AI Act Group Policy

1. Introduction & Scope

The Blue Sky Creations Group is committed to maintaining the confidentiality, integrity, and availability of information assets, including those related to Artificial Intelligence (AI) systems development and provision.

Compliance with the New Zealand and Australian Privacy Acts, the European General Data Protection Regulation (EU GDPR), the United Kingdom General Data Protection Regulation (UK GDPR) and, more recently, the European Union AI Act (the Act) is a prerequisite.

This policy outlines the principles, responsibilities, and procedures that govern the management of information security within our organization, specifically addressing the requirements of the Act.

The policy applies to all employees, contractors, suppliers, and other parties working on behalf of our organisation. It encompasses all information assets, systems, processes, and activities related to AI systems development and provision, including but not limited to algorithm development, data processing, model training, and deployment.

2. Reference Documents

The following documents support this Policy and should be read in conjunction with it:

  • Statement of Applicability,
  • ISMS Scope,
  • Privacy Policy,
  • General Data Protection Policy,
  • Information Security Policy,
  • Incident Management Procedure,
  • Supplier Security Policy,
  • Secure Development Policy,
  • Data Classification Policy,
  • Artificial Intelligence Risk Assessment Procedure, and
  • Artificial Intelligence Register.

3. AI Act Introduction

The Act is a European Union regulation on artificial intelligence. Proposed by the European Commission on 21 April 2021 and passed on 13 March 2024, it aims to establish a common regulatory and legal framework for AI.

Its scope encompasses all types of AI in a broad range of sectors (exceptions include AI systems used solely for military, national security, research, and non-professional purposes). As a piece of product regulation, it would not confer rights on individuals, but does regulate the providers of AI systems, and entities using AI in a professional context.

3.1 AI Governance

The Blue Sky Creations Group maintains an Artificial Intelligence Governance Framework to ensure AI systems are implemented, operated, monitored, and reviewed in a lawful, secure, ethical, and transparent manner.

The AI Governance Framework shall include:

  • Artificial Intelligence Register,
  • Artificial Intelligence Risk Assessments,
  • Human Oversight Controls,
  • Supplier Assessments,
  • Incident Management Processes,
  • Annual Reviews, and
  • Management Oversight.

All Artificial Intelligence systems used internally or provided to customers must be assigned an accountable owner responsible for ensuring compliance with this Policy and applicable legal, contractual, and regulatory requirements.

The Act was revised following the rise in popularity of generative AI systems such as ChatGPT, whose general-purpose capabilities present different stakes and did not fit the defined framework. More restrictive regulations are planned for powerful generative AI systems with systemic impact.

The Act aims to classify and regulate AI applications based on their risk to cause harm.

4. Act Classifications

Classification includes four categories as follows.

  1. Unacceptable Risks - AI applications deemed to represent unacceptable risks are
  2. High-Risk - AI applications must comply with security, transparency and quality obligations and undergo conformity assessments.
  3. Limited-Risk - AI applications only have transparency
  4. Minimal risk - AI applications are not

For general-purpose AI, transparency requirements are imposed, with additional and thorough evaluations when representing particularly high risks.

The Act further proposes the introduction of a European Artificial Intelligence Board to promote national cooperation and ensure compliance with the regulation.

5. Risk Categories

There are different risk categories depending on the type of application, and one specifically dedicated to general-purpose generative AI.

AI Act Risk Categories
  • Unacceptable risk: AI applications that fall under this category are This includes AI applications that manipulate human behaviour, those that use real-time remote biometric identification (including facial recognition) in public spaces, and those used for social scoring (ranking people based on their personal characteristics, socio-economic status, or behaviour).
  • High-risk: AI applications that pose significant threats to health, safety, or the fundamental rights of persons. Notably, AI systems used in health, education, recruitment, critical infrastructure management, law enforcement, or justice. They are subject to quality, transparency, human oversight, and safety obligations, and in some cases a Fundamental Rights Impact Assessment is required. They must be evaluated before they are placed on the market, as well as during their life cycle. The list of high-risk applications can be expanded without requiring modifying the Act itself.
  • General-purpose AI (GPAI): This category was added in 2023 and includes in particular foundation models like ChatGPT. They are subject to transparency requirements. High-impact general-purpose AI systems which could pose systemic risks (notably those trained using a computation capability of more than 102FLOPS) must also undergo a thorough evaluation process.
  • Limited risk: These systems are subject to transparency obligations aimed at informing users that they are interacting with an artificial intelligence system and allowing them to exercise their choices. This category includes, for example, AI applications that make it possible to generate or manipulate images, sound, or videos (like deepfakes). In this category, free and open-source models whose parameters are publicly available are not regulated, with some
  • Minimal risk: This includes for example AI systems used for video games or spam. Most AI applications are expected to be in this category. They are not regulated, and Member States are prevented from further regulating them via maximum harmonization. Existing national laws related to the design or use of such systems are disapplied. However, a voluntary code of conduct is suggested.

6. Information Security Objectives

This Policy ensures our organisation achieves the following objectives.

  • Comply with the provisions of the Act, including but not limited to requirements related to data protection, transparency, accountability, and ethical use of AI systems.
  • Protect the confidentiality, integrity, and availability of information assets, including AI algorithms, datasets, and proprietary information, in accordance with the principles and requirements of the
  • Minimize the risk of unauthorized access, disclosure, alteration, or destruction of information assets, particularly those containing sensitive or personal data used in AI systems.
  • Implement appropriate technical and organizational measures to mitigate the risks associated with AI systems development and provision, including measures to address bias, fairness, interpretability, and accountability.
  • Promote a culture of security awareness and accountability among employees and stakeholders involved in AI systems development and provision, emphasizing compliance with the Act and related policies and procedures.
  • Ensure Artificial Intelligence systems are developed and operated in accordance with the principles of fairness, transparency, accountability, and human oversight.
  • Maintain an inventory of Artificial Intelligence systems used within the organisation.
  • Prevent unauthorised disclosure of confidential, proprietary, or personal information through Artificial Intelligence technologies.
  • Ensure Artificial Intelligence generated outputs are reviewed and validated before being relied upon for operational, commercial, or customer-facing activities.
  • Promote responsible and ethical use of Artificial Intelligence technologies throughout the organisation.

7. Information Security Responsibilities

Our organisation manages AI information security as follows.

  • Management Commitment: Senior management is committed to ensuring that information security measures are implemented and maintained in compliance with the Act and other relevant laws, regulations, and standards.
  • Information Security Coordinator: The Information Security Coordinator is responsible for overseeing the implementation and maintenance of information security measures related to AI systems development and provision, including compliance with the Act.
  • Employees: All employees are responsible for complying with information security policies, procedures, and guidelines, particularly those related to AI systems development and provision. Employees involved in AI-related activities are expected to adhere to the ethical principles and legal requirements outlined in the Act.

8. Risk Management

Our organisation manages AI risk as follows:

  • Risk Assessment: Our organisation conducts regular risk assessments to identify, evaluate, and prioritize information security risks related to AI systems development and provision, considering the requirements of the Act.
  • Risk Treatment: Based on the results of risk assessments, appropriate controls are implemented to mitigate identified risks to an acceptable level, including controls to address legal and regulatory requirements of the Act.

8.1 Artificial Intelligence Risk Assessment

Prior to implementation, procurement, development, deployment or significant modification of an Artificial Intelligence system, a documented risk assessment shall be completed.

Risk assessments shall consider, where applicable:

  • Information Security Risks,
  • Privacy Risks,
  • Bias and Discrimination Risks,
  • Transparency and Explainability,
  • Intellectual Property Risks,
  • Regulatory Compliance Risks,
  • Data Residency Risks,
  • Customer Impact Risks,
  • Operational Risks, and
  • Business Continuity Risks.

Risk assessment outcomes shall be documented and retained in accordance with the organisation's Information Security Management System.

8.2 Artificial Intelligence Register

The organisation shall maintain an Artificial Intelligence Register containing, at a minimum:

  • System Name,
  • Business Owner,
  • Supplier or Developer,
  • Intended Purpose,
  • Risk Classification,
  • Personal Information Processed,
  • Approval Status, and
  • Review Date.

The register shall be reviewed annually and updated whenever new Artificial Intelligence systems are introduced or existing systems are materially changed.

9. Access Control

Our organisation controls access as follows:

  • Access Rights: Access to AI systems, databases, and sensitive information is granted on a need-to-know basis and is regularly reviewed and updated as necessary to ensure compliance with the Act and in line with our Access Control policy.
  • Authentication and Authorization: Strong authentication mechanisms and access controls are implemented to ensure that only authorized individuals can access and modify information assets, particularly those containing sensitive or personal data used in AI systems.

9.1 Acceptable Use of Artificial Intelligence

Employees, contractors, and authorised users must use Artificial Intelligence technologies responsibly and in accordance with legal, regulatory, contractual, and ethical obligations.

Users must not:

  • Upload confidential customer information into publicly accessible Artificial Intelligence platforms unless specifically authorised.
  • Upload personal information into Artificial Intelligence platforms unless legally permitted and approved.
  • Upload source code, proprietary algorithms, or intellectual property into publicly available Artificial Intelligence systems without approval.
  • Circumvent security controls associated with Artificial Intelligence systems.
  • Present Artificial Intelligence generated outputs as verified facts without appropriate validation.

Users must:

  • Verify the accuracy of Artificial Intelligence generated outputs before use.
  • Apply professional judgement when using Artificial Intelligence technologies.
  • Escalate concerns relating to inaccurate, biased, harmful, or inappropriate outputs.
  • Comply with all relevant information security and privacy requirements.

9.2 Human Oversight

  • Appropriate human oversight shall be maintained over Artificial Intelligence systems and outputs.
  • No significant decision affecting an individual's rights, employment, financial position, opportunities, or access to services shall be made solely by an Artificial Intelligence system.
  • Human review and approval shall be applied to Artificial Intelligence generated outputs used within:
    • Recruitment Activities
    • Workforce Management
    • Payroll Processing
    • Scheduling Activities
    • Optimisation Activities
    • Customer Reporting
    • Business Decision Making

10. Security Awareness and Training

Our organisation undertakes the following:

  • Security Awareness: We provide ongoing security awareness training to employees, contractors, and other relevant parties involved in AI systems development and provision to promote understanding of information security risks, ethical principles, and legal requirements outlined in the Act.
  • Incident Response: Employees are trained to recognize and report security incidents promptly, including those related to potential violations of the AI Act, to facilitate timely response and

10.1 Artificial Intelligence Incident Management

Artificial Intelligence related incidents shall be managed through the organisation's Incident Management Process.

Examples of Artificial Intelligence incidents include:

  • Data Leakage,
  • Hallucinations resulting in business impact,
  • Bias or Discriminatory Outcomes,
  • Prompt Injection Attacks,
  • Model Manipulation,
  • Unauthorised Access,
  • Security Vulnerabilities, and
  • Regulatory Non-Compliance.

All incidents shall be investigated, documented and subject to corrective action where appropriate.

11. Compliance

Our commercial and compliance team undertakes the following:

  • Legal and Regulatory Compliance: We comply with the provisions of the Act, including requirements related to data protection, transparency, accountability, and ethical use of AI systems, as well as other relevant laws, regulations, and standards.
  • Contractual Obligations: We ensure that contracts with clients, suppliers, and other relevant parties include appropriate information security requirements and provisions, particularly those related to AI systems development and provision and compliance with the Act.

11.1 Third Party Artificial Intelligence Providers

Prior to adoption or use of third-party Artificial Intelligence services, an assessment shall be undertaken to determine whether the provider satisfies the organisation's security, privacy, and compliance requirements.

Assessments should consider:

  • Information Security Controls,
  • Privacy Controls,
  • Data Residency Arrangements,
  • Supplier Stability,
  • Intellectual Property Provisions,
  • Contractual Protections,
  • Regulatory Compliance, and
  • Incident Management Capabilities.

The results of supplier assessments shall be documented and retained.

11.2 Cross Border Data Transfers

Where Artificial Intelligence systems process, store or transfer personal information outside Australia, New Zealand, the European Union or the United Kingdom, appropriate safeguards shall be implemented.

Cross-border transfers must comply with:

  • Australian Privacy Principle 8,
  • New Zealand Privacy Act 2020,
  • European Union General Data Protection Regulation (EU GDPR),
  • United Kingdom General Data Protection Regulation (UK GDPR),
  • Applicable contractual obligations.

The organisation shall assess the legal and regulatory implications of cross-border processing prior to implementation.

11.3 Intellectual Property Protection

The organisation shall take reasonable measures to protect intellectual property used within or generated through Artificial Intelligence systems.

Employees and contractors must not disclose the following to external Artificial Intelligence services unless expressly authorised:

  • Source Code,
  • Proprietary Algorithms,
  • System Architecture,
  • Trade Secrets,
  • Customer Confidential Information, and
  • Proprietary Business Information.

Artificial Intelligence generated outputs shall be reviewed for potential copyright, licensing, and intellectual property implications before use.

12. Monitoring and Review

Our organisation undertakes the following:

  • Performance Monitoring: We regularly monitor the effectiveness of information security controls, processes, and practices related to AI systems development and provision through audits, reviews, and performance measurements, with specific attention to compliance with the Act.
  • Management Review: Senior management conducts periodic reviews of the Information Security Management System (ISMS) to assess its continued suitability, adequacy, and effectiveness, including compliance with the AI Act, and to identify opportunities for improvement.

12.1 Records Management

The organisation shall maintain records demonstrating compliance with this Policy and applicable Artificial Intelligence governance requirements.

Records may include:

  • Artificial Intelligence Risk Assessments,
  • Artificial Intelligence Register Entries,
  • Incident Reports,
  • Supplier Assessments,
  • Audit Records,
  • Training Records, and
  • Management Review Records.

Records shall be retained and protected in accordance with the Information Security Management System and applicable legal requirements.

13. Continual Improvement

Our organisation is committed to continually improving its information security management processes, controls, and practices related to AI systems development and provision, with a focus on enhancing compliance with the Act and addressing emerging threats and vulnerabilities.

14. Document Control

This Policy is maintained, reviewed, and updated as necessary to ensure its continued relevance and effectiveness, particularly in relation to compliance with the Act and other legal and regulatory requirements.

15. Policy Compliance

Failure to comply with this Policy, including its specific provisions related to compliance with the Act, may result in disciplinary action, up to and including termination of employment or contractual relationship, as well as legal consequences in cases of serious non-compliance.

16. Validity and Document Management

This document is valid as of June 6, 2026.

The owners of this document are the Chief Operations Officer and Head of Development, who are jointly responsible for reviewing this Policy at least annually and following any significant changes to legal, regulatory, contractual or business requirements relating to Artificial Intelligence governance.

Any questions? Please get in touch.