Last Updated: 1st March 2025
Applies to: AOIS Sentinel™, AOIS Agents, AOIS Professor, AOIS Validator, AOIS DevFactory and associated services (the “Services”).
1. Purpose & Scope
This Responsible AI Policy (the “Policy”) sets binding principles, controls, and accountabilities for the design, development, deployment and oversight of AI systems operated by or through AOIS (the “Agentic Operating Intelligence System”). It applies to AOIS personnel, contractors, partners, and Client organisations and their Authorised Users who access or integrate with the Services.
This Policy aligns with leading regulatory frameworks and standards, including: the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) risk-based regime, the UK government’s pro-innovation approach to AI regulation, the UAE PDPL and national AI ethics initiatives, U.S. federal executive guidance and NIST AI RMF 1.0, and Singapore’s PDPA, Model AI Governance Framework (GenAI) and sectoral MAS FEAT principles (finance).
2. Definitions
- AI System: Software that, for a given set of human-defined objectives, infers how to generate outputs (predictions, content, decisions, actions).
- High-risk / Prohibited uses: As classified by applicable law (e.g., EU AI Act), and by AOIS internal risk taxonomy in Annex A.
- Client Content / Data: Information supplied by a Client or its users.
- Human-in-the-Loop (HITL): A control ensuring qualified human review/override for defined decisions.
- General-Purpose AI (GPAI) / Foundation Models: Broadly capable models that may be adapted across tasks.
3. Governance Model & Accountability
3.1 Roles
- Board & Executive (AOIS): Own the Responsible AI strategy; approve prohibited/restricted uses; ensure resourcing.
- Chief Governance & Compliance Officer (CGCO): Accountable owner of this Policy; signs off risk assessments, exceptions, and public transparency reports.
- Security & Privacy (CISO/DPO): Ensure security and data protection by design; lead DPIAs/AIAs and incident response.
- AI Safety & Model Risk (AIMR): Sets model validation standards (bias, robustness, explainability), red-team testing, monitoring and model cards.
- Product & Engineering Leads: Embed controls in lifecycle; ensure runtime guardrails are enforced.
- Client Responsible Officer: Named by each Client to ensure their own compliance, lawful basis, and sectoral obligations.
3.2 Committees & Escalation
- Responsible AI Committee (RAIC): Multi-disciplinary body (legal, privacy, safety, security, product, domain experts). Approves risk classifications, restricted deployments, and post-incident remediations.
- Ethics & Risk Reviews: Mandatory at design, pre-deployment, and material change.
- Escalation: Safety, privacy or ethics incidents trigger AOIS incident playbooks, QMS/incident queues and, where required, regulator notifications.
4. AOIS Principles for Responsible AI
- Lawfulness & Human Rights: All processing must have a lawful basis; AOIS prohibits use that infringes fundamental rights or anti-discrimination law.
- Safety & Robustness: Systems must be resilient to misuse, distribution shift and adversarial attack; pre-deployment and continuous validation are mandatory.
- Fairness & Non-discrimination: Measure and mitigate bias; document fairness trade-offs; apply sectoral rules (e.g., financial fairness).
- Transparency & Notice: Users are informed when they interact with AI; capabilities, limits and material risk are disclosed in proportion to risk.
- Explainability & Contestability: Provide explanations appropriate to risk; enable human appeal and effective challenge.
- Privacy & Data Governance: Data minimisation, purpose limitation, retention controls, security by design, cross-border safeguards.
- Human Oversight: Clear decision boundaries; HITL or human-on-the-loop is mandatory for defined risk classes.
- Security & Abuse Prevention: Defence-in-depth; content provenance/watermarking where appropriate; misuse prevention.
- Accountability & Auditability: Full lifecycle records, auditable logs, and regulator-ready evidence.
- Sustainability & Societal Benefit: Consider environmental impact; prefer uses with demonstrable public value.
These principles are consistent with the NIST AI RMF (Govern–Map–Measure–Manage), the UK’s risk-based approach, and Singapore’s model frameworks.
5. Regulatory Alignment & Commitments
5.1 EU (including EU AI Act)
- Risk Classification: AOIS adopts the EU AI Act taxonomy (unacceptable, high, limited, minimal) for all deployments serving EU markets and mirrors it globally as a baseline. High-risk systems meet conformity assessment, technical documentation, quality management, human oversight, and post-market monitoring requirements.
- GPAI/Model Provider Duties: For GPAI/foundation models used within AOIS, we implement documentation, training data transparency (as permitted by IP and law), cybersecurity controls, and model evaluation consistent with the Act.
5.2 United Kingdom
- Pro-innovation Regime: AOIS aligns with the UK’s cross-regulator principles (safety, transparency, fairness, accountability, contestability) and will cooperate with the UK AI Safety Institute and relevant regulators (ICO, FCA, CMA, MHRA) as applicable.
5.3 United Arab Emirates
- PDPL Compliance: Personal data processing adheres to the UAE Federal Decree-Law No. 45 of 2021 (PDPL) and implementing decisions; AOIS also aligns with national AI ethics guidance (e.g., Smart Dubai/Digital Dubai; MOCAI).
5.4 United States
- Federal Direction & NIST: AOIS follows applicable federal executive guidance (including EO 14110 and subsequent directives), and operationalises the NIST AI RMF 1.0 for risk management. Sectoral laws (e.g., HIPAA, GLBA, ECOA/Reg B, FCRA, COPPA) are applied where relevant.
5.5 Singapore
- PDPA & Model AI Governance (GenAI): AOIS complies with PDPA obligations, and implements controls consistent with Singapore’s Model AI Governance Framework for Generative AI and the MAS FEAT principles for financial services.
5.6 International Standards
AOIS builds its management system to ISO/IEC 42001:2023 (AI management systems) and uses ISO/IEC 23894:2023 for AI risk management guidance.
6. Lifecycle Controls (from concept to retirement)
6.1 Design & Scoping
- Use-case Qualification: Map purpose, harms, stakeholders, rights impacts; screen for prohibited/restricted uses (Annex A).
- Legal & Privacy Screening: Identify lawful basis, DPA/contract needs, international transfers; initiate DPIA/AI Impact Assessment (AIA).
- Risk Tiering: Apply EU-style risk classification globally as baseline; determine oversight mode (HITL, human-on-the-loop) and transparency duties.
6.2 Data Governance
- Source Hygiene: Catalogue data sources; verify provenance, licences, and restrictions; exclude unlawfully obtained or harmful content.
- Minimisation & Quality: Limit to necessary attributes; monitor drift and data quality; annotate data lineage.
- Sensitive & Special Category Data: Apply heightened controls; ban usage where law prohibits or where unmitigable harm exists.
6.3 Development & Training
- Secure SDLC: Threat modelling, secure coding, code review; dependency & supply-chain checks.
- Model Cards & Dataset Docs: Maintain “model cards” and “data sheets” detailing intended use, limits, training sources, benchmarks and known risks.
- Safety Tuning & Red-teaming: Adversarial tests for jailbreaks, prompt injection, toxicity, bias; document mitigations.
6.4 Testing & Validation
- Pre-deployment Validation: Bias/fairness metrics, accuracy/robustness, explainability checks, privacy leakage tests, content provenance/watermark checks (where feasible), reproducibility; finance deployments also tested against FEAT-aligned methodologies.
- Human Factors: Validate instructions, escalation paths, and UI/UX for meaningful human control and contestability.
6.5 Deployment & Runtime Enforcement (AOIS-specific)
- Runtime Guardrails: AOIS Sentinel™ enforces protected rules and Client policies before an agent action executes; non-compliant actions are blocked or quarantined.
- Observability & Audit: Every action logs TX–BX–CM milestones with positive confirmation; audit trails are immutable and regulator-ready.
- Escalation: Anomalies route automatically to incident/QMS queues; Clients may receive real-time notifications based on severity.
6.6 Monitoring, Drift & Change Control
- Continuous Monitoring: Statistical drift, performance, safety signals, bias and complaint trends; retraining thresholds.
- Change Management: Material updates require RAIC review and, where relevant, renewed DPIA/AIA and Client notice.
- Decommissioning: Safe retirement, data retention/erasure, and model archival for accountability.
7. Prohibited & Restricted Uses (baseline)
7.1 Prohibited (non-exhaustive; stricter regimes prevail)
- Unlawful discrimination or denial of rights;
- Social scoring by public authorities that infringes rights;
- Unauthorised biometric categorisation or emotion inference in sensitive contexts;
- Fully autonomous decisions with no meaningful route for human appeal where legally required;
- Deceptive practices that materially mislead users;
- Any use breaching export controls, sanctions, or safety laws.
7.2 Restricted (subject to approvals, enhanced controls)
- High-risk deployments (e.g., safety-critical, credit, employment, education, essential services);
- Biometric identification/verification in constrained, lawful settings;
- Generative content that could be misattributed (requires provenance, watermarking where feasible, and robust misuse controls).
8. Human Oversight, Explainability & User Rights
- Decision Boundaries: Define which outcomes are advisory vs. determinative; mandate HITL for defined classes.
- Explanations: Provide model- and decision-level explanations proportionate to risk and audience; publish system cards for high-risk classes.
- Contestability: Effective channels to challenge outcomes; resolution SLAs; recording of reversals and lessons learned.
9. Privacy & Cross-Border Data
- Lawful Basis: Contract, legitimate interests, consent or other bases as required; children’s data receives heightened protection.
- DPIAs / AIAs: Conduct and retain assessments for high-risk processing; implement documented mitigations.
- International Transfers: Use EU Standard Contractual Clauses/UK Addendum or equivalent safeguards; comply with UAE PDPL and Singapore PDPA transfer rules.
10. Security & Abuse Prevention
- Controls: Encryption in transit/at rest; key management; network segregation; least-privilege IAM; vulnerability management; secure secrets handling.
- Content Provenance: Prefer C2PA-compatible mechanisms and watermarking where practical to deter misuse.
- Abuse Monitoring: Rate-limiting; misuse classifiers; behavioural analytics; takedown mechanisms; law-enforcement cooperation as required.
(See AOIS Security Policy for full technical measures.)
11. Documentation, Auditability & Assurance
- Records: Model cards, data sheets, DPIAs/AIAs, validation reports, risk registers, decision logs, incident reports, and transparency notes are retained to regulator-ready standards.
- Independent Assurance: AOIS targets assurance against ISO/IEC 42001 and uses ISO/IEC 23894 for risk processes; engages independent audits and publishes high-level transparency updates.
12. Incident Response & Notifications
- Triggering Events: Safety failures, significant bias findings, privacy/security incidents, harmful content, or material policy breaches.
- Process: Triage → containment → eradication → recovery → post-mortem; Client and regulator notifications made within legal timelines (e.g., ICO for UK personal-data breaches).
- Learning Loop: RAIC tracks corrective and preventative actions; protected rules and guardrails updated accordingly.
13. Third-Party & Client Responsibilities
- Suppliers/Models/Tools: Third parties must meet AOIS standards, sign data protection and security terms, and supply sufficient documentation for audit.
- Client Duties: Clients remain responsible for lawful purposes, sectoral compliance (e.g., finance, health), appropriate disclosures to individuals, and for not circumventing AOIS guardrails.
14. Training, Culture & Accountability
- Mandatory Training: AOIS personnel complete annual privacy, security and Responsible AI training; role-specific training for engineers, data scientists and product managers.
- Consequences: Policy breaches may lead to disciplinary action, contract suspension, or termination.
15. Transparency & Public Engagement
- Notices & Labels: Clear user notices for AI interactions; channel for questions and complaints.
- Reports: AOIS will publish periodic transparency summaries (scope, incidents, improvements) proportionate to risk and confidentiality.
16. Review, Versioning & Exceptions
- Review Cycle: Annual or upon material legal/technical change (including EU AI Act implementing acts; UK regulatory updates; US federal guidance; Singapore updates).
- Exceptions: Must be approved by the CGCO and RAIC with time-bound mitigations and documented rationale.
- Effective Date & Version: [Insert] / Version [Insert].
Annex A — AOIS Baseline Risk Classification (summary)
- Unacceptable: Uses banned by law or AOIS (e.g., unlawful social scoring, manipulative systems causing harm). Blocked.
- High-Risk: Safety-critical; essential services; education, employment, credit, migration/justice use-cases. Requires HITL, extensive documentation, monitoring, and conformity/assurance steps.
- Limited-Risk: Transparency duties; optional HITL depending on context; basic testing and monitoring.
- Minimal-Risk: General productivity aids; standard controls.
Annex B — External Framework Mapping (illustrative)
- EU: EU AI Act risk regime; Data Act intersections; GDPR for personal data.
- UK: Cross-regulator principles; ICO guidance; cooperation with UK AI Safety Institute.
- UAE: PDPL; Dubai/MOCAI AI ethics guidance and self-assessment tool.
- USA: NIST AI RMF 1.0; current Executive Orders and sectoral laws.
- Singapore: PDPA; Model AI Governance (GenAI); MAS FEAT (finance).
- Standards: ISO/IEC 42001 (AIMS); ISO/IEC 23894 (AI risk).
Important notice
This Policy is drafted to be globally interoperable and does not constitute legal advice. AOIS will localise contractual terms and operational measures per jurisdiction and sector. Please have your counsel validate prior to publication.