CyberPrism Platform
CyberPrism AI Policy
A deliberate, governed approach to artificial intelligence — built to support professional judgement, not replace it.
A clear position on AI
Artificial intelligence attracts hype, misunderstanding and, at times, unwarranted fear. CyberPrism takes a deliberate, governed approach. Our technology is built to support the judgement of experienced professionals — not to replace it — and we are transparent about how it works and how it is governed.
We describe our approach as Intelligence Augmentation: AI applied to make complex regulatory and cyber-resilience challenges easier to navigate, while keeping people firmly in control. This is a design philosophy, not a regulatory exemption. The EU AI Act’s definition of an AI system is functional and technology-neutral; CyberPrism falls within it, and we govern the platform as an AI system accordingly.
How CyberPrism works
CyberPrism is built on Retrieval-Augmented Generation (RAG). Rather than generating answers in isolation, it retrieves relevant material from a curated corpus of authoritative sources — including DORA, NIS2 and the UK Operational Resilience Framework — and generates responses grounded in that material. The result is guidance that is explainable and traceable to its sources. Grounding substantially reduces the risk of unsupported or fabricated content; it does not eliminate it, which is why every output is presented as decision-support requiring human validation.
Our role under the EU AI Act
The AI Act assigns obligations primarily by role, and we are explicit about ours:
- Provider. Cyber Risk International develops CyberPrism and places it on the market under its own name. We are therefore the provider of the AI system and accept the provider obligations that attach to the platform’s risk classification.
- Deployer. Where we use CyberPrism in delivering our own advisory services, we also act as a deployer.
- Clients as deployers. Organisations that license and operate CyberPrism are deployers in their own right, carrying the corresponding deployer obligations.
- Model supply chain. CyberPrism integrates a third-party general-purpose AI model via API. As a downstream provider, we maintain awareness of the upstream provider’s obligations and documentation, control the data passed to the model, and keep our own technical documentation describing how the model is integrated and constrained.
We state this plainly because provider obligations are the most substantial under the Act, and because our clients are entitled to know exactly where responsibility sits.
Risk classification and compliance
We have assessed CyberPrism against the AI Act’s risk-based framework. CyberPrism performs none of the prohibited practices set out in the Act. It functions as regulatory and resilience decision-support and is not, by design, the determining factor in the high-risk decisions listed in Annex III. Its principal regulatory duties are therefore the transparency obligations applicable to systems that generate content for human users — duties we meet by clearly identifying AI-generated guidance and referencing the sources on which it is grounded.
Because CyberPrism serves DORA-regulated financial entities and NIS2 essential and important entities, this is not a one-time judgement. Each new or materially changed feature is reviewed against Annex III, and the reasoning recorded. Should any feature fall within the high-risk category, the corresponding obligations — technical documentation, conformity assessment, logging, human oversight and post-market monitoring — are implemented before that feature is released.
We track our position against the Act’s phased application: the prohibited-practice and AI-literacy provisions in force since February 2025, the general-purpose AI provisions from August 2025, and the principal high-risk obligations from August 2026. Our use of AI is governed in alignment with the EU AI Act, DORA, NIS2 and the GDPR.
Governance principles
- Human oversight. Every AI-enabled feature operates under human control. CyberPrism does not make binding compliance or regulatory decisions.
- Transparency. AI-generated guidance is clearly identified as such, and references the sources it is grounded in.
- Accountability. A named owner is responsible for AI governance, operating under a defined review cycle and keeping records of governance decisions.
- Security and privacy. AI features operate within CyberPrism’s security and privacy framework. Data is not processed or shared outside it, and any processing of personal data is governed by our GDPR obligations.
- Fairness and ethics. We do not use AI for manipulative, discriminatory or harmful purposes, and we monitor outputs for accuracy and fairness.
- AI literacy. We provide AI-literacy measures to relevant personnel, proportionate to their role, in line with the Act’s requirements.
What CyberPrism will not do
- Make binding compliance or regulatory decisions without human validation.
- Replace governance, risk-management or professional advisory processes.
- Process or share data outside its security and privacy safeguards.
- Be used for manipulative, discriminatory or otherwise harmful purposes.
Our commitment
CyberPrism continuously monitors and evaluates its AI capabilities for accuracy, fairness and compliance. Governance of the platform is owned, reviewed and version-controlled, and as regulation and technology evolve, our approach evolves with them — always keeping clients in control.
A detailed AI governance statement aligned to the EU AI Act is available to clients and partners on request.