Artificial Intelligence Management System Policy.

Artificial Intelligence Management System Policy

 

Published: July 6th, 2026

 

Qualifyze  is  committed  to  the  responsible  development  and  use  of  Artificial  Intelligence  in support   of   its   business Objectives and   regulatory   obligations.   This   policy   defines   the overarching principles and governance framework for AI systems used or developed by the organization.

It reflects Qualifyze’s commitment to trust, compliance, risk management, and accountability.

This policy forms Part of Qualifyze’s integrated management system and supports the continuous improvement of AI governance.

Business strategy, regulatory context, and AI governance

The  way  we  manage  AI  in  Qualifyze  is  linked  to how  we  operate  as  an  organization. Qualifyze delivers digital services in highly regulated  environments, where trust, traceability, auditability, and effective risk control are not optional, but essential to our business model.

For  this  reason,  AI  governance  is  naturally  embedded  within  our  existing  management systems  and  is  supported  by  recognized frameworks  such  as ISO/IEC  42001,ISO/IEC 27001, and ISO/IEC  27701.  We  also  take  into  account Regulation  (EU)  2024/1689  on Artificial  Intelligence  (AI  Act),  as  well  as  the  guidance  and  recommendations  issued  by the European  Commission and  the Spanish  Agency  for  the  Supervision  of  Artificial Intelligence (AESIA), acknowledging that the regulatory landscape for AI continues to evolve and that we must adapt to it in a progressive and responsible manner.

Depending  on  the  specific  context, Qualifyze may  act  as  a developer  of  AI  systems,  as a user  or  deployer  of third -party AI,  or  as  both simultaneously.  Our  AI  governance framework  takes  these distinct  roles into  account  and  adjusts  controls,  assessments, and responsibilities accordingly.

How we understand and govern IA risk At Qualifyze,   not   all   AI   systems   are   treated   in   the   same   way.   We   apply   a risk -based approach, under which each AI system is assessed considering

its intended purpose, its context of use, and its potential impact.

Our assessment considers, among other aspects, legal and contractual risks, information security and data protection risks, bias, misuse, and unintended effects. This analysis is not limited to the initial stage, but is reviewed over time, particularly when there are changes to usage conditions, the technical environment, or the regulatory context.

Artificial  Intelligence  does  not  replace  human  responsibility.  We  always  define appropriate levels of   human   oversight (HITL),   especially   in   cases   where   AI   supports   sensitive processes or contributes to relevant decisions.

Principles guiding our use and development of AI 

All AI related activities at Qualifyze are governed by a set of clear and shared principles that guide how we design, develop, deploy, and use AI systems across the organization.

We develop and use AI only for legitimate, clearly defined, and documented purposes, and always in compliance with applicable legislation, contractual commitments, and internal policies. The controls applied to each AI system are proportionate to its level of risk and criticality , allowing us to avoid both irresponsible use and unnecessary overregulation.

In Qualifyze, our approach to AI is guided by the following principles:

  • Lawfulness  and  regulatory  compliance:

We comply  with all  applicable  laws  and regulations, contractual obligations and internal policies when developing or using AI systems.

  • Clear  and  documented  purpose:

Each  AI  system  has  a  defined,  legitimate, and approved purpose, which is documented and understood prior to its use.

  • Proportionality and riskbased control:

Controls and safeguards are tailored to the risk profile and criticality of the AI system, ensuring effective risk management without excessive constraints.

  • Responsible  transparency:

We  promote  transparency  that  is appropriate  to the context and avoid opaque or misleading uses of AI, particularly in sensitive or regulated environments.

  • Human oversight and accountability (HITL):

Critical decisions are not delegated to AI    systems    without appropriate   human oversight.    Accountability    and    human responsibility remain central to the way we work with AI.

These    principles    reflect Qualifyze’s commitment    to    using    Artificial    Intelligence    in a responsible, trustworthy, and controlled manner, aligned with our business objectives and the expectations of our clients and other interested parties.

Development of inhouse AI systems 

When Qualifyze develops  AI  systems  internally,  these  are  integrated  into  our  technical processes  and  risk  management  practices.  Prior  to  deployment,  the  purpose, scope, and limitations of each system are clearly defined, and the necessary assessments are carried out to identify and mitigate relevant risks.

Inhouse  AI  systems  are appropriately  documented and monitored throughout  their  lifecycle, enabling the detection of deviations, performance

Degradation, or changes in behaviour. This approach is consistent with practices observed in organizations with mature and certifiable AI management systems.

Use of third-party AI systems

Qualifyze   uses   third-party   AI   systems   only   when   they   have   successfully   undergone a structured  prior  evaluation  process.  At  a  minimum,  this  process  includes  a  risk assessment,  a  contractual  review,  and  specific  assessments  related  to  data  protection  and information security.

These  evaluations  are  carried  out  by  the legal  and  technical  teams

and  form  part  of  our established supplier management processes. The use of third-party AI is authorized only when residual  risks  are  acceptable  and  consistent  with  our  risk  appetite  and  with  our  clients’ expectations.

Impact assessments and protection of interested parties

Where appropriate, Qualifyze performs specific assessments to analyse the potential impact of AI systems on individuals, organizations, and other interested parties. These assessments help identify risks  such  as  bias,  systematic  errors,  unintended  uses, or indirect  negative impacts, and to define suitable mitigation measures.

This  approach  reinforces  our  commitment  to  responsible  AI  and  to  alignment  with  the principles promoted at both European and national levels.

Relationship with other policies and management systems

This policy does not exist in isolation. It is integrated with other corporate policies at Qualifyze, particularly   those   related   to   information   security,   privacy,   risk   management,   supplier management, and acceptable use of technology.

Where  necessary,   these   policies   are   updated   or cross-referenced to   ensure   coherent governance and to avoid inconsistencies.

Deviations, exceptions, and control

Any   deviation   from   this   policy   must   be   properly   documented,  assessed   from   a risk perspective and approved in accordance with

internal processes. Exceptions should not become standard practice without a formal review and a conscious decision.

Roles, review, and continuous improvement

Qualifyze’s management designates the    roles    responsible    for maintaining this    policy, overseeing AI governance, and coordinating the teams involved. This policy is reviewed on a periodic  basis  and  whenever  significant  changes  occur  in  business  strategy,  the regulatory environment, technology, or AI use cases.

Communication and Compliance

This policy is communicated internally, and compliance with it is mandatory. Inappropriate use of AI systems may result in corrective actions in accordance with the organization’s internal procedures.