AI Governance
DiagnosticMind operates in regulated sectors where compliance is the baseline, not the achievement. This page exists to make the operating reality of how this platform uses artificial intelligence legible — not to perform compliance theatre. The detail below is the actual protocol.
01Why this page exists
Most AI governance pages are corporate ornament — a checkbox to satisfy an enterprise procurement form. This is not that.
DiagnosticMind uses AI as a substantive part of its product. Auditors and self-assessing organisations rely on AI-generated narratives, suggestions, and analyses. That makes the AI's role load-bearing — and load-bearing components must be documented honestly. This page documents what AI does in the platform, what it is allowed to decide, what it is not allowed to decide, and the commitments that follow from that classification.
02Models in use
| Use case | Model | Provider | Tier |
|---|---|---|---|
| Assessment scoring narrative (executive analysis) | Claude Sonnet 4.6 (claude-sonnet-4-6) | Anthropic | Standard API |
| Assessment Expert-AI chat | Claude Sonnet 4.6 | Anthropic | Standard API |
| Audit engine root-cause and corrective action suggestion | Claude Sonnet 4.6 | Anthropic | Standard API |
| Audit engine report conclusion generation | Claude Sonnet 4.6 | Anthropic | Standard API |
| Audit engine management review summary | Claude Sonnet 4.6 | Anthropic | Standard API |
| Audit engine annual programme objectives | Claude Sonnet 4.6 | Anthropic | Standard API |
Anthropic's Commercial Terms govern the API use. Inputs and outputs sent to the Anthropic API are not used to train Anthropic's models. Default retention is 30 days for abuse monitoring on the Standard API tier. Source: privacy.claude.com.
Zero Data Retention is available on enterprise request from Anthropic and will be pursued at the first paid SaaS contract that requires it.
03What AI does, and what it does not decide
The fundamental architectural commitment is this: AI suggests; the lead auditor decides. Every AI feature in the platform follows this pattern.
- Assessment scoring narrative — presentational only. The user makes all decisions about what to do with the analysis.
- Audit engine root-cause and corrective action suggestion — suggestion only. The lead auditor edits, accepts, or replaces. The final record is human-confirmed.
- Audit engine report conclusions — AI-generated drafts. The lead auditor reviews and signs the audit record.
- Expert-AI chat — informational dialogue. The chat never executes platform actions or modifies data.
- All AI outputs in the audit engine are reviewable and editable before becoming part of the official audit record.
Currently not implemented (in active development backlog):
- Audit rating suggestion (AI proposes a rating for an individual audit response)
- Contradiction detection across audit responses
When implemented, both will follow the same human-in-the-loop pattern: suggestion only, lead auditor decides, full audit log of AI suggestion plus human decision retained.
04EU AI Act classification
Self-classification: Limited Risk. Article 50 transparency obligations apply from 2 August 2026.
Reasoning:
- AI is used as professional assistance to certified auditors and self-assessing organisations.
- AI does not make decisions about individuals' fundamental rights, employment, education, essential services, or biometric or emotion recognition.
- Outputs are reviewable, editable, and final decisions are made by humans.
- The use case does not appear in Annex III high-risk categories.
Regulatory timeline (current as of July 2026). The EU AI Act's high-risk obligations for standalone Annex III systems were deferred by the Digital Omnibus simplification package — endorsed by the European Parliament on 16 June 2026 and approved by the Council on 29 June 2026, with publication in the Official Journal expected shortly after — from 2 August 2026 to 2 December 2027 (embedded Annex I systems to 2 August 2028). The Article 50 transparency obligations were not deferred: they apply from 2 August 2026, and from that date the AI Office and national authorities may impose fines of up to €15 million or 3% of total worldwide annual turnover for breaches. The narrower machine-readable marking duty under Article 50(2) applies from 2 December 2026 for AI systems already on the market before 2 August 2026. DiagnosticMind's Limited-Risk position is unaffected by the high-risk deferral — the transparency obligations are the relevant ones here, and the disclosure practices documented above are built to meet them.
05User transparency — current state and committed gaps
Implemented today
- Audit engine — all AI action buttons are prefixed with the 🤖 emoji (Generate, Suggest Root Cause, etc.). Persistent loading states use "🤖 A gerar..." or "🤖 Generating..." text.
- Audit engine — a dedicated AI & Data Transparency modal is accessible from any screen in the audit engine. It declares AI use, data handling, and standards alignment.
- Assessment intake — explicit description of "AI-generated analysis" in the introduction screens.
- Assessment email confirmation — "Your AI-generated diagnostic report will be sent..."
- Assessment loading state — "Generating your personalised executive analysis..." and "Our AI specialist is connecting the dots across your responses".
- Expert-AI chat — component is explicitly labelled "Expert AI" with active loading indicator.
Committed for resolution
- Q3 2026 — Persistent "AI-generated" badges on the three sections of the executive analysis result page (Executive Analysis, Priority Actions, What Self-Assessment Cannot Reach). Currently these rely on contextual labelling; the commitment is to add a per-section persistent badge.
- Q4 2026 — Global "Disable AI features" toggle for SaaS platform users who prefer purely manual auditing. Currently AI in the audit engine is opt-in via explicit click; the commitment is to add an account-level setting that hides AI suggestion buttons entirely.
06Human oversight and decision authority
The lead auditor is the trust authority in the platform. Specifically:
- The lead auditor is the only role authorised to finalise audit records, accept or reject AI-generated suggestions, sign audit reports, and approve corrective actions.
- AI features in the audit engine are opt-in by explicit click. They do not run automatically on data without the lead auditor's action.
- The lead auditor can override any AI output. AI does not have veto power over auditor judgement.
- For self-assessing organisations using public assessments, the user occupies the equivalent decision-authority role — the AI narrative is presentational and prompts reflection; it does not declare conclusions.
07Bias mitigation
Honest minimum statement. Claude Sonnet 4.6 is a general-purpose model from Anthropic. Independent bias testing of its outputs in audit and compliance contexts has not been conducted. Auditor judgement is the primary control: every AI output is reviewable and editable before it enters an audit record.
Any pattern of biased suggestions reported by users will be investigated and may result in prompt engineering changes or model replacement.
Independent bias testing (€5–15k of expert work) is deferred at this stage as a best-effort defensible commitment. It is on the upgrade path tied to the first enterprise contract.
08Audit logging of AI interactions
- All AI suggestions in the audit engine are logged with timestamp, user, prompt context, response, and resulting human action.
- Logs are retained for the full audit trail availability period (matches audit data retention).
- Logs are available for export to customers in the Enterprise tier on request.
09Data handling for AI processing
Cross-reference: full data handling, sub-processors, and lawful basis are documented on the Privacy Policy page and the Data Processing Addendum page.
Specific to AI processing:
- Inputs and outputs sent to Anthropic are not used to train Anthropic's models, per the Anthropic Commercial Terms.
- Default retention by Anthropic on the Standard API tier is 30 days for abuse monitoring; this is independent of the Provider's own retention policy.
- Lawful basis for AI processing is legitimate interest under Article 6(1)(f) GDPR; the substantive balancing test has been considered, and formal Legitimate Interest Assessment documentation is committed at the first enterprise contract.
10Acknowledged residual risks
For full transparency:
- EU AI Act classification is operator self-determined as Limited Risk — not regulator pre-approved.
- Independent bias testing of Claude Sonnet 4.6 outputs in audit context — deferred; honest minimum statement above is the current control.
- Persistent per-section AI badges committed for Q3 2026; "Disable AI" toggle committed for Q4 2026 — not yet implemented.
- Lawyer review of this classification is committed at the first enterprise contract.
These residuals are accepted consciously, not concealed.