Document IIS-GOV-AI-001 • Version 1.0 • Effective 01 May 2026
Integrated IT Support Inc. (the “Company”) embraces artificial intelligence (AI) as a means of delivering faster, more reliable, and more affordable services to its clients. The Company is equally committed to ensuring that AI systems it builds, deploys, or uses internally are developed and operated in a manner that is lawful, ethical, transparent, secure, and consistent with respect for human rights and client interests.
This Policy sets out the standards that govern the Company's use of AI, in alignment with leading frameworks including ISO/IEC 42001:2023 (AI Management System), the NIST AI Risk Management Framework (AI RMF 1.0), the Government of Canada Directive on Automated Decision-Making, the OECD AI Principles, and the principles of the EU AI Act.
This Policy applies to all use of AI by the Company and its personnel, whether for internal productivity, service delivery to clients, embedded product features, or experimental and research purposes. It applies to:
AI systems developed in-house by the Company.
Third-party AI systems and APIs used by the Company (including generative AI chat tools, copilots, and agent platforms).
AI systems used by suppliers and sub-contractors on the Company's or its clients' behalf.
AI System: a machine-based system that, for a given set of human-defined objectives, makes predictions, recommendations, or decisions influencing real or virtual environments.
Generative AI: an AI system capable of generating text, code, images, audio, video, or other content in response to prompts.
High-Risk AI System: an AI system used in a context that could materially affect an individual's rights, opportunities, safety, or finances (e.g., automated screening of job applicants, credit decisions, healthcare triage).
Confidential / Restricted Information: as defined in the Information Security Policy (IIS-GOV-SEC-001).
Executive accountability for AI rests with the CEO and the executive AI Sponsor (typically the CISO or a designated AI Lead).
The Governance, Risk & Compliance Office maintains the AI Inventory (IIS-GOV-AI-INV-001) — a documented register of AI systems used by the Company, their purposes, risk classification, and approval status.
Every new AI use case must be reviewed and approved through the AI Use-Case Intake Process before being placed in production for client-impacting work.
Subject to the controls below, the Company permits the use of approved AI tools for:
Drafting internal documentation, code, and communications, with mandatory human review before reliance or external distribution.
Research, summarisation of public information, brainstorming, and learning.
Automation of well-bounded, internally-facing operational tasks (e.g., ticket triage, report generation) where errors are recoverable and a human-in-the-loop control is present.
Development of client-facing AI services that have passed the AI Use-Case Intake Process, including a risk assessment, transparency disclosure to the client, and explicit contractual permission where required.
Personnel must NOT, under any circumstances, do any of the following without explicit prior written authorisation from the GRC Office or a duly authorised executive:
Submit Confidential or Restricted client data, personal information, credentials, secrets, source code, security configurations, or non-public business information to any public, free-tier, or non-approved AI tool, or to any AI tool that may use that input to train its models.
Use AI to generate content that infringes the intellectual-property rights of any party.
Use AI to impersonate any individual, including by deepfake audio or video, or to fabricate identities.
Use AI to generate or distribute deceptive content, misleading marketing, or content intended to manipulate financial markets or electoral processes.
Use AI to make automated decisions about hiring, performance, termination, credit, or access to services without a documented human-in-the-loop review and explicit notice to the affected individual.
Use AI to engage in surveillance, profiling, or discriminatory behaviour against any protected group.
Use AI in a manner that violates applicable law, regulation, client contract, or this Policy.
Use of Confidential or Restricted information with AI is permitted only with approved enterprise-grade AI services that operate under contractual data-protection commitments, including: no use of customer data for model training without explicit consent; encryption in transit and at rest; appropriate data residency; and contractual breach-notification obligations.
The Company maintains a list of Approved AI Services (IIS-GOV-AI-APV-001) reviewed at least quarterly.
Personal information processed via AI is subject to the Privacy Policy (IIS-GOV-PRV-001) and PIPEDA; clients are notified where AI processing of their personal information occurs outside Canada.
Where the Company uses AI in delivering services to clients, the Company will disclose this fact to the client, including the categories of AI used and any human-oversight controls applied.
AI-generated content shared externally on the Company's behalf is reviewed for accuracy, completeness, and appropriateness by a qualified human before publication.
Where required by applicable law (e.g., EU AI Act provisions on AI-generated content), AI-generated outputs are labelled accordingly.
AI systems developed or operated by the Company that materially affect individuals' rights or opportunities undergo a documented Bias & Fairness Assessment before deployment and at least annually thereafter.
High-risk AI systems include a human-in-the-loop or human-on-the-loop control proportionate to the risk.
Personnel are trained to recognise hallucinations, fabrications, and other typical failure modes of generative AI and to validate outputs against authoritative sources before reliance.
AI systems are subject to the Company's Information Security Policy (IIS-GOV-SEC-001). The Company addresses AI-specific risks, including:
Prompt injection and indirect prompt injection.
Training-data poisoning.
Model extraction and inference attacks.
Insecure use of agentic AI with elevated privileges (least-privilege and human-confirm boundaries are enforced for agent actions involving data exfiltration, account changes, or financial transactions).
Before adding any AI service to the Approved list, the GRC Office reviews:
The vendor's security posture (SOC 2 / ISO 27001 evidence).
The vendor's data-handling, training-data, and retention practices.
The contractual terms regarding ownership of inputs and outputs.
Data-residency options and sub-processor disclosure.
The vendor's published responsible-AI practices, model-card or system-card disclosures, and incident-disclosure history.
Personnel must not rely on AI outputs as final deliverables without verification and customisation by a qualified human.
The Company does not claim copyright in content that is purely AI-generated where copyright law does not provide protection.
Personnel must not introduce open-source or copyrighted code into client deliverables via AI tools without confirming license compatibility.
All personnel using AI in the course of their work must complete the Company's AI Acceptable Use training upon joining and at least annually. Targeted training is provided to client-facing technical roles on responsible-AI engineering, prompt-injection defence, and privacy-by-design.
The GRC Office maintains the AI Risk Register and reviews AI-related incidents, near-misses, and corrective actions.
AI use cases are reviewed at least annually for continued necessity, performance, and compliance with this Policy.
Material changes to AI use cases are subject to re-approval through the Intake Process.
Any person — internal or external — may report a concern about the Company's use of AI through the Company's grievance mechanism (ahmad.wasee@iisupp.net or iisupp.net/ethics-grievance). The Company will investigate concerns in good faith and apply its non-retaliation guarantee.
Approval and Authority
This document has been reviewed and approved by the Executive Leadership of Integrated IT Support Inc. and is issued under the authority of the Office of the Chief Executive Officer. The document is subject to periodic review and may be amended by the Approving Authority. Material amendments are communicated to all employees and key suppliers within thirty (30) days of issuance.
Signed for and on behalf of Integrated IT Support Inc.
Ahmad — Chief Executive Officer
Integrated IT Support Inc.
Date: 11 May 2026
Approved electronically by Ahmad, Chief Executive Officer, on 11 May 2026. This electronic signature is applied with the authority of the named signatory and is valid under the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Ontario Electronic Commerce Act, 2000.