Policy Owner: CTO (AIMS Owner)
Co-signers: CISO, General Counsel
Effective Date: June 13, 2026
Reviewed: Annually and on material AI change
Frameworks: ISO/IEC 42001:2023 (Annex A.5 / clause 6.1); NIST AI RMF; EU AI Act Art. 9
Co-signers: CISO, General Counsel
Effective Date: June 13, 2026
Reviewed: Annually and on material AI change
Frameworks: ISO/IEC 42001:2023 (Annex A.5 / clause 6.1); NIST AI RMF; EU AI Act Art. 9
Purpose
Establish how AI-specific risks are governed within the AI Management System (AIMS). It extends the enterprise Risk Management Policy (which holds AI/Model risk as a category) to the AI-specific dimensions the AIMS requires, and feeds the AI System Life Cycle Process.Relationship to the enterprise risk program
AI risks are assessed on the same 5×5 methodology, register, and cadence as all other risks (see Risk Management Policy and Annual Risk Assessment). This policy adds the AI-specific risk tolerance, measurement strategy, resource allocation, and training that ISO/IEC 42001 expects, and the AI-system impact dimension (harm to individuals and groups), which ordinary security risk does not capture.AI risk tolerance
Neuroscale’s AI risk appetite is low for risks that affect individuals’ rights, employment outcomes, or safety, and moderate for internal-efficiency AI with human oversight. Concretely:- Not acceptable (must be eliminated or the system not shipped): any EU AI Act Art. 5 prohibited practice; a consequential employment decision made solely by AI without human oversight; deployment of a high-risk feature without a completed bias audit; training on data lacking a lawful basis or failing the Deidentification Standard.
- Acceptable only with treatment and sign-off: high-risk (Annex III) features (require bias audit, human oversight, impact assessment, and AI-review approval); synthetic media of persons (require consent, labeling, abuse controls).
- Acceptable with monitoring: limited-risk assistive features with AI-interaction disclosure and post-market monitoring.
AI risk measurement strategy
AI risks are scored on the standard likelihood × impact scale, with impact assessed across four AI-specific dimensions in addition to security/availability:- Individual/group harm — bias, discrimination, denial of opportunity, dignity (measured via disparate-impact / subgroup-parity metrics from the Employment-AI Bias-Audit Procedure).
- Privacy — re-identification, training-data leakage (measured via the Re-identification Audit and Deidentification Standard parameters).
- Robustness/accuracy — failure modes, hallucination, drift (measured via the AI System Evaluation).
- Transparency/oversight — adequacy of disclosure and human-in-the-loop controls.
AI risk treatment
The four treatment options (mitigate, transfer, avoid, accept) apply. Treatment decisions and any cost-benefit considerations are recorded in the AI risk review and the AI Model Registry feature card. Avoidance (not shipping, or geofencing out of a market) is the default where residual risk exceeds tolerance.Resource allocation
The AIMS Owner ensures adequate resources for AI risk management: the AI risk review group (CTO, CISO, GC, product owner); evaluation/bias-audit tooling and, for high-risk features, an independent bias auditor; compute and data-governance tooling; and the privacy/legal resources for DPIA/FRIA. Resourcing gaps are raised at the ISMS Management Review.Competence & training
Personnel involved in AI development, deployment, or oversight complete AI-risk training appropriate to their role, covering responsible-AI principles, bias and fairness, the tiering/obligations of applicable AI law, and incident handling. The curriculum is maintained in the Training Catalog; completion is tracked in Vanta. This satisfies the AIMS competence requirement and the “AI risk security awareness training” control.Records
AI risk register entries, measurement records, treatment decisions, and training completion — retained per the Records Retention Schedule.Cross-references
- Risk Management Policy — enterprise risk program.
- AI Acceptable Use Policy → AIMS
- AI System Life Cycle Process
- DPIA · Employment-AI Bias-Audit · Re-identification Audit
- AIMS Statement of Applicability
Version history
| Version | Date | Description | Author | Approved by |
|---|---|---|---|---|
| 1.0 | June 13, 2026 | Initial version. | Cameron Wolfe | Ishan Jadhwani |