Artificial Intelligence Management System Policy.
Artificial Intelligence Management System Policy
Published: July 6th, 2026
Qualifyze is committed to the responsible development and use of Artificial Intelligence in support of its business Objectives and regulatory obligations. This policy defines the overarching principles and governance framework for AI systems used or developed by the organization.
It reflects Qualifyze’s commitment to trust, compliance, risk management, and accountability.
This policy forms Part of Qualifyze’s integrated management system and supports the continuous improvement of AI governance.
Business strategy, regulatory context, and AI governance
The way we manage AI in Qualifyze is linked to how we operate as an organization. Qualifyze delivers digital services in highly regulated environments, where trust, traceability, auditability, and effective risk control are not optional, but essential to our business model.
For this reason, AI governance is naturally embedded within our existing management systems and is supported by recognized frameworks such as ISO/IEC 42001,ISO/IEC 27001, and ISO/IEC 27701. We also take into account Regulation (EU) 2024/1689 on Artificial Intelligence (AI Act), as well as the guidance and recommendations issued by the European Commission and the Spanish Agency for the Supervision of Artificial Intelligence (AESIA), acknowledging that the regulatory landscape for AI continues to evolve and that we must adapt to it in a progressive and responsible manner.
Depending on the specific context, Qualifyze may act as a developer of AI systems, as a user or deployer of third -party AI, or as both simultaneously. Our AI governance framework takes these distinct roles into account and adjusts controls, assessments, and responsibilities accordingly.
How we understand and govern IA risk At Qualifyze, not all AI systems are treated in the same way. We apply a risk -based approach, under which each AI system is assessed considering
its intended purpose, its context of use, and its potential impact.
Our assessment considers, among other aspects, legal and contractual risks, information security and data protection risks, bias, misuse, and unintended effects. This analysis is not limited to the initial stage, but is reviewed over time, particularly when there are changes to usage conditions, the technical environment, or the regulatory context.
Artificial Intelligence does not replace human responsibility. We always define appropriate levels of human oversight (HITL), especially in cases where AI supports sensitive processes or contributes to relevant decisions.
Principles guiding our use and development of AI
All AI related activities at Qualifyze are governed by a set of clear and shared principles that guide how we design, develop, deploy, and use AI systems across the organization.
We develop and use AI only for legitimate, clearly defined, and documented purposes, and always in compliance with applicable legislation, contractual commitments, and internal policies. The controls applied to each AI system are proportionate to its level of risk and criticality , allowing us to avoid both irresponsible use and unnecessary overregulation.
In Qualifyze, our approach to AI is guided by the following principles:
- Lawfulness and regulatory compliance:
We comply with all applicable laws and regulations, contractual obligations and internal policies when developing or using AI systems.
- Clear and documented purpose:
Each AI system has a defined, legitimate, and approved purpose, which is documented and understood prior to its use.
- Proportionality and risk–based control:
Controls and safeguards are tailored to the risk profile and criticality of the AI system, ensuring effective risk management without excessive constraints.
- Responsible transparency:
We promote transparency that is appropriate to the context and avoid opaque or misleading uses of AI, particularly in sensitive or regulated environments.
- Human oversight and accountability (HITL):
Critical decisions are not delegated to AI systems without appropriate human oversight. Accountability and human responsibility remain central to the way we work with AI.
These principles reflect Qualifyze’s commitment to using Artificial Intelligence in a responsible, trustworthy, and controlled manner, aligned with our business objectives and the expectations of our clients and other interested parties.
Development of inhouse AI systems
When Qualifyze develops AI systems internally, these are integrated into our technical processes and risk management practices. Prior to deployment, the purpose, scope, and limitations of each system are clearly defined, and the necessary assessments are carried out to identify and mitigate relevant risks.
Inhouse AI systems are appropriately documented and monitored throughout their lifecycle, enabling the detection of deviations, performance
Degradation, or changes in behaviour. This approach is consistent with practices observed in organizations with mature and certifiable AI management systems.
Use of third-party AI systems
Qualifyze uses third-party AI systems only when they have successfully undergone a structured prior evaluation process. At a minimum, this process includes a risk assessment, a contractual review, and specific assessments related to data protection and information security.
These evaluations are carried out by the legal and technical teams
and form part of our established supplier management processes. The use of third-party AI is authorized only when residual risks are acceptable and consistent with our risk appetite and with our clients’ expectations.
Impact assessments and protection of interested parties
Where appropriate, Qualifyze performs specific assessments to analyse the potential impact of AI systems on individuals, organizations, and other interested parties. These assessments help identify risks such as bias, systematic errors, unintended uses, or indirect negative impacts, and to define suitable mitigation measures.
This approach reinforces our commitment to responsible AI and to alignment with the principles promoted at both European and national levels.
Relationship with other policies and management systems
This policy does not exist in isolation. It is integrated with other corporate policies at Qualifyze, particularly those related to information security, privacy, risk management, supplier management, and acceptable use of technology.
Where necessary, these policies are updated or cross-referenced to ensure coherent governance and to avoid inconsistencies.
Deviations, exceptions, and control
Any deviation from this policy must be properly documented, assessed from a risk perspective and approved in accordance with
internal processes. Exceptions should not become standard practice without a formal review and a conscious decision.
Roles, review, and continuous improvement
Qualifyze’s management designates the roles responsible for maintaining this policy, overseeing AI governance, and coordinating the teams involved. This policy is reviewed on a periodic basis and whenever significant changes occur in business strategy, the regulatory environment, technology, or AI use cases.
Communication and Compliance
This policy is communicated internally, and compliance with it is mandatory. Inappropriate use of AI systems may result in corrective actions in accordance with the organization’s internal procedures.