1. Purpose and Scope

This Artificial Intelligence Policy ("Policy") establishes the standards, responsibilities, and guardrails that govern how Quantus IT and its personnel use, develop, and deploy artificial intelligence tools and systems. It applies to all employees, contractors, and partners acting on behalf of Quantus IT, including in the delivery of client engagements.

The purpose of this Policy is to ensure that AI is used responsibly, ethically, securely, and in a manner consistent with Quantus IT's values, applicable law, and our clients' trust. Quantus IT provides AI training, AI-powered solutions, cloud migrations, and application modernization services. The responsible use of AI is therefore central to every dimension of our business.

This Policy covers:
  • Internal use of AI tools by Quantus IT personnel in day-to-day operations
  • AI solutions designed, built, or deployed by Quantus IT on behalf of clients
  • AI tools used in the delivery of AI training programs and workshops
  • Third-party AI services integrated into Quantus IT workflows or client solutions

This Policy does not supersede client-specific contractual obligations. Where a client agreement imposes stricter AI governance requirements, those requirements take precedence.

2. Ethical Principles

Quantus IT's use and deployment of AI is grounded in the following core ethical principles. These principles inform every decision we make about how AI is selected, configured, applied, and monitored - both internally and in solutions we deliver to clients.

2.1 Fairness

AI systems must treat all individuals equitably and must not produce outputs that discriminate against people on the basis of race, ethnicity, gender, age, disability, religion, national origin, or other protected characteristics. Where AI influences decisions affecting people, Quantus IT will actively assess and mitigate sources of unfair bias.

2.2 Transparency

Quantus IT will be open about when and how AI is used in our operations and client deliverables. AI-generated content will be identified as such where disclosure is appropriate. Clients will be informed when AI tools are materially involved in the work Quantus IT delivers on their behalf. Internally, AI usage will be documented in project records.

2.3 Accountability

Responsibility for AI-assisted decisions and outputs rests with the people and organization that deploy them - not with the AI system itself. Quantus IT personnel are accountable for all work they deliver, regardless of AI involvement. Quantus IT leadership is accountable for the organization's overall AI governance practices.

2.4 Non-Discrimination

AI must not be used in any way that creates, reinforces, or perpetuates discrimination. This applies to content generation, automated decision support, data analysis, and any other AI application. Personnel must actively identify and reject AI outputs that exhibit discriminatory patterns before those outputs are used or delivered.

2.5 Privacy

Individuals' personal data must be handled with respect for their privacy rights. AI systems that process personal data must do so lawfully, with appropriate consent where required, and with robust protections against unauthorized access or misuse. Data minimization is the default - collect and process only what is necessary for the stated purpose.

2.6 Reliability and Safety

AI systems used by Quantus IT or delivered to clients must be reliable, tested, and safe for their intended purpose. Systems that could cause harm if they fail or produce incorrect outputs must have appropriate safeguards, human checkpoints, and fallback procedures in place before deployment.

3. Definitions

The following terms are used throughout this Policy:
  • Artificial Intelligence (AI): Software systems that perform tasks that typically require human intelligence, including natural language processing, image recognition, predictive analytics, code generation, and automated decision-making.
  • Generative AI: AI systems capable of generating new content - text, images, code, audio, or other media - based on patterns learned from training data. Examples include large language models (LLMs), image generators, and code completion tools.
  • AI-Assisted Decision-Making: Any decision made in whole or in part on the basis of output from an AI system, including recommendations, classifications, risk scores, or automated approvals.
  • Approved AI Tool: An AI tool or service that has been reviewed and authorized for use by Quantus IT through the procurement and approval process defined in Section 8 of this Policy.
  • Sensitive Data: Any data that is confidential, proprietary, personally identifiable (PII), protected health information (PHI), financial, or subject to regulatory protection. Client data is always treated as Sensitive Data unless otherwise specified in writing.
  • Human Oversight: Review, validation, or approval of AI-generated output by a qualified person before that output is acted upon, published, or delivered to a client.
  • AI Output: Any content, recommendation, prediction, code, or other artifact produced by an AI system in response to an input or prompt.
  • High-Risk AI Application: Any AI system whose outputs could directly affect an individual's legal rights, safety, financial standing, employment, or access to essential services, or that operates in a safety-critical environment without real-time human supervision.
  • AI Incident: Any event in which an AI system produces harmful, incorrect, or unauthorized output; experiences a security breach; or otherwise fails to operate as intended in a manner that has or could have a material impact on Quantus IT, its clients, or third parties.

4. Acceptable Use

4.1 Permitted Uses

Quantus IT personnel may use approved AI tools for the following purposes:
  • Content creation and drafting: Drafting proposals, reports, documentation, blog posts, presentations, and communications - subject to human review before distribution
  • Code development and review: Generating, reviewing, and refactoring code in client solutions and internal projects - subject to engineer review and testing before deployment
  • Data analysis: Summarizing, classifying, or drawing insights from non-sensitive datasets
  • Research and discovery: Exploring technical topics, summarizing documentation, and accelerating knowledge acquisition
  • Client AI training delivery: Demonstrating AI tools and capabilities as part of authorized training engagements
  • Automation and productivity: Automating repetitive internal tasks such as scheduling, note-taking, and workflow management
  • Customer service support: Assisting in drafting responses to client inquiries, subject to human review before sending

4.2 Prohibited Uses

The following uses of AI are strictly prohibited:
  • Inputting client Sensitive Data, PII, credentials, API keys, or proprietary business information into any AI tool that has not been approved and verified as meeting applicable data privacy and security requirements
  • Using AI to generate, distribute, or amplify content that is false, misleading, defamatory, discriminatory, or harmful
  • Using AI to impersonate another person, organization, or entity
  • Using AI to circumvent security controls, access management systems, or compliance requirements
  • Presenting AI-generated content as entirely original human work when the context requires disclosure (e.g., academic submissions, regulatory filings, or contracts)
  • Using AI to make autonomous decisions that carry significant legal, financial, health, or safety consequences without documented human oversight
  • Using unapproved AI tools on client systems, networks, or environments without explicit written client authorization
  • Training or fine-tuning AI models on client data without a formal data processing agreement and explicit client consent
  • Using AI to conduct surveillance, monitor individuals, or process biometric data without proper legal basis and explicit authorization

4.3 Human Oversight Requirement

All AI-generated output used in client deliverables, published communications, or consequential decisions must be reviewed, validated, and approved by a qualified Quantus IT team member before use. Personnel are responsible for the accuracy, appropriateness, and quality of any AI-assisted work they deliver or publish.

For High-Risk AI Applications, human oversight must be documented. Records must identify the reviewer, the nature of the review performed, and the date of approval.

5. Data Privacy and Security

5.1 Data Classification Before AI Use

Before submitting any data to an AI tool, personnel must assess the classification of that data. Only non-sensitive, non-proprietary, and non-client-identifiable data may be input into AI tools unless the tool has been explicitly approved for Sensitive Data processing with appropriate controls in place.

5.2 Client Data Protection

Client data is always treated as Sensitive Data. Client data must not be submitted to any AI tool - including generative AI assistants, code completion tools, or analytics platforms - without:
  • Written authorization from the client
  • A signed data processing agreement (DPA) governing the AI tool's handling of that data
  • Confirmation that the AI provider's data processing practices comply with all applicable privacy regulations and the client's own compliance requirements

5.3 Data Minimization and Anonymization

When AI-assisted analysis of real-world data is necessary, personnel must apply data minimization principles - using only the minimum data necessary for the task. Where feasible, data must be anonymized or pseudonymized before being submitted to an AI system.

5.4 AI and Security Controls

All AI workloads must be deployed with:
  • Network isolation using virtual networks and private endpoints where applicable
  • Role-Based Access Control (RBAC) limiting access to authorized personnel only
  • Data encryption at rest and in transit using platform-managed or customer-managed keys
  • Logging and monitoring via appropriate logging services
  • Secrets and credentials stored in secure platform services - never hardcoded in source code or configuration files

5.5 Data Retention and Deletion

Data submitted to or processed by AI systems must be retained only for as long as necessary to fulfill the purpose for which it was collected. When a client engagement concludes, Quantus IT will delete or return client data from any AI tool or platform used in that engagement, in accordance with the applicable services agreement and any data processing agreements in place.

5.6 Incident Reporting

Any suspected or confirmed data exposure, unauthorized AI use, or security incident involving an AI system must be reported to the Quantus IT principal immediately. Incidents involving client data must also be disclosed to the affected client in accordance with contractual obligations and applicable law. See Section 13 for crisis response procedures.

6. Intellectual Property and Ownership

6.1 AI-Generated Work Products

The intellectual property ownership of AI-assisted work products delivered to clients is governed by the applicable client services agreement. In the absence of an explicit agreement to the contrary, work products created by Quantus IT personnel using AI tools - and reviewed and validated by those personnel - are treated as work-for-hire delivered to the client.

6.2 Third-Party AI Tool Terms

Personnel must review and comply with the terms of service of any approved AI tool, particularly provisions relating to intellectual property in AI-generated outputs. If a third-party AI provider asserts a license or ownership interest in outputs generated using their platform, that tool may not be used to produce client deliverables without legal review.

6.3 Training Data and Model Ownership

Quantus IT will not use client data to train, fine-tune, or improve any AI model without explicit written consent from the client and a governing data processing agreement. Any AI model fine-tuned on client data for a client engagement remains the property of the client unless otherwise agreed in writing.

6.4 Open Source AI Components

When incorporating open source AI models or libraries into client solutions, personnel must review and comply with the applicable open source license terms. License obligations must be documented in project deliverables and disclosed to the client.

7. Employee Responsibilities and Training

All Quantus IT personnel who use AI tools have the following responsibilities:

7.1 Competence and Judgment

  • Develop sufficient understanding of any AI tool used to critically evaluate its outputs
  • Apply professional judgment - never accept AI output uncritically or without verification
  • Stay current on the capabilities, limitations, and known failure modes of AI tools used in their work

7.2 Transparency

  • Disclose the use of AI tools to clients where relevant to the nature of the deliverable or where the client has a reasonable expectation of disclosure
  • Accurately represent work products - do not misrepresent AI-assisted work as entirely human-authored when material disclosure is appropriate

7.3 Accountability

  • Take full professional responsibility for all work delivered, regardless of AI assistance
  • Correct errors in AI-generated work promptly and notify affected parties where material errors have been delivered
  • Report suspected Policy violations, misuse of AI tools, or security concerns immediately

7.4 Policy Adherence

  • Use only approved AI tools for work involving Sensitive Data or client environments
  • Complete any required AI ethics or responsible AI training as directed by Quantus IT leadership
  • Consult Quantus IT leadership before using any AI tool or capability not covered by this Policy

7.5 Education and Training

Quantus IT invests in ongoing AI literacy and ethical awareness for all personnel. Training expectations include:
  • Onboarding: All new personnel must review this Policy and complete any required AI responsible-use orientation before using AI tools on behalf of Quantus IT
  • Ongoing education: Personnel are expected to stay informed about developments in AI capabilities, risks, and regulatory requirements relevant to their role
  • Specialized training: Personnel who design, build, or configure AI systems for clients must demonstrate competency in responsible AI design principles, bias identification, and AI security controls
  • Client-facing training: Personnel who deliver AI training programs to clients must complete relevant Microsoft certifications or equivalent credentialing appropriate to the subject matter

Quantus IT leadership will identify and provide access to appropriate training resources, including Microsoft's Responsible AI training and industry guidance from NIST and other authoritative bodies.

8. Procurement and Approval

8.1 Approval Requirement

No AI tool or AI-powered service may be introduced into Quantus IT operations, client environments, or project delivery workflows without prior review and approval by Quantus IT leadership. This requirement applies regardless of cost, including free-tier tools and personal AI subscriptions used for business purposes.

8.2 Approval Criteria

AI tool evaluation considers the following criteria:
  • Data handling: How the provider processes, stores, and retains input data; whether inputs are used for model training; availability of a data processing agreement
  • Security posture: SOC 2 Type II or equivalent attestation; encryption standards; access control capabilities
  • Privacy compliance: Alignment with applicable privacy regulations (e.g., GDPR, CCPA, HIPAA where relevant)
  • Intellectual property: Tool's terms of service regarding ownership of AI-generated outputs
  • Ethical alignment: Provider's published responsible AI commitments and track record
  • Accessibility: Whether the tool meets accessibility standards for any personnel or client end users who require accommodations
  • Business case: Demonstrated productivity or quality benefit relative to risk and cost
  • Integration risk: Security implications of connecting the tool to existing systems or client environments

8.3 Approved Tool Registry

Quantus IT maintains an internal registry of approved AI tools. Personnel should contact Quantus IT leadership to confirm current approval status of any AI tool before first use in a business context.

8.4 Client-Mandated AI Tools

Where a client requires Quantus IT to use a specific AI tool as part of a project, that tool is subject to the same evaluation criteria. If the tool does not meet Quantus IT's security or privacy standards, Quantus IT will communicate the concern to the client and work to identify an acceptable alternative or document the accepted risk in writing.

9. Bias and Fairness

9.1 Awareness of AI Limitations

AI systems, including large language models and predictive analytics tools, can produce biased, incorrect, or unfair outputs as a result of biases present in training data, model architecture, or prompt design. Quantus IT personnel must be aware of this risk and actively work to identify and mitigate it.

9.2 High-Risk Decision Contexts

AI must not be used as the sole or primary basis for decisions that significantly affect individuals on the basis of protected characteristics, including hiring, promotion, lending, insurance, healthcare, or legal proceedings. Any AI-assisted decision in these contexts requires documented human review and the ability for affected individuals to request a human decision-maker.

9.3 Bias Assessment in Client Solutions

When designing or deploying AI solutions for clients that involve automated or AI-assisted decision-making affecting end users, Quantus IT will:
  • Identify and document potential sources of bias during the design phase
  • Recommend testing and evaluation procedures to detect bias in model outputs across relevant demographic groups
  • Advise clients on mitigation strategies, including data diversity, model selection, and output monitoring
  • Include bias and fairness considerations in solution documentation and client handoffs

9.4 Diverse and Inclusive Prompting

When using generative AI tools to create content, personnel should consider whether prompts may result in outputs that reflect or reinforce stereotypes, exclusionary assumptions, or discriminatory framing - and revise accordingly.

9.5 Ongoing Fairness Evaluation

For AI systems deployed in client environments that make recurring decisions affecting end users, Quantus IT recommends establishing a regular cadence of fairness evaluation - reviewing output distributions, monitoring for demographic disparities, and updating or retraining models where bias is detected. These recommendations will be documented in solution design deliverables.

10. Accessibility and Inclusion

10.1 Commitment to Accessible AI

Quantus IT is committed to ensuring that AI tools, AI-generated content, and AI-powered solutions are accessible to individuals with disabilities. Accessibility is not an afterthought - it is a design requirement evaluated from the outset of every engagement.

10.2 AI-Generated Content Accessibility

Content produced with AI assistance that will be published or delivered to end users must meet WCAG 2.2 Level AA accessibility standards. This includes:
  • Images and graphics generated by AI must include descriptive alternative text
  • AI-generated documents and reports must be structured with proper heading hierarchy, reading order, and color contrast
  • AI-generated audio or video content must be accompanied by transcripts or captions
  • AI-powered interfaces and chatbots must be keyboard-navigable and compatible with screen readers

10.3 Accessible AI Tool Selection

When evaluating AI tools for internal use or client deployment, accessibility compliance is a mandatory procurement criterion (see Section 8.2). Tools that are inaccessible to personnel or client end users who require accommodations must not be selected without an approved accommodation alternative.

10.4 Inclusion in AI Design

AI solutions designed for client end users must account for diverse user populations - including users with varying levels of digital literacy, users in low-bandwidth environments, and users who require assistive technologies. Quantus IT will document inclusive design decisions and trade-offs in solution architecture records.

11. Environmental and Social Considerations

11.1 Environmental Impact Awareness

AI systems - particularly large-scale model training and inference at scale - consume significant computational resources and carry a measurable energy and carbon footprint. Quantus IT acknowledges this impact and incorporates environmental considerations into AI solution design and tool selection.

11.2 Efficiency and Right-Sizing

When designing AI solutions, Quantus IT applies the following principles to reduce unnecessary resource consumption:
  • Select AI model sizes and compute SKUs appropriate to the task - avoid over-provisioning where smaller, more efficient models meet the requirement
  • Use sustainability guidance and scale-to-zero capabilities to minimize idle resource costs and energy use
  • Prefer retrieval-augmented generation (RAG) and fine-tuned specialized models over repeated full-context generation where technically feasible
  • Monitor inference costs and resource utilization as part of ongoing solution optimization

11.3 Social Responsibility

Quantus IT recognizes that AI has broad social implications beyond the immediate context of any single engagement. We are committed to:
  • Declining engagements that would require us to build or deploy AI systems designed to deceive, surveil, manipulate, or harm individuals
  • Advising clients on the social and workforce implications of AI automation, including the importance of transparent change management and employee communication
  • Supporting responsible AI adoption that augments human capability rather than eliminating human judgment in high-stakes contexts
  • Contributing to industry best practices through knowledge sharing, participation in professional communities, and publication of insights through our Insights program

12. Monitoring, Enforcement, and Audits

12.1 Compliance Monitoring

Quantus IT leadership is responsible for overseeing compliance with this Policy. This includes periodic review of AI tools in use, spot checks of AI-assisted deliverables, and assessment of emerging risks as AI capabilities evolve.

12.2 Logging and Auditability

Where technically feasible, AI usage in client-facing solutions must be logged in a manner that supports audit and incident investigation. Logs must include sufficient metadata to identify the AI system used, the nature of the input, and the output acted upon. Logs must be retained in accordance with applicable data retention requirements.

12.3 Reporting Mechanisms

Quantus IT maintains open channels for personnel to report AI-related concerns, policy questions, and potential violations:
  • Policy questions and guidance: Contact Quantus IT leadership directly at info@quantusit.com
  • Suspected violations: Report to Quantus IT leadership immediately - reports will be reviewed promptly and in confidence
  • Client-reported concerns: Clients who have concerns about AI use in a Quantus IT engagement should contact their primary Quantus IT point of contact or email info@quantusit.com

Quantus IT does not tolerate retaliation against personnel who report concerns in good faith.

12.4 Compliance Audits

Quantus IT conducts periodic audits of AI-related practices to assess adherence to this Policy and applicable regulations. Audits will review:
  • The current inventory of AI tools in use against the approved tool registry
  • A sample of AI-assisted deliverables to verify human oversight was applied
  • Data handling practices for AI tools processing Sensitive Data
  • Completion status of required employee training
  • Any AI incidents or near-misses reported since the last audit

Audit findings will be documented and used to drive Policy updates, training improvements, and corrective actions where required.

12.5 Consequences of Non-Compliance

Violations of this Policy may result in disciplinary action, including removal from client engagements, termination of employment or contract, and legal action where violations result in harm to clients, third parties, or Quantus IT. The severity of consequences will be proportionate to the nature, intent, and impact of the violation.

13. Crisis Response

13.1 AI Incident Categories

Quantus IT defines the following categories of AI incidents that trigger crisis response procedures:
  • Data breach: Unauthorized access to or exfiltration of data processed by an AI system
  • Harmful output: AI-generated content that causes or could cause material harm - including misinformation delivered to clients, content that violates privacy, or discriminatory outputs acted upon in a consequential decision
  • System failure: An AI system operating in a critical or safety-adjacent function that fails, produces systematically incorrect outputs, or becomes unavailable
  • Compliance violation: Discovery that an AI system has been operating in a manner that violates applicable law or regulation
  • Unauthorized use: Discovery that AI tools have been used in violation of this Policy in a manner that has or could have material impact on clients or Quantus IT

13.2 Immediate Response

Upon discovery of an AI incident, the following immediate actions apply:
  • Notify Quantus IT leadership immediately - do not attempt to resolve the incident independently before notification
  • Suspend or restrict use of the affected AI system pending assessment, if doing so is technically feasible and will not cause additional harm
  • Preserve relevant logs, records, and evidence - do not delete or overwrite data that may be needed for investigation
  • Do not communicate externally about the incident without authorization from Quantus IT leadership

13.3 Client Notification

Where an AI incident affects client data, client deliverables, or client systems, Quantus IT will notify the affected client promptly. Notification will include a description of the incident, an assessment of the impact, the steps taken to contain and remediate the issue, and any actions the client should take. Notification timelines will comply with applicable contractual obligations and legal requirements.

13.4 Post-Incident Review

Following resolution of any AI incident, Quantus IT will conduct a post-incident review to identify root causes, assess whether this Policy or existing controls failed, and implement corrective measures to prevent recurrence. Significant incidents will trigger an early review of this Policy under the procedures defined in Section 15.

14.1 Applicable Regulations

Quantus IT's use of AI is governed by applicable federal, state, and local laws, as well as sector-specific regulations applicable to client industries. Relevant frameworks include but are not limited to:
  • Data Privacy: California Consumer Privacy Act (CCPA), General Data Protection Regulation (GDPR) for engagements involving EU data subjects, and applicable state privacy laws
  • AI-Specific Regulation: Emerging federal and state AI legislation, including applicable provisions of the EU AI Act for solutions deployed in EU markets
  • Sector-Specific: HIPAA for healthcare AI applications; FINRA and SEC guidance for financial services AI; FERPA for educational applications
  • Federal Contracting: Applicable federal AI governance requirements for government-adjacent engagements, including NIST AI Risk Management Framework (AI RMF) alignment

14.2 NIST AI Risk Management Framework

Quantus IT aligns its internal AI governance practices with the NIST AI Risk Management Framework (AI RMF 1.0), which provides a voluntary framework for managing risks associated with AI design, development, deployment, and use. The four core functions - Govern, Map, Measure, and Manage - inform how Quantus IT approaches AI risk across the engagement lifecycle.

14.3 Microsoft Responsible AI Principles

Quantus IT adopts and supports Microsoft's Responsible AI principles: fairness, reliability and safety, privacy and security, inclusiveness, transparency, and accountability. These principles guide the design and deployment of AI solutions across all Quantus IT engagements.

14.4 GDPR Considerations for AI

Where Quantus IT or its clients process personal data of EU data subjects using AI systems, the following GDPR obligations apply:
  • Lawful basis: A valid legal basis must exist for processing personal data in any AI system (consent, legitimate interest, contractual necessity, or legal obligation)
  • Data subject rights: Individuals have the right to access, correct, and request deletion of their personal data, including data used in AI decision-making processes
  • Automated decision-making: Where AI makes decisions with significant legal or similarly significant effects on individuals, GDPR Article 22 requires that individuals have the right not to be subject to solely automated decisions and the right to request human review
  • Data Protection Impact Assessments (DPIAs): High-Risk AI Applications processing EU personal data require a DPIA before deployment

14.5 Contractual Compliance

All client agreements involving AI components must clearly address data processing responsibilities, model ownership, liability for AI-generated errors, and disclosure obligations. Quantus IT will not enter into AI engagements that require practices inconsistent with this Policy without documented legal review and leadership approval.

15. Policy Review

15.1 Review Cadence

This Policy will be reviewed and updated at least annually, or more frequently as warranted by material changes in AI technology, applicable law, industry standards, or Quantus IT's service offerings. The date of the most recent revision appears at the top of this document.

15.2 Triggers for Interim Review

An interim review will be initiated upon:
  • Enactment of new federal or state AI-specific legislation applicable to Quantus IT's operations
  • A significant AI incident or compliance finding (see Section 13)
  • Material changes to AI tools used in Quantus IT operations or client solutions
  • Changes to vendor AI service terms or responsible AI guidelines that affect Quantus IT's delivery practices
  • Client or industry feedback indicating gaps in existing Policy coverage
  • Publication of significant new guidance from NIST, the EU AI Office, or other authoritative bodies that affects Quantus IT's risk posture

15.3 Version Control

All prior versions of this Policy are retained internally for audit purposes. Material changes will be summarized in an internal revision log accessible to Quantus IT personnel.

15.4 Questions and Feedback

Personnel with questions about this Policy, requests for clarification, or suggestions for improvement should contact Quantus IT leadership at:

Quantus IT
San Antonio, TX
info@quantusit.com