potential impacts on individuals, groups, and society.
- AI Risk Assessment: All AI systems undergo formal risk assessment before deployment and at planned intervals thereafter. Risk assessments evaluate security, privacy, bias, fairness, accuracy, and regulatory compliance.
- AI Impact Assessment: Ansira conducts impact assessments to evaluate the potential consequences of AI systems on affected stakeholders, including clients, end-users, and the broader community. Impact assessments are required before deploying new AI capabilities, when significant changes occur, and at regular review intervals.
- Risk Treatment: Identified risks are addressed through documented treatment plans that specify controls, responsible parties, and verification methods. Risk treatment decisions are recorded and tracked through Ansira’s AI Management System.
7. Data Protection and Privacy
Ansira applies the following data protection commitments to all AI systems:
- Data Isolation: Client data is logically isolated within our infrastructure. Strict technical controls prevent any data mixing, cross-use, or leakage between clients.
- No Unauthorized Training: Client data is never used to train general-purpose AI models, to improve third-party AI systems, or for any purpose outside the agreed service scope without explicit, documented written permission from the client.
- Data Minimization: AI systems only access the minimum data necessary to perform their intended function. Employees are trained to avoid submitting unnecessary sensitive information to AI tools.
- Retention and Deletion: AI-processed client data follows the same retention and deletion policies as all other client data. Upon client request or contract termination, all client data is removed from AI systems in accordance with our data retention policy.
- Encryption: All data processed by AI systems is encrypted in transit and at rest in accordance with industry standards and Ansira’s security policies.
8. Security and Compliance
All AI usage at Ansira operates within our established security and compliance framework. AI-specific governance extends and complements existing controls rather than replacing them.
- Compliance Standards: AI systems comply with SOC 2 Type II requirements, applicable data protection regulations (including CCPA and GDPR where applicable), ISO 27001 information security controls, and contractual obligations specific to each client engagement.
- Infrastructure Security: Ansira’s infrastructure is hosted on trusted enterprise cloud providers that maintain recognized security certifications. Regular reviews and assessments ensure compliance, resilience, and continuous improvement.
- Access Controls: Employees may only use AI tools that have been formally approved and designated as sanctioned. AI tools must be accessed exclusively through company-provided accounts and approved integrations. The use of personal AI tool accounts for work-related activities is prohibited.
- External Integrations: Any AI capability that connects to external systems requires formal security review and approval before implementation. All AI-generated actions that create, modify, or delete data are subject to audit logging.
9. Responsible AI Use
Ansira is committed to using AI systems responsibly and in accordance with their intended purpose. The following commitments apply to all AI systems within the AIMS scope:
- Human Oversight: AI systems operate with appropriate human oversight. AI-generated outputs that affect clients, end-users, or business decisions are reviewed by qualified personnel before use. Ansira maintains the authority to override or correct AI system outputs at all times.
- Intended Use: AI systems are deployed and operated in accordance with their documented intended purpose. Modifications to the purpose or scope of an AI system require formal review and approval.
- Bias and Fairness: Ansira evaluates AI systems for potential bias and fairness concerns as part of the risk and impact assessment process. Where applicable, testing and monitoring procedures are implemented to detect and address bias in AI outputs.
- New AI Technologies: All new AI tools and capabilities must undergo a formal review and approval process that evaluates security, compliance, risk, and alignment with business objectives before deployment.
10. AI System Lifecycle Management
Ansira manages AI systems through a defined lifecycle that covers all stages from initial conception through decommissioning. Each stage includes governance touchpoints, AI-specific considerations, and documentation requirements.
Key lifecycle commitments include:
- formal evaluation and approval before any AI capability is deployed to production;
- ongoing monitoring of AI system performance, accuracy, and security throughout operation;
- structured processes for updates, provider changes, and version management; and
- formal decommissioning procedures when AI capabilities are retired, including data handling, stakeholder communication, and documentation retention.
Detailed lifecycle stages and procedures are documented in the AI System Development Lifecycle document, which is maintained as part of the AIMS.
11. Third-Party AI Provider Governance
Because Ansira is an AI deployer and user, its relationship with third-party AI providers is a critical component of our governance framework. Ansira maintains the following commitments regarding AI providers:
- Provider Evaluation: AI providers are assessed against Ansira’s security, compliance, and AI governance standards before approval. Evaluation criteria include security certifications, data protection capabilities, model governance practices, and contractual commitments.
- Responsibility Allocation: Responsibilities between Ansira and its AI providers are documented and clearly allocated across the AI system lifecycle.
12. Transparency and Stakeholder Rights
Ansira is committed to transparency regarding its use of AI. The following rights and commitments apply to clients, end-users, and other affected stakeholders:
- Disclosure: Clients are informed about how AI is used in their services and have the right to request information about which AI capabilities process their data, including explanations of AI-driven recommendations or decisions.
- Reporting Concerns: Ansira provides mechanisms for stakeholders to report concerns or adverse impacts related to AI systems. All reported concerns are investigated and addressed in accordance with Ansira’s incident management procedures.
13. Training and Awareness
Ansira requires that its personnel who interact with AI systems maintain appropriate knowledge and competence. Training requirements include initial AI governance training for employees with access to AI tools, periodic refresher training on policy updates and responsible AI practices, and role-specific training for personnel with specialized AI responsibilities.
Training covers data protection, recognizing bias, security best practices, appropriate use cases for AI tools, and the importance of human oversight in AI-assisted workflows.
14. Incident Management
Ansira maintains documented procedures for detecting, reporting, investigating, and resolving AI-related incidents. These procedures are integrated with Ansira’s broader incident management and information security frameworks.
- Reporting: Employees who observe or suspect AI policy violations, security incidents, or adverse AI system behavior must report them promptly through established reporting channels.
- Investigation and Response: All reported incidents are investigated promptly. Corrective actions are taken based on the severity and nature of the incident, including root cause analysis and measures to prevent recurrence.
- Stakeholder Communication: Affected clients and stakeholders are notified of AI-related incidents in accordance with contractual obligations, regulatory requirements, and Ansira’s incident communication plans.
- Corrective Action: Nonconformities identified through incidents, audits, or monitoring trigger a formal corrective action process to eliminate root causes and drive continuous improvement of the AI Management System.
15. Governance Structure and Accountability
Ansira’s AI governance is supported by defined roles and responsibilities across the organization:
- Technology Steering Committee: Provides executive oversight of AI strategy, approves new AI capabilities and provider relationships, and ensures alignment with business objectives and governance standards.
- AIMS Manager: Ensures AI management system compliance, maintains documentation, coordinates risk and impact assessments, and reports AI governance performance to management.
- Information Security Team: Conducts security assessments, monitors compliance, and manages incident response related to AI systems.
- Legal and Compliance: Assesses contractual obligations and advises on data protection and privacy implications for AI capabilities.
- Department Leaders and Employees: Department leaders ensure their teams follow this policy and complete required training. Individual employees are accountable for using AI tools responsibly, protecting client data, and reporting any suspected policy violations or concerns.
Policy violations may result in disciplinary action, up to and including termination of employment, depending on the severity and nature of the violation.
16. Policy Review and Continuous Improvement
This policy is reviewed annually and updated to reflect changes in AI technology and capabilities, new regulatory requirements, lessons learned from incidents or audits, management review outcomes, and evolving industry best practices.
The results of management reviews are used as inputs to the policy review process to ensure the policy’s continuing suitability, adequacy, and effectiveness.