Generative AU Use.pdf

Full Transcript

GENERATIVE ARTIFICIAL
INTELLIGENCE USE
POLICY
EBSCO Industries Policy

Abstract
Designed to outline guidelines and principles for all users within the EBSCO Industries
Inc. on the acceptable and responsible use of Generative AI technologies.

CorpIT Information Security
 CORPORATE IT - INFORMATION SECURITY
Generative AI Use Policy

Contents
1. Objective............................................................................................................... 2
2. Scope.................................................................................................................... 2
3. Document References......................................................................................... 2
4. Definitions............................................................................................................. 2
5. Policy Provisions................................................................................................. 3
6. Enforcement......................................................................................................... 5
7. Policy Priority....................................................................................................... 5

Page 1 of 5
 CORPORATE IT - INFORMATION SECURITY
Generative AI Use Policy

1. Objective
This Generative AI Tools Usage Policy (“Policy”) outlines the guidelines and procedures
to ensure the secure and responsible use of generative artificial intelligence (“AI”) by the
employees of EBSCO Industries, Inc. (the “Company”). The purpose of this Policy is to
create the best experience for customers, safeguard company information, maintain
data privacy, prevent misuse, and promote ethical practices when using generative AI
systems.

AI tools, such as ChatGPT, Copilot, Gemini, and CodeWhisperer (“AI Tools”), serve
many purposes, including expanding learning, improving workflow, and inspiring
creativity. Use of these tools also involves risk, both in connection with the query,
prompt, or information provided to the tool, and in connection with the content the tool
generates. This Policy is designed to mitigate those risks to the extent possible.

2. Scope
This Policy applies, without exception, to all personnel, employees, subcontractors,
interns, and consultants of EBSCO Industries (“Company”). The Company may also
request that external personnel working with the Company in a partnership, strategic
investment, and/or advisory capacity abide by this Policy.

3. Document References
3.1 Data Classification and Handling Policy
3.2 Data Classification and Handling Manual

4. Definitions
4.1. Generative AI: A type of artificial intelligence system capable of generating
text, images, or other media in response to prompts. Generative AI models
learn the patterns and structure of their input training data, and then they
generate new data that has similar characteristics.
4.2. Commercial AI Tools: Software applications or tools that are developed,
marketed, and sold by commercial entities for business or professional use.
These tools are licensed with contract terms and managed by an application
owner/department within the Company.
4.3. Consumer AI Tools: Software applications or tools designed for individual or
personal use by consumers. These tools are often widely available, user-
friendly, and cater to a broad audience. While consumer-grade tools may be
suitable for personal tasks and basic needs, they may lack the advanced
features, security measures, and scalability required for organizational use.
4.4. Data Usage: This context refers to the purposes for which data input into AI
Tools can be used, the individuals or entities authorized to access it, and the
safeguards in place to protect confidentiality.
4.5. Prohibited Content: Any content which violates common decency, public
order, and applicable laws. Such content includes, but is not limited to,

Page 2 of 5
 CORPORATE IT - INFORMATION SECURITY
Generative AI Use Policy

content that is obscene, violent, harassing, intimidating, defamatory, biased,
discriminatory, or otherwise illegal.

5. Policy Provisions
5.1. Authorized Use
5.1.1 You may not use AI Tools for Company business, except as specifically
permitted by this Policy. Any such use is subject to this Policy and the
Company’s Acceptable Use Policy, Information Security Policy, and
Privacy Policy.
5.1.2 In places where this Policy directs you to seek approval from a Company
representative, or if you have any other questions about this Policy or wish
to discuss specific use cases, please contact the Corporate IT
Governance, Risk, and Compliance (GRC) department
([email protected]).

5.2. Permitted AI Tools
5.2.1 Commercial AI Tools are permitted only for Public, Internal, and
Confidential data provided legal and security approval.
5.2.2 Consumer AI Tools are permitted only for Public and Internal data
provided legal and security approval.
5.2.3 Consumer AI Tools usage must be configured to disable training of the
underlying generative AI model. Otherwise, only public data is permitted.
5.2.4 Please see the EBSCO Generative AI Tools Standard which lists
approved AI Tools. This list is subject to change and is evaluated by legal
and security for policy compliance and Data Usage.
5.2.5 Commercial AI Tools should be used over Consumer AI tools if the
desired capability exists.
5.2.6 If you wish to use any other AI Tools for Company business, you must first
obtain approval from the Corporate IT GRC department
([email protected]).

5.3. Purpose of Use
5.3.1 The purpose of use of Commercial AI Tools is defined based on the
business domain, setup, and configuration by the business owner.
5.3.2 The purpose of use of Consumer AI Tools is assistance with general
knowledge tasks.
5.3.3 AI Tools may not be used to:
i. Engage in fraudulent or illegal activities.
ii. Generate Prohibited Content.
iii. Generate content that you claim to have created yourself or to be
created without AI Tools.
iv. Engage in regulated activities, including the practice of law or
provision of financial, medical, or other professional advice.

Page 3 of 5
 CORPORATE IT - INFORMATION SECURITY
Generative AI Use Policy

v. Make decisions that would materially affect an individual (e.g.,
decisions that would have a legal or similarly significant effect, such
as decisions regarding hiring or evaluation of Company personnel).
AI Tools should be used only to support – not make – decisions.

5.4. Inputting Information
5.4.1 Assume that any information provided to Consumer AI Tools could
become Public.
5.4.2 Do not input Restricted Data into an AI Tool prompt. If there are data
classification questions, please contact the Corporate IT GRC Department
or the Legal Department.

5.5. Using Output Generated by AI Tools
The following rules and guidelines apply to the use of any AI generated material or
content (output) in Company content or a Company product:
5.5.1 All AI generated content should be TREATED AS A DRAFT that you
review and revise as needed.
5.5.2 VERIFY THE ACCURACY of any AI generated content that purports to be
factual using independent sources; do not rely on sources cited by the AI
Tool, which can be inaccurate.
5.5.3 SCAN ALL SOFTWARE CODE which is AI-generated with open-source
and commercial-license tools before including any such code in Company
software (if you determine that AI-generated code is covered by a license,
you must first discuss with the Legal Department whether such code may
be used in Company software).
5.5.4 DO NOT USE any AI-generated images in external Company materials
without approval of the Legal Department.
5.5.5 If an AI-generated output refers to or contains any third-party names, trade
names, trademarks, or logos, DO NOT USE the output unless you have
confirmed with the Legal Department that such use is allowed.
5.5.6 DO NOT USE any output that may contain Prohibited Content.

5.6. Changes to this Policy
The following rules and guidelines apply to the use of any AI-generated material or
content (output) in Company content or Company products:
5.6.1 This Policy may change at any time. If it does change, the updated
version will be posted in PolicyTech (unless another type of notice is
required by applicable laws).
5.6.2 By using AI Tools in the course of or in connection with your employment
or other relationship with the Company, you agree to follow this Policy,
along with any changes thereto.

Page 4 of 5
 CORPORATE IT - INFORMATION SECURITY
Generative AI Use Policy

5.7. Monitoring and Reporting
5.7.1. Company management will verify compliance with this Policy through
various methods, including but not limited to periodic review, business tool
reports, internal and external audits, and feedback to the policy owner.
5.7.2. Exceptions to this Policy will only be allowed if approved by the Corporate
IT GRC and verified by Corporate Information Security.

6. Enforcement
Failure to comply with this Policy may result in disciplinary actions, up to and including
termination of employment or contract.
Employees are encouraged to report any violations or concerns related to this Policy
through the Corporate IT GRC Department or the Legal Department. All reports or
inquiries will be treated confidentially.

7. Policy Priority
This corporate policy takes precedence over all policies derived from or published by
business units or other EBSCO affiliated companies. In the event of a conflict between
the terms of policies, the corporate policy will apply.

Page 5 of 5