AI proposes. A named person decides. Every step is logged.
Last updated: 17 July 2026 · Version 2.0
1. Scope
This Statement discloses TruSecure's use of artificial-intelligence features in Resilience Fabric and on trusecure.co. It is published in fulfilment of the transparency duties applicable under Regulation (EU) 2024/1689 (the "EU AI Act") and to ensure that TruSecure's customers and their end users understand how AI is and is not used in respect of their data.
2. The single rule
AI proposes. A named person decides.
TruSecure's AI reads, classifies, maps, summarises, compares, drafts and proposes. The AI does not autonomously approve a risk acceptance, mark a control compliant or submit a regulatory report. Every action that produces a legal or similar significant effect on the customer, on the customer's data subjects, or on a third party routes to a named, authenticated human, who must approve, reject or amend it before it becomes the record of truth.
3. Where AI acts inside Resilience Fabric
| Function | AI role | Human approval required? |
|---|---|---|
| Framework mapping (NIS2, DORA, ISO, NIST, EU AI Act) | Proposes classification | Yes — by the named control owner |
| Evidence summarisation | Drafts | Yes — by the named approver |
| Gap detection | Proposes | Yes — by the named approver |
| Risk scoring | Proposes | Yes — by the named risk owner |
| Policy drafting | Drafts | Yes — by the named owner |
| Incident-report drafting | Drafts | Yes — by the named accountable person |
4. Where AI does not act
- The AI does not transmit notifications to regulators on a customer's behalf.
- The AI does not sign, attest, or accept liability on behalf of any party.
- The AI does not ingest customer data into model training by default.
- The AI does not execute transactions or instructions outside Resilience Fabric.
5. Models and infrastructure
- Models used by Resilience Fabric are operated on private inference infrastructure controlled by TruSecure within the EEA by default. The Customer does not need to take any action to enable this.
- Where private inference is unavailable for a specific task, fallback is permitted only on infrastructure the customer has explicitly approved in writing; the fallback path is recorded in the customer's tenant settings.
- Customer Content is not used to train foundation models.
- Foundation-model parameters are not modified on the basis of Customer Content.
6. Limitations and known risks
- AI-generated mappings and summaries may contain errors and must be reviewed.
- AI outputs are reproducible for a given input and model version; customers may request a logged copy of the relevant inputs and outputs in respect of a specific decision.
- AI is not used for the purposes of detecting minors or other special-category data subjects unless the customer explicitly enables such a feature and assumes the relevant GDPR Art. 9 obligations.
7. Automated decisions under GDPR Art. 22
TruSecure does not make automated decisions producing legal effects on natural persons on the basis of Resilience Fabric data. Where a customer uses Resilience Fabric outputs in a context that itself produces a legal or similarly significant effect on a data subject, the customer is the controller and remains responsible for GDPR Art. 22 compliance.
8. EU AI Act — interaction
Where TruSecure places an AI system on the market or puts it into service as a provider within the meaning of Regulation (EU) 2024/1689, TruSecure will publish the additional disclosures required by Art. 50 on the relevant product page. Where a customer deploys the system as a deployer, the customer assumes the corresponding deployer obligations.
9. Logging and audit
Every AI action — proposal, draft, summary, comparison — is logged with timestamp, model identifier, model version, request identifier and the human who approved or rejected the resulting decision. Logs are retained per the schedule in the Security Statement and are exportable by the customer.
10. Updates
Material changes to model usage or to the human-approval boundary are notified per the change-notice period on the Trust Center index page.
Ask an AI about TruSecure
TruSecure's AI reads, classifies, maps, summarizes, compares, drafts, and proposes — it never autonomously approves risk acceptances, marks controls compliant, or submits regulatory reports. Every AI action is logged; every decision carries the name of the person who reviewed and approved it.
