
AI Policy

Effective date: 1 January 2026 · Last reviewed: 1 January 2026 · Version: 3.0

This is the AI Policy of AutoCyber AI Pty Ltd (ABN 22 697 087 166), issued under ISO/IEC 42001:2023 Clause 5.2 and aligned with the EU AI Act (Regulation (EU) 2024/1689), the NIST AI Risk Management Framework (AI RMF 1.0), the OECD AI Principles, and the Australian AI Ethics Principles.

1. Purpose

This policy establishes the principles, responsibilities, and controls that AutoCyber AI applies to the design, development, deployment, and operation of AI systems — including our own products (WASA AI, NAD AI, Spark AI, SecureEasy AI), the CRP™ reference implementation, third-party AI we integrate, and internal AI use.

2. Scope

This policy applies to every AI system that AutoCyber AI develops (as a provider), deploys (as a deployer), or materially integrates, and to every director, employee, contractor, and authorised third party involved in those AI systems. It is the top-level “AI policy” required by ISO/IEC 42001:2023 Clause 5.2.

3. Our Commitments (Responsible AI Principles)

  • Human agency & oversight. Humans remain in or on the loop for any AI use that materially affects people.
  • Technical robustness & safety. AI systems are tested for accuracy, robustness, cyber-security, and graceful degradation.
  • Privacy & data governance. Data minimisation, purpose limitation, and local-first processing wherever feasible.
  • Transparency & explainability. Users are told when they interact with AI; outputs are auditable; the Context Relay Protocol™ provides machine-readable provenance.
  • Diversity, non-discrimination & fairness. We assess and mitigate bias; we do not deploy AI for prohibited purposes (see §5).
  • Societal & environmental wellbeing. We consider broader impacts, including energy use.
  • Accountability. Documented roles, traceable decisions, and a clear escalation path.

4. EU AI Act Risk Classification (Article 6 & Annex III)

Every AI system we provide or deploy is classified into one of the EU AI Act risk tiers before launch and re-assessed on material change:

  • Prohibited (Art. 5) — never deployed (see §5).
  • High-risk (Art. 6 & Annex III) — full compliance programme under Arts. 9–15 plus Art. 27 FRIA where applicable.
  • Limited-risk / transparency obligations (Art. 50) — clear labelling and disclosure.
  • Minimal-risk — voluntary application of best practice.
  • General-Purpose AI (GPAI) — Arts. 53–55 obligations where we develop or materially adapt a GPAI model; Annex XI technical documentation maintained.

5. Prohibited Practices (EU AI Act Art. 5)

AutoCyber AI will not develop, deploy, sell, or support AI systems used for any practice prohibited under Article 5 of the EU AI Act, including:

  • subliminal, manipulative, or deceptive techniques that materially distort behaviour and cause significant harm;
  • exploitation of vulnerabilities due to age, disability, or socio-economic situation;
  • social scoring by public authorities or private actors leading to detrimental treatment;
  • predictive policing based solely on profiling or personality traits;
  • untargeted scraping of facial images to build or expand facial-recognition databases;
  • emotion inference in workplace and education contexts (except for medical or safety reasons);
  • biometric categorisation to deduce special categories of data (race, political opinions, etc.);
  • real-time remote biometric identification in publicly accessible spaces for law enforcement (outside the narrow exceptions allowed and subject to authorisation).

6. High-Risk AI Requirements (EU AI Act Arts. 9–15)

For any AI system classified as high-risk, we operate:

  • Art. 9 Risk management system — continuous, iterative, documented across the lifecycle.
  • Art. 10 Data & data governance — relevance, representativeness, freedom from errors, bias examination.
  • Art. 11 Technical documentation — Annex IV-compliant package maintained per release.
  • Art. 12 Record-keeping — automatic logs sufficient for traceability (the Context Relay Protocol™ supports this natively).
  • Art. 13 Transparency & information to deployers — instructions for use, capabilities, limitations.
  • Art. 14 Human oversight — designed-in oversight controls, including override and stop.
  • Art. 15 Accuracy, robustness & cybersecurity — measured, monitored, and improved; aligned with our Information Security Policy.

For deployers using our high-risk AI products on people in the EU, we support the Fundamental Rights Impact Assessment (FRIA) required by Article 27 and provide the evidentiary artefacts needed via the CRP™ compliance evidence chain.

7. Transparency to Users (EU AI Act Art. 50)

  • Users are clearly informed when they interact with an AI system, unless this is obvious from context.
  • AI-generated or AI-manipulated text, audio, image, or video is labelled as such where required.
  • Emotion-recognition or biometric-categorisation systems (where lawful) trigger explicit notification.
  • Synthetic media (“deepfakes”) are disclosed.

8. General-Purpose AI Models (Arts. 53–55)

Where AutoCyber AI develops, fine-tunes, or materially adapts a general-purpose AI model, we:

  • maintain up-to-date technical documentation per Annex XI;
  • publish a sufficiently detailed summary of training content;
  • implement a copyright-compliance policy, including respect for rights reservations under Directive (EU) 2019/790;
  • for models posing systemic risk, conduct model evaluations, adversarial testing, incident reporting, and cyber-security protection per Art. 55.

9. ISO/IEC 42001:2023 AI Management System

We operate an AI Management System (AIMS) aligned with ISO/IEC 42001:2023, including:

Clause / Annex: how we satisfy it

  • Cl. 4 Context: Documented internal/external issues, interested parties, AIMS scope.
  • Cl. 5 Leadership: Director accountability; this AI Policy; defined roles & authorities.
  • Cl. 6 Planning: AI risk & AI impact assessments; objectives; change management.
  • Cl. 7 Support: Resources, competence, awareness, communication, documented information.
  • Cl. 8 Operation: Operational planning & control; AI risk treatment; AI impact assessment outputs.
  • Cl. 9 Performance: Monitoring, measurement, internal audit, management review.
  • Cl. 10 Improvement: Nonconformity, corrective action, continual improvement.
  • Annex A.2 Policies: This AI Policy plus aligned sub-policies (privacy, security, data, third party).
  • Annex A.3 Internal organisation: Roles, segregation of duties, reporting lines.
  • Annex A.4 Resources: Resource planning for data, tooling, compute, human resources.
  • Annex A.5 AI impact assessment: AI impact assessment performed before deployment of any non-trivial AI system; updated on material change.
  • Annex A.6 AI system lifecycle: Documented lifecycle: requirements, design, data, build, verification, validation, deployment, operation, monitoring, retirement.
  • Annex A.7 Data for AI: Data acquisition, quality, lineage, privacy, security; provenance via CRP™.
  • Annex A.8 Information for interested parties: User-facing documentation, system cards, model cards, change logs.
  • Annex A.9 Use of AI systems: Acceptable-use guidance, intended purpose, foreseeable misuse.
  • Annex A.10 Third-party & customer relationships: Supplier & customer obligations, including DPAs and AI-specific addenda.

10. AI Impact & Fundamental Rights Assessments

Before deployment, every non-trivial AI system undergoes an AI Impact Assessment (ISO 42001 Annex A.5) covering intended purpose, stakeholders, foreseeable misuse, harms to individuals and groups, mitigations, and residual risk. Where EU AI Act Article 27 applies (high-risk AI used by certain deployers on natural persons), we conduct a Fundamental Rights Impact Assessment (FRIA) and support customer FRIAs with the necessary technical artefacts.

11. Data Governance for AI

  • Documented data sources, lawful basis, and licensing.
  • Bias examination on training, validation, and test data.
  • Special-category data handled only with explicit lawful basis and additional safeguards.
  • Synthetic and augmented data flagged with provenance.
  • Local-first processing: customer data stays with the customer wherever feasible.

12. Human Oversight (EU AI Act Art. 14)

  • Every high-risk AI system has documented human-oversight measures.
  • Override and stop controls are tested and visible to operators.
  • Automation-bias risks are addressed through interface design and training.
  • Multi-agent flows are bounded by the CRP™ safety-budget mechanism (see CRP Safety Case).

13. Accuracy, Robustness & Cybersecurity (EU AI Act Art. 15)

  • Performance metrics defined per use case and tracked over time.
  • Adversarial robustness testing for high-risk and security-critical systems.
  • Resilience against data poisoning, model evasion, and prompt-injection.
  • Aligned with our Information Security Policy (OWASP Top 10 2025 and OWASP LLM Top 10).

14. Roles & Responsibilities

  • Director — accountable for the AIMS.
  • AI Governance Officer — owns this policy, the AIMS, and the AI risk register.
  • Security Officer — owns AI-system security controls.
  • Privacy Officer — owns AI-related data-protection compliance.
  • Engineering leads — implement controls in design, build, and operation.
  • All personnel — comply with this policy and report concerns.

15. Reporting Concerns & Incidents

Anyone — employee, customer, user, or member of the public — may raise an AI-related concern, incident, or near-miss to ai-governance@autocyberai.com. We will investigate, log, and respond. Material incidents involving high-risk AI are reported to the relevant authorities under EU AI Act Article 73 within the required deadlines.

16. Training & Awareness

All personnel receive AI-literacy training (EU AI Act Art. 4) proportionate to their role. Role-specific training covers AI risk, secure development for AI, prompt-injection mitigation, fairness, and applicable regulation.

17. Mappings & Related Frameworks

This policy maps to and supports compliance with ISO/IEC 42001:2023, ISO/IEC 23894:2023 (AI risk management), NIST AI RMF 1.0, the EU AI Act, the OECD AI Principles, the Australian AI Ethics Principles, and the UN AI Advisory Body recommendations.

18. Review

This policy is reviewed at least annually and on material change in technology, risk, or regulation. The next scheduled review is January 2027.

19. Contact

Document control

Owner: AI Governance Officer · Approver: Director · Review cadence: annually or upon material change · Next review: January 2027 · Issued under ISO/IEC 42001:2023 Clause 5.2.