Skip to main content

AI Policy

1. Purpose

Defines how Sensei teams may use AI tools to develop Sensei IQ while safeguarding client data, IP, and security.

2. Scope

Applies to all Sensei staff and contractors working on Sensei IQ and related assets. Covers all AI tools used, including GitHub Copilot, Claude, and Microsoft Copilot. Client-specific AI use must follow both this policy and the client’s policy.

3. Approved AI Tools

  • GitHub Copilot: IDE code suggestions, PR reviews, and test generation within Sensei repositories.
  • Microsoft Copilot for Microsoft 365: Summarizing and drafting content in Sensei’s or client tenants (for use in a client tenant, the Sensei Engagement Lead account must be licensed and usage must adhere to client policies).
  • Claude: Ideation and problem-solving, with strict data rules.
  • Additional tools require approval from leadership.

4. Principles

  • Human accountability for AI use and output.
  • AI provides input, not authority.
  • Security and privacy take priority.
  • Transparency around AI involvement is required.

5. Permitted Use

Allowed uses (with data handling rules):

  • Generate or refactor code, tests, and deployment scripts.
  • Draft specifications, design documents, communications, and meeting summaries.
  • Suggest solution options and test cases.
  • Any artifact generated through an AI agent must be reviewed and accepted by a human before merging, sharing, or publishing.

6. Prohibited Use

Not allowed:

  • Entering secrets or identifiable client information into public AI tools.
  • Uploading client content outside Sensei or client tenants.
  • Merging unreviewed AI code or bypassing controls.
  • License or IP violations, or replicating competitors’ features.
  • When unsure, consult leadership.

7. Data Handling Rules

  • Prefer Microsoft-hosted copilots for internal and client work.
  • For public AI tools, only use anonymized or synthetic data, avoid sensitive architecture details.
  • Use GitHub Copilot only in Sensei enterprise environments and do not include sensitive values in prompts for suggestions.

8. Code and Content Review

  • AI-generated deliverables must meet or exceed current review standards.
  • Code: Subject to static analysis, human review, and security checks.
  • Docs/Comms: Checked by a human for accuracy, tone, confidentiality, and compliance, key facts must be verified.

9. Logging and Transparency

  • Disclose AI use in pull requests and major deliverables.
  • Encourage sharing effective prompts internally.

10. Incidents and Reporting

Handle AI-related incidents per existing response processes: contain, notify leadership, document, and remediate as needed.

11. In-Product AI (Connected Intelligence)

Sections 1–10 govern how Sensei builds Sensei IQ using AI tools. This section governs AI within the product — the optional Connected Intelligence advisors that clients may enable.

  • Connected Intelligence is opt-in and off by default; each advisor is enabled per environment by the client's administrator.
  • When invoked, an advisor sends only a defined, scoped set of fields — held in a client-reviewable configuration setting — to a Sensei-managed Azure Function and a commercial AI provider's API (currently Anthropic's Claude), and returns a suggestion the user accepts, edits, or rejects. The AI proposes; the human decides.
  • Client content sent for in-product AI is not used to train models (per the provider's commercial terms), is encrypted in transit, and is retained by the provider only per those terms (Anthropic deletes API inputs and outputs within 30 days by default).
  • The human-accountability, transparency, and review principles in this policy apply equally to in-product AI: advisors inform decisions, they do not make them.
  • The full, client-facing data-handling description is maintained in the Connected Intelligence Advisors FAQ.

Connected Intelligence subprocessors

Connected Intelligence is opt-in and off by default. The subprocessors below process client data only when an administrator enables an advisor and a user invokes it. Unlike AI features that are on by default, there is no opt-out deadline: if you do not enable Connected Intelligence, none of these subprocessors ever process your data.

SubprocessorPurposeLocation
Anthropic, PBCAI model provider — generates advisor responses via the Claude APIUnited States
Microsoft Azure (Sensei-managed subscription)Hosts the Connected Intelligence Function App that assembles and relays the scoped requestUnited States (Azure West US)

When the future "bring your own model" option is available, the client provides and controls the AI provider and hosting environment, and these Sensei-managed subprocessors no longer apply to that deployment.

12. Policy Review

Annual review, or as needed based on tool changes, compliance updates, or significant incidents.


References

Responsible AI and Governance

Secure Use of Copilots and AI Tools

Data Handling, Security, and Least Privilege

Code Review, SDLC, and Quality

Incident Response