AI policy · Governance and standards

AI we ship, clearly governed.

How we use, build, and govern AI both inside the consultancy and inside the systems we ship for clients. Effective 28 May 2026.

Standards we align with

The frameworks that shape our practice.

Alignment means our practice is built to satisfy these standards. Certification, where stated, means an external body has audited us against them. We are explicit about which is which.

  • ISO/IEC 42001:2023

    Management-system standard for the responsible development and use of AI. We align our internal AI governance with its lifecycle, risk, and continual-improvement requirements.

  • ISO/IEC 27001

    Information security management. The control baseline for how we hold client data, including data that flows through AI workflows.

  • NIST AI Risk Management Framework (AI RMF 1.0)

    Govern, Map, Measure, Manage. We use the framework as the structure for risk assessment on every AI workflow we ship.

  • EU AI Act

    We treat the EU AI Act's risk-tiering as a baseline for any client deployment that touches EU users or operators, regardless of where the client is headquartered.

  • UK AI Safety Institute and DSIT guidance

    We track UK government guidance on AI safety, evaluation, and deployment and apply the relevant guidance to high-stakes workflows.

  • OWASP Top 10 for Large Language Model Applications

    Prompt injection, sensitive information disclosure, supply chain, model denial of service, and the rest. Every LLM workflow we ship is reviewed against the current list.

  • UK GDPR and Data Protection Act 2018

    Personal data inside AI pipelines is governed by the same lawful-basis, minimisation, and rights regime as any other personal data we process.

Eight principles inside every AI workflow we ship

What you can hold us to.

    Principle 01

    Human review on decisions that matter

    Any decision that touches money, people, regulatory compliance, or clinical context requires human review before action. No exceptions. The human review step is built into the workflow, not bolted on afterwards.

    Principle 02

    Data minimisation and consent

    Client data is sent to third-party models only when necessary, only with written consent, and only with the smallest scope that delivers the outcome. Where a self-hosted or smaller model can do the work, we use it.

    Principle 03

    Grounded over generative

    Where facts matter, we prefer retrieval over open generation. Sources are cited so the user can verify in one click.

    Principle 04

    Observability and audit trail

    Every AI workflow logs inputs, outputs, model versions, costs, and human review decisions. Audit-grade retention is configurable per engagement.

    Principle 05

    Bias and harm review

    Workflows that produce decisions affecting people receive a documented bias and harm review before launch and on every material change.

    Principle 06

    Reversibility

    Every workflow has a documented kill-switch and a rollback path. No AI system we ship is load-bearing in a way that cannot be undone.

    Principle 07

    Cost transparency

    Token, inference, and orchestration costs are tracked per workflow and reported back. Clients always know what each workflow costs to run.

    Principle 08

    Vendor diligence

    Model providers and third-party AI vendors are reviewed for data-handling practices, training-data position, security posture, and incident history before we route any client data to them.

Inside the consultancy

How we use AI in our own work.

  • We use AI assistants in our own work. Any output that leaves IMS is reviewed by a human.
  • We do not paste client confidential data into consumer-grade AI tools.
  • We use enterprise or self-hosted endpoints for any work involving client data.
  • We document, on request, which AI tools we used in producing a deliverable.

Your rights as a client

Levers you can pull at any time.

  • You can request the list of AI tools and models used in delivering your engagement at any time.
  • You can require human-only delivery for specific deliverables. We will tell you the cost difference plainly.
  • You can require self-hosted models for any AI workflow we ship for you, where the work allows it.
  • You can require data residency in a specific jurisdiction for the AI workflows in your engagement.

A specific question on AI governance?

We have answered most variants of it before. Send the question and you will have a plain-English answer in writing.