AI Governance Policy

Executive summary

AI Governance as a trust capability

Yaripo understands that the use of artificial intelligence must be governed by criteria of accountability, traceability, risk control, security, data quality and human oversight proportionate to the impact of the use case. This policy aims to establish that operational framework for enterprise, commercial and technology contexts.

Practical purpose. This document serves as the governing AI framework for clients, partners, due diligence processes and internal service design, and does not imply any formal certification currently in force.

Reference framework

Aligned with international standards

Yaripo may structure its approach to AI governance drawing on reference frameworks such as ISO/IEC 42001, the NIST AI Risk Management Framework and emerging market best practices in security, accountability and AI system quality.

Correct reading. Reference to these frameworks expresses methodological alignment and progressive maturity, not formal certification or audited conformity unless express accreditation exists.

Objective

Purpose of the policy

The objective of this policy is to establish principles, responsibilities and controls to ensure that the artificial intelligence systems, tools and services used by Yaripo are deployed and operated in a responsible, secure, legally prudent manner aligned with enterprise expectations.

Scope

Systems, services and covered use cases

This policy applies, as appropriate, to:

AI models integrated into consulting services, products or automations;
advanced analytics solutions with generative, predictive or classification components;
labs, demos, pilots, PoCs and technology validation environments;
content, courses, tools or assistants used in the academy;
integrations with external AI providers, foundational models or related APIs.

Guiding principles of responsible AI

Responsible use, control and oversight

Yaripo orients its use of AI around principles such as:

legality and legitimate use;
human oversight proportionate to risk;
security, resilience and operational control;
data quality and governance;
reasonable transparency regarding the role of AI;
mitigation of bias and material errors where applicable;
protection of sensitive, personal or confidential information.

Core principle. Artificial intelligence must not be treated as an automatic substitute for human judgment in contexts of critical, regulated or sensitive impact.

Governance and accountability

Responsibilities and decision-making

AI governance involves defining owners responsible for system design, implementation, review, monitoring and use. At Yaripo, responsibility for high-impact decisions must not be blindly delegated to the model; it must be retained under human professional judgment and, where appropriate, subject to review by the client or authorised user.

Use cases must be assessed considering their purpose, impact, criticality and dependence on the model.

AI risk management

Identification, assessment and mitigation

Yaripo may adopt an AI risk management approach that considers, among others:

risk of material errors, hallucinations or misleading outputs;
risk of bias, discrimination or improper inferences;
risk of exposure of sensitive or confidential information;
risk of misuse by the user or by a third-party integrator;
operational risk associated with excessive automation;
reputational, contractual or regulatory risk.

Proportionate approach. The greater the criticality of the use case, the higher the level of review, control, validation and documentation that must be applied.

Data, datasets and inputs

Use of datasets, inputs and protection

The use of data in AI systems must observe criteria of legitimacy, necessity, quality, security and purpose. Yaripo may process or interact with datasets, prompts, files, client inputs, technical documentation and metadata associated with the operation of AI solutions.

Accordingly:

data must not be used without a legitimate basis or sufficient authorisation;
improper use of sensitive or highly confidential data in unprepared environments must be avoided;
the use of client datasets for training, fine-tuning or model improvement must be expressly enabled where applicable;
the quality of input data directly affects the reliability of the output.

Security of AI models and systems

Technical and operational controls

AI security encompasses both the security of the model itself and that of its surrounding ecosystem. Yaripo may apply or promote controls such as:

access control to models, endpoints, prompts or associated environments;
protection against prompt injection, instruction bypass or context manipulation;
prevention of improper exposure of data, secrets or contextual memory;
environment segregation and configuration review;
monitoring for anomalous use, abuse or systematic extraction;
hardening of system components and dependencies.

Emerging risk. AI security is not limited to traditional cybersecurity: it also includes specific risks arising from interactions with prompts, context, data and outputs.

Prohibited or unauthorised uses

Explicit limits on permitted use

The following uses of Yaripo's AI systems or outputs are prohibited, among others:

fraud, deception, manipulation or impersonation;
deliberate disinformation or generation of content intended to harm third parties;
use for unlawful surveillance or illicit profiling;
attempts at mass extraction, replication or reverse engineering of logic, prompts or system behaviour;
use of outputs to train, improve or develop competing systems without express authorisation;
automation of critical decisions without human validation proportionate to the risk.

Business model protection. Yaripo's outputs, structures, prompts, methodologies and AI assets may not be used to reproduce, train or enable solutions that directly or indirectly compete with Yaripo without express authorisation.

Human oversight and critical decisions

Critical decisions and validation

Where an AI solution influences or may influence decisions material to people, operations, reputation, compliance or business, Yaripo recommends and may require a layer of human validation appropriate to the context.

This is especially relevant in financial, legal, regulatory, employment, privacy, security or materially impactful decisions affecting third parties.

Monitoring, review and continuous improvement

Tracking, review and improvement

AI systems must be reviewed periodically based on performance, risk, observed errors, context changes, user feedback and technical evolution of the provider or environment.

AI governance at Yaripo is conceived as a continuous process, not a one-time validation prior to deployment.

Third parties, external models and dependencies

External models and providers

When Yaripo uses models, APIs, components or infrastructure provided by third parties, governance must account for the limitations, risks, terms of use, security, privacy and continuity considerations associated with that provider.

Reliance on third parties does not eliminate the need for control, validation and risk assessment in relation to the final use case.

Policy evolution and future maturity

Maturity and future updates

Yaripo may update this policy to reflect regulatory, technological, contractual or business changes, including the evolution of standards, new enterprise client requirements, changes in AI providers or greater formalisation of its governance system.

Progressive maturity. AI governance is a capability in evolution. Yaripo may progressively strengthen its documentary framework, traceability, controls and alignment with standards such as ISO/IEC 42001 as its operations, exposure and commercial demand grow.