AI Governance Policy
Our Framework For
Responsible AI Use
The principles, processes, and accountability structures that govern how we develop and use AI — published because transparency is part of the standard we set.
Last updated: May 2026
Our AI use is guided by five core principles: transparency, human oversight, proportionality, accountability, and continuous improvement. These are not aspirational — they are the criteria against which every AI tool adoption is evaluated.
We believe AI should augment human capability, not replace human responsibility. Every application of AI within our business is evaluated against our five principles before adoption. We maintain a formal AI tools register that documents each tool in use, its purpose, the data it processes, the controls applied, who approved it, and when it is next due for review.
Our principles align with the transparency and human oversight requirements of the EU AI Act (Regulation (EU) 2024/1689), the ICO AI and Data Protection Code of Practice (SI 2026/425), and ISO/IEC 42001, the international standard for AI management systems. Although as a UK business we are not directly subject to all EU AI Act obligations, we apply its principles because they represent current best practice and because many of the organisations we serve operate in the EU.
Every AI tool we use is assessed for risk before adoption and reassessed at least annually. We classify AI applications by risk tier and apply controls proportionate to that classification.
We classify AI applications using a risk framework aligned to the EU AI Act's risk tiers. General productivity tools with no material impact on individuals are classified as minimal risk. Tools that inform decisions about clients or their data are classified as limited or higher risk and are subject to additional controls, including documented review processes, access restrictions, and mandatory human oversight.
Risk assessments are documented in our AI tools register and reviewed at minimum annually, or sooner if a tool's capabilities, terms of service, or data processing commitments change materially. Where a tool is reclassified to a higher risk tier, we review its deployment and implement additional safeguards before continuing use. Copies of our risk framework documentation are available to clients on request.
We align our AI governance to UK and EU regulatory frameworks, because compliance should be future-proof and because our clients expect us to demonstrate what good looks like.
In the UK, we operate in accordance with the UK GDPR, the Data (Use and Access) Act 2025, and the ICO AI and Data Protection Code of Practice (SI 2026/425), which came into statutory force in May 2026. We follow ICO guidance on AI governance, automated decision-making, and transparency obligations. We also reference the frameworks published by the UK AI Security Institute (formerly the AI Safety Institute) as they develop.
At the EU level, we apply the principles of the EU AI Act (Regulation (EU) 2024/1689), including its requirements for transparency, human oversight, and risk classification. We additionally reference the NIST AI Risk Management Framework (AI RMF 1.0) and ISO/IEC 42001 as internationally recognised standards. Our position is that robust AI governance is a commercial advantage as well as a compliance requirement, and we invest in it accordingly.
Accountability for AI use sits with the principal of the business. There is no ambiguity about who is responsible for AI-related decisions, complaints, or incidents.
As a sole-principal consultancy, ultimate accountability for all AI use rests with the business owner. We maintain a log of AI-related incidents or near-misses, however minor, as part of our commitment to continuous learning. We do not delegate accountability to tools, processes, or third parties — if something AI-assisted falls short of the standard expected, that is ours to resolve.
Clients who engage us for AI governance work can expect us to demonstrate our own governance practices as part of the engagement. We do not advise clients to adopt standards we do not hold ourselves to, and where we identify gaps in our own practices during a client engagement, we disclose and address them. This policy is published publicly because transparency about AI governance starts with us.
AI governance is not a one-time exercise. We review and improve our practices as the technology, regulatory landscape, and our own understanding evolve.
We review our AI governance framework at minimum every six months. Reviews consider changes in the regulatory environment, updates to tools we use, any incidents or near-misses logged during the period, and feedback from clients or industry peers. Review outcomes are documented and, where material, reflected promptly in updates to this policy and our supporting documentation.
We publish this policy publicly because we believe transparency drives accountability, and because we are in the business of helping others do the same. If you have feedback on our governance practices, or would like to explore how the Aria platform can support your own AI governance journey, we welcome that conversation. Contact us at [[email protected]] or visit www.quantisys.co.uk.