Purpose
The purpose of this policy is to establish governance and security requirements for the use of Artificial Intelligence (AI), including generative AI, to ensure the confidentiality, integrity, and availability of Zuar and customer data and systems.
Scope
This policy applies to:
- All employees and contractors using AI for Zuar work
- AI-assisted engineering and support workflows
- Any AI-enabled product/service integrations operated by Zuar
- Third-party AI tools, APIs, and managed AI services
Definitions
- AI Tool / Service: Any system that generates, transforms, or summarizes content using AI models (including code assistants).
- Customer Confidential Data: Any non-public customer data, confidential business information, regulated data, secrets, credentials, or security-sensitive configuration.
- AI Integration: An application feature or internal service that programmatically calls an AI model endpoint (e.g., AWS Bedrock).
Approved AI Tools and Use
Zuar currently approves the following AI services for engineering/support use, subject to the requirements of this policy:
- Claude Code
- Abacus Route LLM
- AWS Bedrock
Use of any other AI tool for Zuar work requires prior review and approval under Zuar’s vendor/security review process.
Data Protection Requirements
Prohibited Inputs
Employees and contractors must not enter or transmit the following into AI tools or prompts:
- Credentials (passwords, API keys, tokens, private keys)
- Security secrets, secret material, or sensitive authentication information
- Sensitive data unless explicitly approved for a specific controlled integration
Handling of Sensitive Data
Zuar’s standard practice is not to share sensitive data with AI tools used for engineering/support. Where an approved AI integration requires processing of controlled data, it must comply with Section 7 (AI Integrations) and the organization’s existing security controls for access, encryption, and monitoring.
Human Oversight and Quality Controls
- All AI-generated code is reviewed by a human prior to merge, deployment, or production release.
- AI output must be treated as untrusted until validated (e.g., correctness, security, licensing implications where applicable).
- AI is used to assist productivity; it does not replace engineering judgment or established SDLC controls.
AI Integrations (Product/Service Use of AI)
Zuar operates an AI integration with the following controls:
- The integration uses a dedicated AWS Bedrock environment.
- The integration uses embedded/encrypted credentials for one environment (as required for the integration to function).
- Credentials are not exposed to end users and are protected using encryption and appropriate access controls.
- Customer data is not stored for AI training or long-term retention as part of the integration.
- Customer data is not used to train an AI model.
- Access to the model and related operations is governed by AWS Bedrock controls (including AWS IAM-based access control and AWS service-level security controls).
Any new AI integration or material change to an existing integration must follow change management and security review prior to production deployment.
Access Control
- Access to AI tools and AI integration resources must follow least privilege principles.
- Access must be limited to authorized personnel and managed through standard identity and access processes.
- Administrative access to AI integration infrastructure (e.g., AWS accounts, Bedrock configuration, IAM roles) is restricted to approved roles.
Vendor and Service Risk Management
Zuar evaluates AI vendors/services prior to approval and periodically thereafter, considering:
- Data handling and data usage terms (including training restrictions where applicable)
- Security posture and access control options
- Operational reliability and supportability
Monitoring, Logging, and Auditing
- AI integration usage is monitored consistent with Zuar’s security monitoring practices.
- Logs (where used) must not intentionally capture secrets/credentials.
- Logs and operational telemetry are protected as sensitive operational data.
Incident Response
AI-related incidents (including suspected exposure of sensitive data via prompts/outputs, misuse, or unauthorized access to AI integration resources) are handled under Zuar’s incident response process, including:
- Containment (e.g., disabling the integration, revoking access, rotating credentials)
- Investigation and root cause analysis
- Corrective actions and documented remediation
Policy Exceptions
Any exception to this policy must be:
- Documented
- Risk-assessed
- Approved by designated security and leadership stakeholders
- Time-bounded with compensating controls as appropriate
Review Cycle
This policy will be reviewed at least annually, and upon material changes to AI usage, AI integrations, or applicable legal/security requirements.
Related Policies