AI Governance
Version: 1.0 | Effective from: 1 January 2026
1. Purpose
This directive defines how the organization manages the development, deployment, and use of AI systems in compliance with the AI Act (EU 2024/1689).
2. Scope
This directive applies to:
- All AI/ML systems developed internally
- Third-party AI (Claude, GPT, etc.)
- AI embedded in products
- AI used in internal processes
3. AI Classification & Risk Assessment
3.1 AI systems inventory
Every AI system must be documented:
| Field | Description |
|---|---|
| AI System ID | Unique identifier |
| Name | Descriptive name |
| Type | Internal / Third-party / Embedded |
| Purpose | Business use case |
| Responsible person | Who is responsible |
| Risk Level | Prohibited / High / Medium / Low |
| Status | Development / Testing / Production / Retired |
3.2 Risk Classification
Step 1: Identify the AI system
Step 2: Classify by risk:
| Category | Examples | Action |
|---|---|---|
| Prohibited | Real-time biometric ID, social scoring, manipulation | STOP — do not use |
| High-Risk | Credit scoring, employment, health, education | Full compliance |
| Medium-Risk | Chatbots, deepfakes, emotion recognition | Transparency |
| Low-Risk | Spam filters, analytics, recommendations | Minimal |
Step 3: Document the decision
4. High-Risk AI — Mandatory Controls
4.1 Pre-deployment
| Control | Description |
|---|---|
| Design Audit | Is AI necessary? Is there an alternative? |
| Data Assessment | Training data quality, bias check |
| DPIA | Data Protection Impact Assessment |
| Technical Documentation | Model card, limitations, testing |
| Human Oversight Design | Appeal process, override capability |
4.2 Post-deployment
| Control | Frequency |
|---|---|
| Performance Monitoring | Continuous |
| Bias Testing | Monthly |
| Accuracy Validation | Quarterly |
| Incident Review | On incident |
| Re-certification | Annually |
5. GPAI (Third-Party AI)
5.1 Permitted use
| Vendor | Permitted use cases | Restrictions |
|---|---|---|
| Claude (Anthropic) | Content, analysis, coding | No PII without encryption |
| GPT-4 (OpenAI) | Content, analysis, coding | No PII without encryption |
| Perplexity | Research, search | No confidential data |
5.2 Mandatory Controls
Before using GPAI:
- DPA signed
- Terms of Service reviewed
- Data classification: NO PII/confidential
- Audit logging enabled
- User informed about AI use
5.3 Prohibited practices with GPAI
- Sending PII (names, emails, numbers)
- Sending health data
- Sending financial data
- Sending confidential business data
- Automated decision-making without human review
6. AI Development Lifecycle
6.1 Development phases
%3btext-align:center%3b%7d%23mermaid-0 .edgeLabel p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .edgeLabel rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .labelBkg%7bbackground-color:rgba(232%2c 232%2c 232%2c 0.5)%3b%7d%23mermaid-0 .cluster rect%7bfill:%23ffffde%3bstroke:%23aaaa33%3bstroke-width:1px%3b%7d%23mermaid-0 .cluster text%7bfill:%23333%3b%7d%23mermaid-0 .cluster span%7bcolor:%23333%3b%7d%23mermaid-0 div.mermaidTooltip%7bposition:absolute%3btext-align:center%3bmax-width:200px%3bpadding:2px%3bfont-family:arial%2csans-serif%3bfont-size:12px%3bbackground:hsl(80%2c 100%25%2c 96.2745098039%25)%3bborder:1px solid %23aaaa33%3bborder-radius:2px%3bpointer-events:none%3bz-index:100%3b%7d%23mermaid-0 .flowchartTitleText%7btext-anchor:middle%3bfont-size:18px%3bfill:%23333%3b%7d%23mermaid-0 rect.text%7bfill:none%3bstroke-width:0%3b%7d%23mermaid-0 .icon-shape%2c%23mermaid-0 .image-shape%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3btext-align:center%3b%7d%23mermaid-0 .icon-shape p%2c%23mermaid-0 .image-shape p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bpadding:2px%3b%7d%23mermaid-0 .icon-shape .label rect%2c%23mermaid-0 .image-shape .label rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .label-icon%7bdisplay:inline-block%3bheight:1em%3boverflow:visible%3bvertical-align:-0.125em%3b%7d%23mermaid-0 .node .label-icon path%7bfill:currentColor%3bstroke:revert%3bstroke-width:revert%3b%7d%23mermaid-0 :root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg%3e%3cmarker id='mermaid-0_flowchart-v2-pointEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 0 L 10 5 L 0 10 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-pointStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='4.5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 5 L 10 10 L 10 0 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-circleEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='11' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-circleStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='-1' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-crossEnd' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='12' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-crossStart' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='-1' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cg class='root'%3e%3cg class='clusters'/%3e%3cg class='edgePaths'%3e%3cpath d='M138%2c134L138%2c138.167C138%2c142.333%2c138%2c150.667%2c138%2c158.333C138%2c166%2c138%2c173%2c138%2c176.5L138%2c180' id='L_I_DC_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_I_DC_0' data-points='W3sieCI6MTM4LCJ5IjoxMzR9LHsieCI6MTM4LCJ5IjoxNTl9LHsieCI6MTM4LCJ5IjoxODR9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M138%2c334L138%2c338.167C138%2c342.333%2c138%2c350.667%2c138%2c358.333C138%2c366%2c138%2c373%2c138%2c376.5L138%2c380' id='L_DC_DEV_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_DC_DEV_0' data-points='W3sieCI6MTM4LCJ5IjozMzR9LHsieCI6MTM4LCJ5IjozNTl9LHsieCI6MTM4LCJ5IjozODR9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M138%2c534L138%2c538.167C138%2c542.333%2c138%2c550.667%2c138%2c558.333C138%2c566%2c138%2c573%2c138%2c576.5L138%2c580' id='L_DEV_PRE_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_DEV_PRE_0' data-points='W3sieCI6MTM4LCJ5Ijo1MzR9LHsieCI6MTM4LCJ5Ijo1NTl9LHsieCI6MTM4LCJ5Ijo1ODR9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M138%2c806L138%2c810.167C138%2c814.333%2c138%2c822.667%2c138%2c830.333C138%2c838%2c138%2c845%2c138%2c848.5L138%2c852' id='L_PRE_DEP_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_PRE_DEP_0' data-points='W3sieCI6MTM4LCJ5Ijo4MDZ9LHsieCI6MTM4LCJ5Ijo4MzF9LHsieCI6MTM4LCJ5Ijo4NTZ9XQ==' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M138%2c982L138%2c986.167C138%2c990.333%2c138%2c998.667%2c138%2c1006.333C138%2c1014%2c138%2c1021%2c138%2c1024.5L138%2c1028' id='L_DEP_POST_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_DEP_POST_0' data-points='W3sieCI6MTM4LCJ5Ijo5ODJ9LHsieCI6MTM4LCJ5IjoxMDA3fSx7IngiOjEzOCwieSI6MTAzMn1d' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_I_DC_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_DC_DEV_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_DEV_PRE_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_PRE_DEP_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_DEP_POST_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg class='node default' id='flowchart-I-0' transform='translate(138%2c 71)'%3e%3crect class='basic label-container' style='' x='-119.375' y='-63' width='238.75' height='126'/%3e%3cg class='label' style='' transform='translate(-89.375%2c -48)'%3e%3crect/%3e%3cforeignObject width='178.75' height='96'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3e1. IDEATION%3cbr /%3eBusiness case review%3cbr /%3eInitial risk assessment%3cbr /%3eApproval: Product Owner%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-DC-2' transform='translate(138%2c 259)'%3e%3crect class='basic label-container' style='' x='-119.828125' y='-75' width='239.65625' height='150'/%3e%3cg class='label' style='' transform='translate(-89.828125%2c -60)'%3e%3crect/%3e%3cforeignObject width='179.65625' height='120'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3e2. DATA COLLECTION%3cbr /%3eData source identification%3cbr /%3eGDPR legal basis check%3cbr /%3eBias assessment%3cbr /%3eApproval: DPO%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-DEV-4' transform='translate(138%2c 459)'%3e%3crect class='basic label-container' style='' x='-128.7421875' y='-75' width='257.484375' height='150'/%3e%3cg class='label' style='' transform='translate(-98.7421875%2c -60)'%3e%3crect/%3e%3cforeignObject width='197.484375' height='120'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3e3. DEVELOPMENT%3cbr /%3eModel training%3cbr /%3eTesting %26amp%3b validation%3cbr /%3eDocumentation%3cbr /%3eApproval: Engineering Lead%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-PRE-6' transform='translate(138%2c 695)'%3e%3crect class='basic label-container' style='' x='-130' y='-111' width='260' height='222'/%3e%3cg class='label' style='' transform='translate(-100%2c -96)'%3e%3crect/%3e%3cforeignObject width='200' height='192'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3e4. PRE-DEPLOYMENT REVIEW%3cbr /%3eRisk classification finalization%3cbr /%3eDPIA -- if high-risk%3cbr /%3eHuman oversight check%3cbr /%3eApproval: CTO %2b Legal -- high-risk: %2b CEO%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-DEP-8' transform='translate(138%2c 919)'%3e%3crect class='basic label-container' style='' x='-94.015625' y='-63' width='188.03125' height='126'/%3e%3cg class='label' style='' transform='translate(-64.015625%2c -48)'%3e%3crect/%3e%3cforeignObject width='128.03125' height='96'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3e5. DEPLOYMENT%3cbr /%3eStaged rollout%3cbr /%3eMonitoring setup%3cbr /%3eUser notification%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-POST-10' transform='translate(138%2c 1095)'%3e%3crect class='basic label-container' style='' x='-118.0234375' y='-63' width='236.046875' height='126'/%3e%3cg class='label' style='' transform='translate(-88.0234375%2c -48)'%3e%3crect/%3e%3cforeignObject width='176.046875' height='96'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3e6. POST-DEPLOYMENT%3cbr /%3eContinuous monitoring%3cbr /%3eIncident management%3cbr /%3eRegular re-validation%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
7. AI Incident Management
7.1 AI incident definition
| Type | Example | Severity |
|---|---|---|
| Bias | Discriminatory outputs | High |
| Hallucination | Factually incorrect information | Medium |
| Privacy breach | PII in outputs | Critical |
| Malfunction | System not working | Medium |
| Security | Adversarial attack | Critical |
7.2 Response Process
%3btext-align:center%3b%7d%23mermaid-1 .edgeLabel p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-1 .edgeLabel rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-1 .labelBkg%7bbackground-color:rgba(232%2c 232%2c 232%2c 0.5)%3b%7d%23mermaid-1 .cluster rect%7bfill:%23ffffde%3bstroke:%23aaaa33%3bstroke-width:1px%3b%7d%23mermaid-1 .cluster text%7bfill:%23333%3b%7d%23mermaid-1 .cluster span%7bcolor:%23333%3b%7d%23mermaid-1 div.mermaidTooltip%7bposition:absolute%3btext-align:center%3bmax-width:200px%3bpadding:2px%3bfont-family:arial%2csans-serif%3bfont-size:12px%3bbackground:hsl(80%2c 100%25%2c 96.2745098039%25)%3bborder:1px solid %23aaaa33%3bborder-radius:2px%3bpointer-events:none%3bz-index:100%3b%7d%23mermaid-1 .flowchartTitleText%7btext-anchor:middle%3bfont-size:18px%3bfill:%23333%3b%7d%23mermaid-1 rect.text%7bfill:none%3bstroke-width:0%3b%7d%23mermaid-1 .icon-shape%2c%23mermaid-1 .image-shape%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3btext-align:center%3b%7d%23mermaid-1 .icon-shape p%2c%23mermaid-1 .image-shape p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bpadding:2px%3b%7d%23mermaid-1 .icon-shape .label rect%2c%23mermaid-1 .image-shape .label rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-1 .label-icon%7bdisplay:inline-block%3bheight:1em%3boverflow:visible%3bvertical-align:-0.125em%3b%7d%23mermaid-1 .node .label-icon path%7bfill:currentColor%3bstroke:revert%3bstroke-width:revert%3b%7d%23mermaid-1 :root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg%3e%3cmarker id='mermaid-1_flowchart-v2-pointEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 0 L 10 5 L 0 10 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-1_flowchart-v2-pointStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='4.5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 5 L 10 10 L 10 0 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-1_flowchart-v2-circleEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='11' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-1_flowchart-v2-circleStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='-1' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-1_flowchart-v2-crossEnd' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='12' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-1_flowchart-v2-crossStart' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='-1' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cg class='root'%3e%3cg class='clusters'/%3e%3cg class='edgePaths'%3e%3cpath d='M138%2c62L138%2c66.167C138%2c70.333%2c138%2c78.667%2c138%2c86.333C138%2c94%2c138%2c101%2c138%2c104.5L138%2c108' id='L_A_B_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_A_B_0' data-points='W3sieCI6MTM4LCJ5Ijo2Mn0seyJ4IjoxMzgsInkiOjg3fSx7IngiOjEzOCwieSI6MTEyfV0=' marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)'/%3e%3cpath d='M138%2c190L138%2c194.167C138%2c198.333%2c138%2c206.667%2c138%2c214.333C138%2c222%2c138%2c229%2c138%2c232.5L138%2c236' id='L_B_C_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_B_C_0' data-points='W3sieCI6MTM4LCJ5IjoxOTB9LHsieCI6MTM4LCJ5IjoyMTV9LHsieCI6MTM4LCJ5IjoyNDB9XQ==' marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)'/%3e%3cpath d='M138%2c294L138%2c298.167C138%2c302.333%2c138%2c310.667%2c138%2c318.333C138%2c326%2c138%2c333%2c138%2c336.5L138%2c340' id='L_C_D_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_C_D_0' data-points='W3sieCI6MTM4LCJ5IjoyOTR9LHsieCI6MTM4LCJ5IjozMTl9LHsieCI6MTM4LCJ5IjozNDR9XQ==' marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)'/%3e%3cpath d='M138%2c422L138%2c426.167C138%2c430.333%2c138%2c438.667%2c138%2c446.333C138%2c454%2c138%2c461%2c138%2c464.5L138%2c468' id='L_D_E_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_D_E_0' data-points='W3sieCI6MTM4LCJ5Ijo0MjJ9LHsieCI6MTM4LCJ5Ijo0NDd9LHsieCI6MTM4LCJ5Ijo0NzJ9XQ==' marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)'/%3e%3cpath d='M138%2c550L138%2c554.167C138%2c558.333%2c138%2c566.667%2c138%2c574.333C138%2c582%2c138%2c589%2c138%2c592.5L138%2c596' id='L_E_F_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_E_F_0' data-points='W3sieCI6MTM4LCJ5Ijo1NTB9LHsieCI6MTM4LCJ5Ijo1NzV9LHsieCI6MTM4LCJ5Ijo2MDB9XQ==' marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)'/%3e%3cpath d='M138%2c654L138%2c658.167C138%2c662.333%2c138%2c670.667%2c138%2c678.333C138%2c686%2c138%2c693%2c138%2c696.5L138%2c700' id='L_F_G_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_F_G_0' data-points='W3sieCI6MTM4LCJ5Ijo2NTR9LHsieCI6MTM4LCJ5Ijo2Nzl9LHsieCI6MTM4LCJ5Ijo3MDR9XQ==' marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)'/%3e%3cpath d='M138%2c758L138%2c762.167C138%2c766.333%2c138%2c774.667%2c138%2c782.333C138%2c790%2c138%2c797%2c138%2c800.5L138%2c804' id='L_G_H_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_G_H_0' data-points='W3sieCI6MTM4LCJ5Ijo3NTh9LHsieCI6MTM4LCJ5Ijo3ODN9LHsieCI6MTM4LCJ5Ijo4MDh9XQ==' marker-end='url(%23mermaid-1_flowchart-v2-pointEnd)'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_A_B_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_B_C_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_C_D_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_D_E_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_E_F_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_F_G_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_G_H_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg class='node default' id='flowchart-A-0' transform='translate(138%2c 35)'%3e%3crect class='basic label-container' style='' x='-102.046875' y='-27' width='204.09375' height='54'/%3e%3cg class='label' style='' transform='translate(-72.046875%2c -12)'%3e%3crect/%3e%3cforeignObject width='144.09375' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eAI Incident Detected%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-B-1' transform='translate(138%2c 151)'%3e%3crect class='basic label-container' style='' x='-130' y='-39' width='260' height='78'/%3e%3cg class='label' style='' transform='translate(-100%2c -24)'%3e%3crect/%3e%3cforeignObject width='200' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eNotify: CTO %2b CISO -- immediate%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-C-3' transform='translate(138%2c 267)'%3e%3crect class='basic label-container' style='' x='-122.2578125' y='-27' width='244.515625' height='54'/%3e%3cg class='label' style='' transform='translate(-92.2578125%2c -12)'%3e%3crect/%3e%3cforeignObject width='184.515625' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eAssess: Severity %2b Impact%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-D-5' transform='translate(138%2c 383)'%3e%3crect class='basic label-container' style='' x='-130' y='-39' width='260' height='78'/%3e%3cg class='label' style='' transform='translate(-100%2c -24)'%3e%3crect/%3e%3cforeignObject width='200' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eContain: Disable/rollback if needed%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-E-7' transform='translate(138%2c 511)'%3e%3crect class='basic label-container' style='' x='-130' y='-39' width='260' height='78'/%3e%3cg class='label' style='' transform='translate(-100%2c -24)'%3e%3crect/%3e%3cforeignObject width='200' height='48'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eInvestigate: Root cause analysis%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-F-9' transform='translate(138%2c 627)'%3e%3crect class='basic label-container' style='' x='-105.8125' y='-27' width='211.625' height='54'/%3e%3cg class='label' style='' transform='translate(-75.8125%2c -12)'%3e%3crect/%3e%3cforeignObject width='151.625' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eRemediate: Fix %2b test%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-G-11' transform='translate(138%2c 731)'%3e%3crect class='basic label-container' style='' x='-122.046875' y='-27' width='244.09375' height='54'/%3e%3cg class='label' style='' transform='translate(-92.046875%2c -12)'%3e%3crect/%3e%3cforeignObject width='184.09375' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eDocument: Incident report%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-H-13' transform='translate(138%2c 835)'%3e%3crect class='basic label-container' style='' x='-119.3828125' y='-27' width='238.765625' height='54'/%3e%3cg class='label' style='' transform='translate(-89.3828125%2c -12)'%3e%3crect/%3e%3cforeignObject width='178.765625' height='24'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eReview: Lessons learned%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
8. User Transparency
8.1 Mandatory disclosures
| Situation | Disclosure |
|---|---|
| Chatbot | ”You are communicating with an AI assistant” |
| AI recommendation | ”This content is recommended by AI” |
| AI decision | ”This decision was supported by AI” |
| Deepfake/synthetic | ”This content was generated by AI” |
8.2 Right to Explanation
If AI affects decisions about a person:
- The data subject has the right to know that AI was used
- The data subject has the right to an explanation of the factors involved
- The data subject has the right to human review
9. Documentation Requirements
9.1 Model Card (for each AI system)
| Section | Content |
|---|---|
| Overview | Purpose, owner, status |
| Training Data | Sources, size, preprocessing |
| Architecture | Model type, parameters |
| Performance | Accuracy, limitations |
| Fairness | Bias testing results |
| Limitations | Known issues, edge cases |
| Intended Use | Approved use cases |
| Prohibited Use | What NOT to use it for |
9.2 Retention
| Document | Retention |
|---|---|
| Model Card | Lifetime of model + 5 years |
| Training Data Info | Lifetime of model + 5 years |
| Testing Results | 5 years |
| Incident Reports | 5 years |
| Audit Logs | 5 years |
10. Training & Awareness
| Role | Training | Frequency |
|---|---|---|
| All employees | AI basics, acceptable use | Annually |
| Data Science | Bias testing, fairness | Quarterly |
| Product | AI transparency, UX | Semi-annually |
| Legal | AI Act requirements | Annually |
| Leadership | AI governance, risk | Annually |
11. Policy Review
- Quarterly: Review AI inventory, incidents
- Semi-annually: Update per regulatory changes
- Annually: Full policy review + board approval
Next review: Q2 2026