Responsible AI Policy
This policy sets out how Shadow IT uses artificial intelligence (AI) — including generative AI, large language models, and AI-assisted tooling — across the content, documentation, and technical work published here and delivered to clients. It reflects a simple position: AI is a tool that can improve quality and speed, but it does not replace professional judgement, accountability, or the duty of care owed to the people who rely on this work.
Last reviewed: June 2026. This is a living document and will be updated as the technology, my practice, and relevant standards evolve.
Principles
Human oversight and accountability. A person — me — reviews and is accountable for anything AI helps produce. AI output is treated as a draft or a second opinion, never as a final answer to be published or actioned unchecked.
Accuracy and verification. AI systems can be confidently wrong. Technical claims, configuration steps, and security guidance are verified against primary sources (vendor documentation, standards, and testing) before they're relied on. Where something is uncertain, I say so.
Privacy and data protection. Client data, personal information, and confidential material are not pasted into public or consumer AI tools that may retain or train on inputs. Where AI is used on sensitive workloads, it's limited to services with appropriate data-handling and retention guarantees.
Security. AI tools are subject to the same security expectations as any other software: least-privilege access, no embedding of secrets or credentials in prompts, and awareness of risks such as prompt injection and data exfiltration.
Transparency. Where AI has materially shaped content, I'm comfortable saying so. I won't present AI-generated work as something it isn't, and I won't use AI to impersonate real people or fabricate quotes, credentials, or sources.
Fairness and proportionality. AI is applied where it genuinely helps and avoided where it adds risk without value. Decisions that affect people are not delegated wholesale to an automated system.
Acceptable use
AI tooling is used here to support work such as:
- Drafting, editing, and structuring documentation, blog posts, and runbooks
- Summarising public technical material and explaining concepts
- Generating and reviewing code, scripts, and configuration as a starting point
- Brainstorming approaches and surfacing alternatives or edge cases
In every case the output is reviewed, corrected, and validated before it's published or used.
What I won't do
- Submit client, personal, or confidential data to AI tools without an appropriate data-handling basis
- Publish AI-generated technical or security guidance without verifying it
- Use AI to produce misleading content, impersonate individuals, or fabricate sources or evidence
- Let AI make consequential decisions without human review and sign-off
Data handling
Inputs to AI tools are minimised and de-identified wherever practical. Sensitive or client-identifying information is kept out of tools that don't offer suitable privacy, retention, and residency controls. This aligns with my broader emphasis on governance: if a process can't be explained and defended, it shouldn't be running.
Review and feedback
This policy is reviewed periodically and whenever there's a significant change in the tools I use or the standards that apply. If you have questions, concerns, or spot something that warrants correction, please get in touch.