01 Scope and classification
ConnectGRC's voice-based GRC competency assessment is an AI system within the meaning of the EU AI Act (Regulation (EU) 2024/1689). We classify the assessment as a limited-risk system in its current form: it produces advisory tier and score outputs that candidates may share at their discretion. The system is not, today, used to make employment decisions that produce legal or similarly significant effects on the candidate.
Should the same engine be reused inside an employer-driven hiring flow, that deployment would shift to the EU AI Act's high-risk tier (Annex III, point 4) — the obligations described in our companion documents would expand accordingly.
02 The documents
Our EU AI Act compliance posture is described in two living documents that sit alongside the Privacy Policy:
- AI System Technical Documentation — describes the assessment pipeline architecture, training-data posture, performance benchmarks, and known limitations. Maintained per EU AI Act Article 11 and equivalent provisions in NIST AI RMF and ISO/IEC 42001.
- Human Oversight Protocol — describes how a human reviewer can challenge, override, or re-issue any automated tier decision, and the escalation paths for candidates and employers who dispute an output.
03 Trustworthy-AI principles we follow
Our internal AI policy is anchored on the seven characteristics from the NIST AI Risk Management Framework:
- Valid and reliable — measured on a held-out evaluation set; production drift monitored via the admin RAG dashboard.
- Safe — guarded by content filters and refusal patterns; emergency override available via the rescore endpoint.
- Secure and resilient — prompt-injection testing in the development cycle; rate limits + service-role gates on every write path.
- Accountable and transparent — every scoring run is logged with input, output, and model version; this page is part of that transparency.
- Explainable and interpretable — per-question score + judge feedback are surfaced to the candidate alongside the tier.
- Privacy-enhanced — see our Privacy Policy.
- Fair, with bias managed — bias-audit baseline is established within 90 days of public launch and re-run quarterly against accumulated production data.
04 Contact
Questions about our AI governance posture? Reach us via the contact page and mark your message "AI governance."