2.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Scope of Application<\/h1>\n
This Policy applies to all Group companies, business units, and employees involved in the development, deployment, and management of AI systems. It also includes external vendors.<\/p>\n
The scope covers, where applicable:<\/p>\n
- \n
- Generative AI tools (e.g., ChatGPT, Copilot, Claude, Gemini, etc.).<\/li>\n
- Internal Machine Learning (ML) models.<\/li>\n
- Software as a Service (SaaS) solutions with AI capabilities.<\/li>\n
- AI-driven automations.<\/li>\n
- Software integrations that process corporate data through AI.<\/li>\n
- In-house development of AI systems.<\/li>\n<\/ul>\n
It is mandatory to use only AI tools authorized and provided by the company, avoiding open source<\/em> or otherwise unapproved, to prevent serious security risks and data leakage<\/em>.<\/p>\n
3.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Governance and Responsibilities<\/h1>\n
The implementation of the AI Security Governance Framework requires the assignment of formalized roles and responsibilities:<\/p>\n
\n\n
\n Role<\/em><\/td>\n Responsibilities<\/em><\/td>\n<\/tr>\n<\/thead>\n\n \n ICT \/ Security Management<\/td>\n Oversight of the AI Security Framework.<\/td>\n<\/tr>\n \n DPO<\/td>\n Ensuring compliance with privacy regulations and GDPR.<\/td>\n<\/tr>\n \n Compliance \/ Risk<\/td>\n Regulatory risk assessment.<\/td>\n<\/tr>\n \n Process Owners<\/td>\n Formal approval of AI use cases.<\/td>\n<\/tr>\n \n Users \/ Employees<\/td>\n Compliant use and reporting of anomalies.<\/td>\n<\/tr>\n \n AI Vendors<\/td>\n Compliance with contractual requirements and security\/GDPR standards.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n
4.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Principles for the Use of AI<\/h1>\n
The use of any AI system must adhere to the following principles:<\/p>\n
- \n
- Ethical and Responsible Use:<\/strong> Promoting use that respects human rights and corporate values, preventing bias and discrimination.<\/li>\n
- Human Oversight (Human-in-the-Loop<\/em>):<\/strong> AI must act as a support for human decisions. Mandatory human validation is required for all output<\/em> generated by AI before they are used in critical decisions or in contexts involving third parties (e.g., clients).<\/li>\n
- Transparency and Explainability (XAI):<\/strong> Ensure maximum transparency regarding the use of AI systems and, where required by the level of criticality, the understandability of the decision-making process (Explainable AI<\/em>), especially in high-risk areas. If Generative AI produces content (visual, audio, video), it must be clearly indicated that it has been artificially generated or modified.<\/li>\n
- Data Minimization and Data Protection:<\/strong> Process only the necessary data and classify usable data. It is strictly prohibited to input into unauthorized AI systems:\n
- \n
- Special categories of personal data (sensitive data).<\/li>\n
- Classified information or trade secrets.<\/li>\n
- Passwords or access credentials.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
5.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Security Controls and Mandatory Architectures<\/h1>\n
For security management, the following controls are required:<\/p>\n
- \n
- Access Control (ACL Sync<\/em>):<\/strong> Access to AI systems must be granted only to authorized users and managed through dedicated corporate accounts, with Multi-Factor Authentication (MFA) where available. Specifically, for systems accessing document repositories, a granular permission synchronization must be implemented (Identity-Aware RAG<\/em>) so that the AI cannot access data that the user is not authorized to view at the source.<\/li>\n
- Leak Monitoring (AI Gateway<\/em>):<\/strong> For AI tools that process corporate data, the adoption of an AI Gateway is mandatory to act as proxy<\/em> between the user and the model. The Gateway must perform:\n
- \n
- Prompt Filtering<\/em><\/strong>: Preventive blocking of confidential data in input<\/em> (Pre-processing).<\/li>\n
- Output Inspection<\/em><\/strong>: Response analysis to intercept and block accidental sensitive data before it reaches the user (Post-processing).<\/li>\n<\/ul>\n<\/li>\n
- Agentic AI Management:<\/strong> Autonomous AI systems capable of controlling user interfaces (UI) or accessing the operating system must be subjected to:\n
- \n
- Isolated Environments (Sandboxed OS<\/em>):<\/strong> The agent must operate within a virtual machine o container<\/em> isolated environment with limited privileges.<\/li>\n
- Approval Gates:<\/strong> Requirement for explicit approval for each critical action (e.g., sending emails, system modifications).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
6.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AI Risk Management<\/h1>\n
A structured process for AI risk management is required:<\/p>\n
- \n
- Risk Classification:<\/strong> Categorization of each use case into low, medium, or high risk.<\/li>\n
- Preventive Assessment:<\/strong> Prior to adoption, an impact assessment is required covering security, privacy (DPIA for high-risk processing), reputational risk, and bias<\/em> and operational impact.<\/li>\n
- Approval:<\/strong> High-risk use cases must obtain formal approval from ICT\/Security, the DPO, and Compliance.<\/li>\n<\/ul>\n
7.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AI Lifecycle<\/h1>\n
Security controls must be applied throughout the entire AI system lifecycle:<\/p>\n
\n\n
\n Phase<\/em><\/td>\n Security Controls<\/em><\/td>\n<\/tr>\n<\/thead>\n\n \n Vendor Selection<\/td>\n Due Diligence, Vendor Assessment (GDPR compliance verification, data localization, certifications).<\/td>\n<\/tr>\n \n Development<\/td>\n Secure coding<\/em>, code<\/em> review, control of the training<\/em> dataset.<\/td>\n<\/tr>\n \n Testing<\/td>\n Output validation, security testing, Red Teaming, Prompt injection tests.<\/td>\n<\/tr>\n \n Deployment<\/td>\n Formal approval and responsible release, with clear indications of system limitations provided to users.<\/td>\n<\/tr>\n \n Exercise<\/td>\n Continuous performance monitoring and vulnerability management.<\/td>\n<\/tr>\n \n Review<\/td>\n Periodic audits.<\/td>\n<\/tr>\n \n Decommissioning<\/td>\n Secure data deletion.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n <\/p>\n
8.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Regulatory Compliance<\/h1>\n
The Policy aligns with applicable regulatory requirements, including, but not limited to:<\/p>\n
- \n
- Regulation UE 2016\/679 (GDPR).<\/li>\n
- Regulation UE 2024\/1689 (EU AI Act).<\/li>\n
- NIS 2 Directive<\/li>\n
- ISO\/IEC 27001 (Information Security) and ISO\/IEC 42001 (Artificial Intelligence Management System) standards.<\/li>\n<\/ul>\n
9.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Training and Awareness<\/h1>\n
The human factor is a critical element of security. For this reason, a mandatory training and awareness program is established:<\/p>\n
- \n
- Training on AI risks and security principles.<\/li>\n
- Specific guidelines for secure and responsible prompt usage.<\/li>\n
- Awareness of the risks of data leakage<\/em> and on the importance of incident reporting.<\/li>\n<\/ul>\n
10.\u00a0\u00a0 Monitoring and Audit<\/h1>\n
Compliance with this Policy is subject to continuous monitoring and periodic review:<\/p>\n
- \n
- Riesame Annuale:<\/strong> The Policy and Framework must be reviewed and updated at least annually.<\/li>\n
- Audit<\/strong>: Internal and, where necessary, external audits will be conducted to verify compliance.<\/li>\n
- Incident Management<\/strong>: An AI incident management process must be in place, along with a system for the timely reporting of anomalies by users.<\/li>\n<\/ul>\n
11.\u00a0\u00a0 Enforcement and Sanctions<\/h1>\n
Compliance with this Policy is mandatory. As outlined in the previous section, the company conducts periodic reviews and audits to verify compliance with this Policy. Any violation of the rules on the responsible use of Artificial Intelligence exposes the company to severe legal, reputational, and security risks. Consequently, any conduct contrary to the provisions herein will be treated as a breach of corporate cybersecurity procedures and sanctioned in accordance with internal disciplinary regulations and applicable laws.<\/p>\n
<\/p>\n
___________________________________________________________________________________________<\/p>\n
Document Type: Annex to the AIMS<\/p>\n
Issued by: Innovaway S.p.A. \u2013 IMS Area<\/p>\n
Code: ALL_26 - Corporate Policy for AI Security and Responsible Use<\/p>\n
Ed. 1. Rev. 00<\/p>\n
<\/p>\n
Naples, January 29, 2026<\/p>\n
General Manager<\/p>\n
Antonio Burinato<\/p>\n
![\"\"](\"https:\/\/innovaway.it\/wp-content\/uploads\/2026\/05\/Senza-titolo.png\")
<\/p>","protected":false},"excerpt":{"rendered":"1.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Obiettivo La presente Policy definisce le modalit\u00e0 di utilizzo […]<\/p>\n","protected":false},"author":3,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"class_list":["post-6807","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"\n
Policy Aziendale per la Sicurezza e l'Utilizzo Responsabile dell'Intelligenza Artificiale - Innovaway<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/innovaway.it\/en\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Policy Aziendale per la Sicurezza e l'Utilizzo Responsabile dell'Intelligenza Artificiale\" \/>\n<meta property=\"og:description\" content=\"1.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Obiettivo La presente Policy definisce le modalit\u00e0 di utilizzo […]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/innovaway.it\/en\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\/\" \/>\n<meta property=\"og:site_name\" content=\"Innovaway\" \/>\n<meta property=\"article:modified_time\" content=\"2026-05-28T14:42:43+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/innovaway.it\/wp-content\/uploads\/2026\/05\/Senza-titolo.png\" \/>\n\t<meta property=\"og:image:width\" content=\"265\" \/>\n\t<meta property=\"og:image:height\" content=\"55\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/innovaway.it\\\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\\\/\",\"url\":\"https:\\\/\\\/innovaway.it\\\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\\\/\",\"name\":\"Policy Aziendale per la Sicurezza e l'Utilizzo Responsabile dell'Intelligenza Artificiale - Innovaway\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/innovaway.it\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/innovaway.it\\\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/innovaway.it\\\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/innovaway.it\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Senza-titolo.png\",\"datePublished\":\"2026-05-28T08:01:30+00:00\",\"dateModified\":\"2026-05-28T14:42:43+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/innovaway.it\\\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/innovaway.it\\\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/innovaway.it\\\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\\\/#primaryimage\",\"url\":\"https:\\\/\\\/innovaway.it\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Senza-titolo.png\",\"contentUrl\":\"https:\\\/\\\/innovaway.it\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/Senza-titolo.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/innovaway.it\\\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/innovaway.it\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Policy Aziendale per la Sicurezza e l'Utilizzo Responsabile dell'Intelligenza Artificiale\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/innovaway.it\\\/#website\",\"url\":\"https:\\\/\\\/innovaway.it\\\/\",\"name\":\"Innovaway\",\"description\":\"Always By Your Side per supportare la tua trasformazione digitale\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/innovaway.it\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"Policy Aziendale per la Sicurezza e l'Utilizzo Responsabile dell'Intelligenza Artificiale - Innovaway","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/innovaway.it\/en\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\/","og_locale":"en_GB","og_type":"article","og_title":"Policy Aziendale per la Sicurezza e l'Utilizzo Responsabile dell'Intelligenza Artificiale","og_description":"1.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Obiettivo La presente Policy definisce le modalit\u00e0 di utilizzo […]","og_url":"https:\/\/innovaway.it\/en\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\/","og_site_name":"Innovaway","article_modified_time":"2026-05-28T14:42:43+00:00","og_image":[{"width":265,"height":55,"url":"https:\/\/innovaway.it\/wp-content\/uploads\/2026\/05\/Senza-titolo.png","type":"image\/png"}],"twitter_card":"summary_large_image","twitter_misc":{"Estimated reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/innovaway.it\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\/","url":"https:\/\/innovaway.it\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\/","name":"Policy Aziendale per la Sicurezza e l'Utilizzo Responsabile dell'Intelligenza Artificiale - Innovaway","isPartOf":{"@id":"https:\/\/innovaway.it\/#website"},"primaryImageOfPage":{"@id":"https:\/\/innovaway.it\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\/#primaryimage"},"image":{"@id":"https:\/\/innovaway.it\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\/#primaryimage"},"thumbnailUrl":"https:\/\/innovaway.it\/wp-content\/uploads\/2026\/05\/Senza-titolo.png","datePublished":"2026-05-28T08:01:30+00:00","dateModified":"2026-05-28T14:42:43+00:00","breadcrumb":{"@id":"https:\/\/innovaway.it\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/innovaway.it\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/innovaway.it\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\/#primaryimage","url":"https:\/\/innovaway.it\/wp-content\/uploads\/2026\/05\/Senza-titolo.png","contentUrl":"https:\/\/innovaway.it\/wp-content\/uploads\/2026\/05\/Senza-titolo.png"},{"@type":"BreadcrumbList","@id":"https:\/\/innovaway.it\/policy-aziendale-per-la-sicurezza-e-lutilizzo-responsabile-dellintelligenza-artificiale\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/innovaway.it\/"},{"@type":"ListItem","position":2,"name":"Policy Aziendale per la Sicurezza e l'Utilizzo Responsabile dell'Intelligenza Artificiale"}]},{"@type":"WebSite","@id":"https:\/\/innovaway.it\/#website","url":"https:\/\/innovaway.it\/","name":"Innovaway","description":"Always By Your Side to Support Your Digital Transformation","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/innovaway.it\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"}]}},"_links":{"self":[{"href":"https:\/\/innovaway.it\/en\/wp-json\/wp\/v2\/pages\/6807","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/innovaway.it\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/innovaway.it\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/innovaway.it\/en\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/innovaway.it\/en\/wp-json\/wp\/v2\/comments?post=6807"}],"version-history":[{"count":7,"href":"https:\/\/innovaway.it\/en\/wp-json\/wp\/v2\/pages\/6807\/revisions"}],"predecessor-version":[{"id":6818,"href":"https:\/\/innovaway.it\/en\/wp-json\/wp\/v2\/pages\/6807\/revisions\/6818"}],"wp:attachment":[{"href":"https:\/\/innovaway.it\/en\/wp-json\/wp\/v2\/media?parent=6807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}} - Audit<\/strong>: Internal and, where necessary, external audits will be conducted to verify compliance.<\/li>\n
- Riesame Annuale:<\/strong> The Policy and Framework must be reviewed and updated at least annually.<\/li>\n
- Preventive Assessment:<\/strong> Prior to adoption, an impact assessment is required covering security, privacy (DPIA for high-risk processing), reputational risk, and bias<\/em> and operational impact.<\/li>\n
- Approval Gates:<\/strong> Requirement for explicit approval for each critical action (e.g., sending emails, system modifications).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n
- Output Inspection<\/em><\/strong>: Response analysis to intercept and block accidental sensitive data before it reaches the user (Post-processing).<\/li>\n<\/ul>\n<\/li>\n
- Leak Monitoring (AI Gateway<\/em>):<\/strong> For AI tools that process corporate data, the adoption of an AI Gateway is mandatory to act as proxy<\/em> between the user and the model. The Gateway must perform:\n
- Access Control (ACL Sync<\/em>):<\/strong> Access to AI systems must be granted only to authorized users and managed through dedicated corporate accounts, with Multi-Factor Authentication (MFA) where available. Specifically, for systems accessing document repositories, a granular permission synchronization must be implemented (Identity-Aware RAG<\/em>) so that the AI cannot access data that the user is not authorized to view at the source.<\/li>\n
- Human Oversight (Human-in-the-Loop<\/em>):<\/strong> AI must act as a support for human decisions. Mandatory human validation is required for all output<\/em> generated by AI before they are used in critical decisions or in contexts involving third parties (e.g., clients).<\/li>\n
- Ethical and Responsible Use:<\/strong> Promoting use that respects human rights and corporate values, preventing bias and discrimination.<\/li>\n