Artificial Intelligence Policy

Last updated: March 2026 · Cliffside Cybersecurity Pty Ltd

AI is a tool at Cliffside, not a substitute for professional judgement. We use it to improve efficiency, accuracy and consistency, but final decisions, findings, recommendations and deliverables remain the responsibility of qualified Cliffside personnel.

Cliffside uses third-party AI tools to support its services. We do not develop, train, or sell AI systems. This policy covers all AI use within Cliffside's operations and service delivery, and applies to all personnel, contractors, and third parties acting on our behalf.

We are committed to meeting applicable legal, regulatory, and contractual requirements in our use of AI. We are closely following developments in AI, including emerging risks, legal changes, regulatory guidance and evolving industry practice. This policy is a living document. As we identify new risks, improve our controls or adopt better ways to govern AI use, we update it.

This page explains how we use AI, where we draw hard boundaries, and how we protect client information.

Our approach

We use AI cautiously, with human oversight and clear operational controls.

Our approach is built on eight principles:

  • human accountability
  • fairness and non-discrimination
  • privacy and confidentiality
  • data minimisation
  • security by default
  • safety
  • transparency
  • controlled use and review

Anyone advising clients on AI should be willing to apply the same discipline internally. That is our standard.

How we use AI

Cliffside may use approved AI tools for limited and controlled purposes such as:

  • drafting outlines, summaries and first-pass working notes
  • improving grammar, structure and readability
  • supporting research and analysis
  • transcribing meetings where consent has been obtained
  • assisting with administrative efficiency

Where AI is used in these ways, Cliffside personnel review the output, make any required corrections, and determine whether it is suitable for use.

What AI does not do

AI does not replace consultant judgement or sign-off.

We do not use AI to:

  • make final risk decisions, severity ratings or recommendations without human judgement
  • approve deliverables without human review and sign-off
  • input client-identifiable information into unauthorised or consumer-grade AI tools
  • record or transcribe meetings without appropriate consent
  • use client data to train or improve AI models unless expressly agreed in writing by the client
  • use AI in a way that is inconsistent with legal, regulatory, contractual or confidentiality obligations

Protecting client data

We treat client information as confidential and apply controls designed to reduce privacy, confidentiality and security risk when AI is used in connection with client work.

These controls may include:

Approved tools only

Only AI tools approved by Cliffside may be used for client-related work.

Enterprise and contractual controls

Approved tools are assessed for security, privacy, data handling and contractual safeguards.

Data minimisation and sanitisation

Before using AI, we aim to remove or replace client-identifying information where reasonably practicable. This may include names, organisation names, email addresses, IP addresses, domain names and other identifying details.

Restricted access

Access to AI tools and AI-generated outputs is limited to authorised personnel with a legitimate business need.

Secure handling

AI-related records are handled within Cliffside's managed systems and subject to our security controls, access controls and retention practices.

Retention and deletion

AI-generated records are retained only for as long as reasonably necessary, subject to client commitments, legal obligations and records management requirements.

Meeting transcription

Cliffside may use AI-powered transcription to support accurate meeting records and follow-up. We do this only under controlled conditions.

Our approach is straightforward:

  • we notify participants when transcription is proposed
  • we obtain appropriate consent before transcription begins
  • if consent is not provided, transcription does not proceed
  • participants may ask for transcription to be paused or stopped
  • transcripts are treated as confidential client records and handled under our standard security controls

For sensitive discussions, Cliffside may recommend that transcription be disabled.

Approved AI platforms

Cliffside maintains an internal process for approving AI platforms. Approval is based on factors such as:

  • security and privacy safeguards
  • contractual protections
  • organisational access controls
  • suitability for the intended purpose
  • data handling practices
  • ability to support audit and oversight requirements

Third-party AI models carry inherent limitations, including the potential for inaccuracy, bias, and inconsistency. Known constraints are considered during platform approval and factored into how we use each tool.

Unapproved AI tools must not be used for client-related work.

Human review and quality control

AI output is not accepted at face value. Cliffside personnel are responsible for reviewing and validating AI-assisted work before it is used in client deliverables or relied on internally for material decisions.

This includes checking for:

  • factual accuracy
  • completeness
  • relevance
  • bias, unfairness, or discriminatory content
  • confidentiality or privacy issues
  • language that could mislead or overstate certainty

We also monitor the ongoing performance, accuracy, and suitability of approved AI tools. Where an AI tool no longer meets our standards, we restrict or discontinue its use.

Employee and contractor responsibilities

Cliffside personnel and contractors must:

  • follow this policy and related security, privacy and acceptable use requirements
  • use only approved AI tools for client-related work
  • avoid entering unnecessary or identifying information into AI systems
  • maintain competence in the responsible use of AI tools relevant to their role
  • escalate any concerns about AI use, output quality or data handling
  • report suspected misuse, unauthorised access or security incidents promptly

Personnel may raise AI-related concerns without fear of retaliation. We treat these reports seriously and investigate them promptly.

Failure to comply with this policy may result in disciplinary action or termination of engagement, as appropriate.

Incident response

If we become aware of a suspected AI-related privacy, confidentiality or security incident, we investigate and respond in line with our incident management processes. Where required, we take further steps in accordance with applicable legal and regulatory obligations.

Policy governance and review

We closely monitor developments in AI, including new technical risks, regulatory expectations and changes in good practice. This policy is reviewed periodically and updated when needed to reflect changes in technology, law, regulation, client expectations and Cliffside practices.

This policy is maintained as part of Cliffside's information security management system (aligned with ISO/IEC 27001) and AI management system (aligned with ISO/IEC 42001). We continuously implement and refine processes, controls and tools to reduce risk, improve oversight and strengthen the safe use of AI over time.

As part of our governance, we consider the broader societal and environmental implications of AI use in our operations and service delivery.

Because AI risk is changing quickly, this policy is intended to remain a living document. As we learn more, identify new risks or improve our controls, we update it accordingly.

The current version published on our website is the operative version.

Transparency and disclosure

Cliffside is open about its use of AI. This policy is part of that commitment.

Clients may ask whether AI was used in connection with their engagement. Where AI contributed materially to a client deliverable, Cliffside can explain the nature and extent of that contribution upon request.

We do not present AI-generated output as solely human work. Human review, judgement and sign-off remain central to everything we deliver.

Questions

If you have questions about how Cliffside uses AI, contact Cliffside through the usual channels.

Cliffside Cybersecurity Pty Ltd
Level 1, 66 King Street, Sydney NSW 2000
(02) 8916 6389