AI Policy
1. Purpose
Defines how Sensei teams may use AI tools to develop Sensei IQ while safeguarding client data, IP, and security.
2. Scope
Applies to all Sensei staff and contractors working on Sensei IQ and related assets. Covers all AI tools used, including GitHub Copilot, Claude, and Microsoft Copilot. Client-specific AI use must follow both this policy and the client’s policy.
3. Approved AI Tools
- GitHub Copilot: IDE code suggestions, PR reviews, and test generation within Sensei repositories.
- Microsoft Copilot for Microsoft 365: Summarizing and drafting content in Sensei’s or client tenants (for use in a client tenant, the Sensei Engagement Lead account must be licensed and usage must adhere to client policies).
- Claude: Ideation and problem-solving, with strict data rules.
- Additional tools require approval from leadership.
4. Principles
- Human accountability for AI use and output.
- AI provides input, not authority.
- Security and privacy take priority.
- Transparency around AI involvement is required.
5. Permitted Use
Allowed uses (with data handling rules):
- Generate or refactor code, tests, and deployment scripts.
- Draft specifications, design documents, communications, and meeting summaries.
- Suggest solution options and test cases.
- Any artifact generated through an AI agent must be reviewed and accepted by a human before merging, sharing, or publishing.
6. Prohibited Use
Not allowed:
- Entering secrets or identifiable client information into public AI tools.
- Uploading client content outside Sensei or client tenants.
- Merging unreviewed AI code or bypassing controls.
- License or IP violations, or replicating competitors’ features.
- When unsure, consult leadership.
7. Data Handling Rules
- Prefer Microsoft-hosted copilots for internal and client work.
- For public AI tools, only use anonymized or synthetic data, avoid sensitive architecture details.
- Use GitHub Copilot only in Sensei enterprise environments and do not include sensitive values in prompts for suggestions.
8. Code and Content Review
- AI-generated deliverables must meet or exceed current review standards.
- Code: Subject to static analysis, human review, and security checks.
- Docs/Comms: Checked by a human for accuracy, tone, confidentiality, and compliance, key facts must be verified.
9. Logging and Transparency
- Disclose AI use in pull requests and major deliverables.
- Encourage sharing effective prompts internally.
10. Incidents and Reporting
Handle AI-related incidents per existing response processes: contain, notify leadership, document, and remediate as needed.
11. In-Product AI (Connected Intelligence)
Sections 1–10 govern how Sensei builds Sensei IQ using AI tools. This section governs AI within the product — the optional Connected Intelligence advisors that clients may enable.
- Connected Intelligence is opt-in and off by default; each advisor is enabled per environment by the client's administrator.
- When invoked, an advisor sends only a defined, scoped set of fields — held in a client-reviewable configuration setting — to a Sensei-managed Azure Function and a commercial AI provider's API (currently Anthropic's Claude), and returns a suggestion the user accepts, edits, or rejects. The AI proposes; the human decides.
- Client content sent for in-product AI is not used to train models (per the provider's commercial terms), is encrypted in transit, and is retained by the provider only per those terms (Anthropic deletes API inputs and outputs within 30 days by default).
- The human-accountability, transparency, and review principles in this policy apply equally to in-product AI: advisors inform decisions, they do not make them.
- The full, client-facing data-handling description is maintained in the Connected Intelligence Advisors FAQ.
Connected Intelligence subprocessors
Connected Intelligence is opt-in and off by default. The subprocessors below process client data only when an administrator enables an advisor and a user invokes it. Unlike AI features that are on by default, there is no opt-out deadline: if you do not enable Connected Intelligence, none of these subprocessors ever process your data.
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | AI model provider — generates advisor responses via the Claude API | United States |
| Microsoft Azure (Sensei-managed subscription) | Hosts the Connected Intelligence Function App that assembles and relays the scoped request | United States (Azure West US) |
When the future "bring your own model" option is available, the client provides and controls the AI provider and hosting environment, and these Sensei-managed subprocessors no longer apply to that deployment.
12. Policy Review
Annual review, or as needed based on tool changes, compliance updates, or significant incidents.
References
Responsible AI and Governance
- Microsoft Responsible AI Standard v2 – General Requirements
https://aka.ms/responsibleaistandard - Microsoft Responsible AI Principles and Approach
https://www.microsoft.com/en-us/ai/principles-and-approach - What is Responsible AI? (Azure Machine Learning)
https://learn.microsoft.com/en-us/azure/machine-learning/concept-responsible-ai - NIST AI Risk Management Framework (AI RMF)
https://www.nist.gov/itl/ai-risk-management-framework
Secure Use of Copilots and AI Tools
- Data, Privacy, and Security for Microsoft 365 Copilot
https://learn.microsoft.com/en-us/copilot/microsoft-365/microsoft-365-copilot-privacy - Data Privacy and Security for Microsoft 365 Copilot Extensibility
https://learn.microsoft.com/en-us/microsoft-365-copilot/extensibility/data-privacy-security - GitHub Copilot Security, Privacy, and Data Controls
https://learn.microsoft.com/en-us/enterprise/copilot - Power Platform Copilot Data Security and Privacy FAQ
https://learn.microsoft.com/en-us/power-platform/faqs-copilot-data-security-privacy
Data Handling, Security, and Least Privilege
- Enhance security with the principle of least privilege (Microsoft Identity Platform)
https://learn.microsoft.com/en-us/entra/identity-platform/secure-least-privileged-access - Security planning for LLM-based applications
https://learn.microsoft.com/en-us/ai/playbook/technology-guidance/generative-ai/mlops-in-openai/security/security-plan-llm-application
Code Review, SDLC, and Quality
- Microsoft Security Development Lifecycle (SDL)
https://learn.microsoft.com/en-us/security/sdl - Azure DevOps – Code quality and security scanning
https://learn.microsoft.com/en-us/azure/devops/repos/git/pull-request?view=azure-devops
Incident Response
- Azure Well-Architected – Incident Management
https://learn.microsoft.com/en-us/azure/well-architected/design-guides/incident-management - NIST 800-61 Computer Security Incident Handling Guide
https://csrc.nist.gov/pubs/sp/800/61/r2/final