Corporate Policy for the Safe and Responsible Use of Artificial Intelligence

1. Purpose

This Policy defines the procedures for the safe, compliant, and responsible use of Artificial Intelligence (AI) technologies within the organization, with the aim of establishing a structured AI Security Governance Framework.

The Policy ensures:

  • Data protection.
  • Regulatory compliance (e.g., GDPR and AI Act).
  • AI risk management.
  • Access control.
  • Continuous human oversight of outputs.
  • Traceability and logging of decisions.
  • Continuous monitoring of AI systems.

2. Scope of Application

This Policy applies to all Group companies, business units, and employees involved in the development, deployment, and management of AI systems. It also includes external vendors.

The scope covers, where applicable:

  • Generative AI tools (e.g., ChatGPT, Copilot, Claude, Gemini, etc.).
  • Internal Machine Learning (ML) models.
  • Software as a Service (SaaS) solutions with AI capabilities.
  • AI-driven automations.
  • Software integrations that process corporate data through AI.
  • In-house development of AI systems.

It is mandatory to use only AI tools authorized and provided by the company, avoiding open-source or otherwise unapproved tools, in order to prevent serious security risks and data leakage.

3. Governance and Responsibilities

The implementation of the AI Security Governance Framework requires the assignment of formalized roles and responsibilities:

Role: Responsibilities
ICT / Security Management: Oversight of the AI Security Framework.
DPO: Ensuring compliance with privacy regulations and GDPR.
Compliance / Risk: Regulatory risk assessment.
Process Owners: Formal approval of AI use cases.
Users / Employees: Compliant use and reporting of anomalies.
AI Vendors: Compliance with contractual requirements and security/GDPR standards.


4. Principles for the Use of AI

The use of any AI system must adhere to the following principles:

  • Ethical and Responsible Use: Promoting use that respects human rights and corporate values, preventing bias and discrimination.
  • Human Oversight (Human-in-the-Loop): AI must act as a support for human decisions. Mandatory human validation is required for all output generated by AI before it is used in critical decisions or in contexts involving third parties (e.g., clients).
  • Transparency and Explainability (XAI): Ensure maximum transparency regarding the use of AI systems and, where required by the level of criticality, the understandability of the decision-making process (Explainable AI), especially in high-risk areas. If Generative AI produces content (visual, audio, video), it must be clearly indicated that it has been artificially generated or modified.
  • Data Minimization and Data Protection: Process only the necessary data and classify usable data. It is strictly prohibited to input into unauthorized AI systems:
    • Special categories of personal data (sensitive data).
    • Classified information or trade secrets.
    • Passwords or access credentials.

5. Security Controls and Mandatory Architectures

For security management, the following controls are required:

  • Access Control (ACL Sync): Access to AI systems must be granted only to authorized users and managed through dedicated corporate accounts, with Multi-Factor Authentication (MFA) where available. Specifically, for systems accessing document repositories, a granular permission synchronization must be implemented (Identity-Aware RAG) so that the AI cannot access data that the user is not authorized to view at the source.
  • Leak Monitoring (AI Gateway): For AI tools that process corporate data, the adoption of an AI Gateway is mandatory to act as proxy between the user and the model. The Gateway must perform:
    • Prompt Filtering: Preventive blocking of confidential data in input (Pre-processing).
    • Output Inspection: Response analysis to intercept and block accidental sensitive data before it reaches the user (Post-processing).
  • Agentic AI Management: Autonomous AI systems capable of controlling user interfaces (UI) or accessing the operating system must be subjected to:
    • Isolated Environments (Sandboxed OS): The agent must operate within an isolated virtual machine or container environment with limited privileges.
    • Approval Gates: Requirement for explicit approval for each critical action (e.g., sending emails, system modifications).
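The following is an added illustration, not part of the Policy or of any Innovaway system, of how the three controls above (Identity-Aware RAG, Prompt Filtering and Output Inspection) fit together in a minimal AI Gateway. Document names, ACL groups, the detection patterns and the stand-in model are all constructed for the example.

```python
import re

# Constructed sample corpus: each document carries the ACL of its source repository.
# The "all" group stands for "every employee" (assumption made for the example).
DOCS = {
    "hr-salaries.txt": {"acl": {"hr"}, "text": "Salary table 2026, see DB password: Pa55w0rd!"},
    "handbook.txt": {"acl": {"all"}, "text": "Office hours are 9 to 18."},
}

# Illustrative secret patterns for pre- and post-processing (not an exhaustive set).
SECRET_PATTERNS = [
    re.compile(r"(?i)\b(password|passwd|api[_-]?key|secret)\b\s*[:=]\s*\S+"),
    re.compile(r"\b\d{16}\b"),            # card-like 16-digit numbers
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # AWS access key id format
]
SENSITIVE_MARKERS = re.compile(r"(?i)\b(confidential|trade secret|classified)\b")

def prompt_filter(prompt: str) -> tuple[bool, str]:
    """Pre-processing: reject prompts carrying credentials or classified markers."""
    for pat in SECRET_PATTERNS:
        if pat.search(prompt):
            return False, "blocked: credential or secret detected in prompt"
    if SENSITIVE_MARKERS.search(prompt):
        return False, "blocked: classified content marker in prompt"
    return True, "ok"

def retrieve(user_groups: set[str], query: str) -> list[str]:
    """Identity-aware RAG: return only documents the user may read at the source."""
    effective = user_groups | {"all"}
    return [name for name, d in DOCS.items()
            if d["acl"] & effective
            and any(w.lower() in d["text"].lower() for w in query.split())]

def output_inspect(answer: str) -> str:
    """Post-processing: redact secrets that slipped into the model response."""
    for pat in SECRET_PATTERNS:
        answer = pat.sub("[REDACTED]", answer)
    return answer

def fake_model(context: list[str], prompt: str) -> str:
    # Stand-in for the LLM (assumption): it simply echoes the retrieved context.
    return " ".join(DOCS[n]["text"] for n in context) or "No relevant documents."

def gateway(user_groups: set[str], prompt: str) -> dict:
    """AI Gateway pipeline: filter the prompt, retrieve under ACL, inspect the output."""
    allowed, reason = prompt_filter(prompt)
    if not allowed:
        return {"status": "blocked", "reason": reason, "sources": [], "answer": None}
    ctx = retrieve(user_groups, prompt)
    return {"status": "ok", "sources": ctx, "answer": output_inspect(fake_model(ctx, prompt))}
```

Note that the HR user's answer is still redacted even though they may read the source document: output inspection guards the channel, not the user's entitlement.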

6. AI Risk Management

A structured process for AI risk management is required:

  • Risk Classification: Categorization of each use case into low, medium, or high risk.
  • Preventive Assessment: Prior to adoption, an impact assessment is required covering security, privacy (DPIA for high-risk processing), reputational risk, and bias and operational impact.
  • Approval: High-risk use cases must obtain formal approval from ICT/Security, the DPO, and Compliance.

7. AI Lifecycle

Security controls must be applied throughout the entire AI system lifecycle:

Phase: Security Controls
Vendor Selection: Due diligence, vendor assessment (GDPR compliance verification, data localization, certifications).
Development: Secure coding, code review, control of the training dataset.
Testing: Output validation, security testing, red teaming, prompt injection tests.
Deployment: Formal approval and responsible release, with clear indications of system limitations provided to users.
Operation: Continuous performance monitoring and vulnerability management.
Review: Periodic audits.
Decommissioning: Secure data deletion.


8. Regulatory Compliance

The Policy aligns with applicable regulatory requirements, including, but not limited to:

  • Regulation (EU) 2016/679 (GDPR).
  • Regulation (EU) 2024/1689 (EU AI Act).
  • NIS 2 Directive.
  • ISO/IEC 27001 (Information Security) and ISO/IEC 42001 (Artificial Intelligence Management System) standards.

9. Training and Awareness

The human factor is a critical element of security. For this reason, a mandatory training and awareness program is established:

  • Training on AI risks and security principles.
  • Specific guidelines for secure and responsible prompt usage.
  • Awareness of the risks of data leakage and of the importance of incident reporting.

10. Monitoring and Audit

Compliance with this Policy is subject to continuous monitoring and periodic review:

  • Annual Review: The Policy and Framework must be reviewed and updated at least annually.
  • Audit: Internal and, where necessary, external audits will be conducted to verify compliance.
  • Incident Management: An AI incident management process must be in place, along with a system for the timely reporting of anomalies by users.

11. Enforcement and Sanctions

Compliance with this Policy is mandatory. As outlined in the previous section, the company conducts periodic reviews and audits to verify compliance with this Policy. Any violation of the rules on the responsible use of Artificial Intelligence exposes the company to severe legal, reputational, and security risks. Consequently, any conduct contrary to the provisions herein will be treated as a breach of corporate cybersecurity procedures and sanctioned in accordance with internal disciplinary regulations and applicable laws.


___________________________________________________________________________________________

Document Type: Annex to the AIMS

Issued by: Innovaway S.p.A. – IMS Area

Code: ALL_26 - Corporate Policy for AI Security and Responsible Use

Ed. 1. Rev. 00


Naples, January 29, 2026

General Manager

Antonio Burinato
