Executive summary

Purpose of this page: to explain how SafetyDocs Ltd governs the use of AI across its business, including internal tools, embedded AI features, supplier-provided systems and any customer-facing AI-enabled functionality.

Primary alignment: ISO/IEC 42001, the UK Government AI Playbook and the EU AI Act.[1] [2] [3]

Our approach is deliberately practical. It focuses on understanding what AI exists within the organisation, what it is used for, what risks it creates, what controls are required, and how decisions remain subject to meaningful oversight. This supports lawful, secure and transparent use of AI and helps us evidence good governance to clients, partners and regulators.[4]

Core reference framework

This governance approach is informed by four core reference points: ISO/IEC 42001, the UK Government AI Playbook, the EU AI Act, and NCSC secure AI guidance. Together, they provide a practical foundation for AI governance, risk management, transparency, accountability and secure deployment.

  • ISO/IEC 42001: AI management system standard for governance, accountability, controls and continual improvement.
  • UK Government AI Playbook: Practical guidance on safe, responsible and effective AI adoption.
  • EU AI Act: Risk-based legal framework shaping how AI systems are classified, governed and overseen.
  • NCSC secure AI guidance: Cyber security guidance for developing, deploying and using AI systems securely.

Policy statement

Document control

  • Policy title: Artificial Intelligence Governance and Security Policy
  • Organisation: SafetyDocs Ltd
  • Version: 1.0
  • Executive owner: Managing Director / CEO
  • Policy owner: Risk & Compliance Lead or equivalent
  • Review cycle: At least annually, and on material change

AI policy statement

SafetyDocs Ltd will design, procure, deploy and use AI systems lawfully, securely, ethically and with appropriate human oversight, while maintaining documented governance, risk management, assurance and continuous improvement controls across the AI lifecycle.

Scope

This policy applies to:

  • all staff, contractors and third parties acting on behalf of SafetyDocs Ltd
  • all AI systems, models, tools, embedded AI features and experimental uses
  • all uses involving business data, client data, personal data, safety-related content or material business decisions

Policy principles

  • AI will only be used where it is proportionate, justified and the right tool for the task.
  • AI use must comply with applicable law, including privacy, intellectual property, equality, cyber security and sector-specific obligations.
  • AI systems must be risk assessed before use and periodically reassessed as they change.
  • Human oversight must be meaningful and proportionate to the risk and impact of the use case.
  • AI tools must be secure by design and monitored for misuse, drift, error and cyber risk.
  • AI use must be transparent, documented and communicated appropriately to relevant users and stakeholders.
  • Suppliers and third parties must be assessed against equivalent governance expectations.
  • Staff must receive role-appropriate guidance and training on approved AI use.
  • The organisation will maintain and continually improve its AI governance arrangements.

Alignment note: The management-system approach reflected here is designed to align with ISO/IEC 42001’s expectation that an AI management system is established, implemented, maintained and continually improved.[1]

Prohibited and restricted uses

SafetyDocs Ltd will not use AI in ways that are unlawful, deceptive, discriminatory, unsafe or inconsistent with this policy. Where the EU AI Act applies, prohibited practices must not be deployed. Where privacy, rights or significant effects on individuals may arise, the use case must be escalated for formal assessment and approval.[3] [6]

Transparency and communications

We will document material AI use and, where appropriate, disclose when users are interacting with AI or receiving AI-assisted or AI-generated outputs. Customer-facing AI use must have a clear route for review, escalation and correction where required.[2] [3]

Security and data handling

AI tools must be used securely, with rules governing what data may be entered, how outputs are validated, how access is controlled, and how incidents are identified and managed. AI suppliers must be assessed for security posture and supply chain risk.[5] [4]

Governance model

SafetyDocs Ltd operates an AI governance structure with clear ownership, review and escalation. At minimum, this includes: an executive owner, a policy owner, a risk/compliance lead, a security lead, a procurement lead, and a named owner for each relevant AI use case.

For higher-risk or customer-facing systems, formal review and approval is required, with documented decisions, restrictions and escalation paths.

Roles and responsibilities

Minimum governance roles for SafetyDocs Ltd AI use

  • Executive owner
    Accountabilities: Sets risk appetite, approves governance approach, receives assurance and exception reporting.
    Typical outputs: Policy approval, governance direction, senior oversight.
  • Policy owner
    Accountabilities: Maintains policy, standards, records and review process.
    Typical outputs: Policy updates, governance records, evidence pack.
  • Risk / compliance lead
    Accountabilities: Ensures risk assessments, legal mapping and compliance checks are completed.
    Typical outputs: Risk records, compliance assessments, approvals.
  • Security lead
    Accountabilities: Owns AI security controls, data handling rules, monitoring and incident response integration.
    Typical outputs: Security requirements, supplier checks, incident actions.
  • Procurement lead
    Accountabilities: Ensures supplier due diligence and governance requirements are built into procurement and contracts.
    Typical outputs: Supplier assessments, contract controls, due diligence records.
  • Use-case owner
    Accountabilities: Accountable for the safe and compliant operation of a specific AI use case.
    Typical outputs: Use-case record, monitoring evidence, review actions.

Governance in practice

Our AI governance approach is structured around five practical stages. These stages are not presented here as a public toolkit, but as the operating model we use to maintain control, accountability and improvement over time.

Discover and inventory

We maintain visibility over AI tools, models, embedded AI features and experimental uses across the organisation. This includes understanding what exists, who owns it, what it is used for and what data it touches.

Classify and assess

We assess AI uses for legal, ethical, security, operational and reputational risk. Where relevant, we consider whether a use case may fall into prohibited, high-risk, transparency-sensitive or minimal-risk categories under the EU AI Act, and whether UK data protection obligations apply.[3] [6]

Control and assure

We apply controls for data handling, human oversight, testing, approvals, supplier management and incident response. Higher-risk uses require more formal assurance before go-live and periodic review afterwards.[5]

Train and enable

We provide role-appropriate guidance so staff understand what AI can and cannot be used for, how outputs should be checked, and how concerns should be escalated. Governance only works when supported by practical awareness and responsible use.[2]

Monitor and improve

We review AI tools and use cases for drift, quality issues, security concerns, incidents and changing legal obligations. Findings from reviews, errors, complaints and changes in suppliers or models are used to update controls and improve governance over time.

Governance records maintained

Core governance records maintained as part of AI oversight

  • AI inventory
    Purpose: Record what AI systems and features are in use.
    Why it matters: Provides visibility and accountability.
  • Use-case records
    Purpose: Describe how AI is used in practice.
    Why it matters: Supports proportional governance.
  • Risk assessments
    Purpose: Record legal, privacy, fairness, security and operational risks.
    Why it matters: Supports evidence-based approval and review.
  • Control records
    Purpose: Document oversight, testing, monitoring and restrictions.
    Why it matters: Demonstrates assurance.
  • Supplier due diligence
    Purpose: Record checks on AI providers and dependencies.
    Why it matters: Supports supply chain governance.
  • Training records
    Purpose: Show who has received relevant guidance or training.
    Why it matters: Supports capability and accountability.
  • Incident and review records
    Purpose: Capture issues, lessons learned and corrective actions.
    Why it matters: Supports continual improvement.

How this is implemented

SafetyDocs Ltd applies this policy through documented governance, designated ownership, risk-based approvals, supplier checks, staff guidance and periodic review. We review AI use at least annually and sooner where there is material change, such as:

  • a new AI tool, model or embedded feature being introduced
  • a change in supplier, processing arrangement or hosting location
  • a change in the type of data processed
  • a change in whether the use is customer-facing or decision-supporting
  • an incident, complaint, near miss or material output quality issue
  • a legal or regulatory development affecting AI governance or privacy obligations

Practical position: we use AI to improve speed, consistency and operational efficiency, but not as a substitute for judgment, governance or accountability. Final responsibility for decisions, outputs and services remains with SafetyDocs Ltd.

Sources and references

These references point to primary or official sources wherever possible.

  1. ISO — ISO/IEC 42001:2023, AI management systems. https://www.iso.org/standard/42001
  2. GOV.UK — Artificial Intelligence Playbook for the UK Government. https://www.gov.uk/government/publications/ai-playbook-for-the-uk-government/artificial-intelligence-playbook-for-the-uk-government-html
  3. European Commission — AI Act | Shaping Europe’s digital future. https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai
  4. Information Commissioner’s Office — Guidance on AI and data protection. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/artificial-intelligence/guidance-on-ai-and-data-protection/
  5. UK National Cyber Security Centre — Guidelines for secure AI system development. https://www.ncsc.gov.uk/files/Guidelines-for-secure-AI-system-development.pdf
  6. Information Commissioner’s Office — Rights related to automated decision making, including profiling. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/rights-related-to-automated-decision-making-including-profiling/

© SafetyDocs Ltd — AI Governance and Security Policy.

This page is intended as a public-facing statement of how we govern and control the use of artificial intelligence within our organisation.