Volver a plantillas de gobernanza de IA
Data and Security AI Policies

AI Sensitive Data Handling Policy

Dictates encryption, masking, and access for sensitive AI data.

Responsable: Security Architect

Objetivo

Protect sensitive data (PII, PHI, PCI, trade secrets) used in AI systems by establishing technical and procedural safeguards that align with security and privacy regulations.

Alcance

Covers data ingestion, storage, processing, model training, inference, logging, and sharing of any sensitive data handled by AI solutions or supporting infrastructure.

  • Training datasets containing personal or regulated information
  • Inference payloads with user content or confidential business data
  • Derived embeddings or feature vectors storing sensitive attributes
  • Logs, prompts, and model outputs likely to expose confidential data

Definiciones

  • Sensitive Data: Information classified as Confidential or higher under the organization’s data classification policy (PII, PHI, PCI, financial, legal, trade secrets).
  • Masking: Technique to obfuscate sensitive fields while preserving format or utility.
  • Break-Glass Access: Emergency access workflow requiring post-hoc approval and logging.

Política

Sensitive data must remain encrypted in transit and at rest, and must be masked or tokenized before entering lower environments or third-party tools. AI engineers may only access sensitive datasets through approved secure workspaces. Any export or sharing must be logged and approved by Security and Privacy.

Roles y responsabilidades

Security Architect defines encryption/masking standards. Data Governance classifies datasets and maintains access reviews. Engineering implements secure enclaves and secrets management. Privacy monitors compliance with consent and purpose limitations.

Procedimientos

Handling sensitive AI data requires:

  • Data classification tagging before ingestion into AI pipelines.
  • Encryption using approved algorithms and key management systems.
  • Masking or tokenization prior to use in dev/test environments.
  • Just-in-time access provisioning with MFA and session logging.
  • Break-glass workflows for emergency access with post-review.
  • Automated scanning of logs/prompts to prevent sensitive output leakage.

Excepciones

Exceptions (e.g., unmasked access for debugging) must be approved jointly by Security and Privacy. Each exception must specify time-bound access, compensating controls, and follow-up validation.

Frecuencia de revisión

Security reviews control effectiveness quarterly, including penetration tests and data loss prevention (DLP) scans. Access reviews occur at least every 90 days.

Referencias

  • ISO/IEC 27001 Annex A (Access control, cryptography)
  • NIST SP 800-53 (Access Control, Audit, Identification & Authentication)
  • Internal documents: Data Classification Policy, Secrets Management SOP, Secure Workspace Runbook

¿Listo para implementar esta política?

Use VerifyWise para personalizar esta plantilla de política, desplegarla y hacer seguimiento del cumplimiento.

Comenzar gratisExplorar todas las plantillas
AI Sensitive Data Handling Policy | Plantillas de gobernanza de IA de VerifyWise