Skip to content
AI data and safeguards

Clear rules for AI, data and human checks.

AI and automation are useful only when people understand what information is used, what the system can do, what still needs checking and what happens when something goes wrong.

Start small

Use descriptions, sample or redacted data where possible.

The first discussion usually needs the shape of the workflow, not live client records. More detailed information is considered only when it is needed for an agreed task.

Approved tools and information

Agree what can be used before connecting live work.

The scope names the provider, account, information types, permitted purpose and people responsible for approval.

Use only what is required

Remove fields and detail the workflow does not need.

Data minimisation reduces unnecessary exposure and makes the system easier to test and explain.

Access and ownership

Use named owners and appropriate access levels.

The business keeps an owner for provider accounts, source information, approvals and access changes. Shared access is avoided where named access is practical.

Human review

People approve important messages and decisions.

The workflow shows what a person checks, the evidence available and when the work must be escalated.

Testing

Test expected work, uncertainty and failure.

Testing covers representative examples, missing information, weak results, access, connected-tool problems and the agreed manual path.

Failure and manual fallback

Keep a clear way to finish the work without the tool.

A named person receives uncertain or failed work. The team knows what to record, who to contact and how to continue manually.

Documentation

Write down the approved version and its limits.

Instructions cover inputs, access, approvals, known limits, fallback, provider ownership and support.

Third-party providers

Review the provider, account and relevant settings.

Third-party terms, storage, model-training settings, regions, prices and availability vary. The relevant choices are recorded for the agreed workflow, and material changes may require another decision.

Retention and deletion

Agree what is kept, where and for how long.

The workflow should not keep information simply because it can. Business, provider and project records need a named owner and a practical deletion path.

Limits of the service

No system removes all risk or replaces specialist advice.

oOMF! does not claim certification, complete security, legal compliance or zero risk. Legal, privacy, cyber-security, data or engineering specialists may be needed for higher-risk work.

Next step

Start with a general description.

Explain the workflow and the kinds of information involved. Do not send credentials or sensitive records.

Ask about a workflow