---
id: wiki-2026-0508-ai-거버넌스-정책-ai-usage-policy
title: AI Governance Policy (AI Usage Policy)
category: 10_Wiki/Topics
status: verified
canonical_id: self
aliases: [AI Usage Policy, AI 거버넌스 정책, AI policy framework, EU AI Act, NIST AI RMF, ISO 42001]
duplicate_of: none
source_trust_level: B
confidence_score: 0.85
verification_status: conceptual
tags: [ai-governance, policy, compliance, risk-management, eu-ai-act, nist-rmf, iso-42001, internal-policy]
raw_sources: []
last_reinforced: 2026-05-09
github_commit: pending
inferred_by: Claude Opus 4.7 (manual cleanup 2026-05-09)
tech_stack:
  language: process / policy
  applicable_to: [Compliance, Engineering, HR, Legal]
---

# AI Governance Policy (AI Usage Policy)

## 📌 One-Line Insight (The Karpathy Summary)

> **"Autonomy = responsibility."** A legal / ethical / security framework for an organization's AI adoption: regulation (EU AI Act) + internal policy + technical guardrails. **Not a ban, but sandbox + training + accountability.**

## 📖 Structured Knowledge (Synthesized Content)

### Core axes

1. **Acceptable Use**: the boundaries on each employee's use of AI tools.
2. **Data / IP Protection**: keeping sensitive data out of every prompt.
3. **Human-in-the-loop**: human review of every critical decision.
4. **Accountability**: a legal / financial owner for every AI-caused harm.
5. **Transparency**: disclosure of AI use to every user.
6. **Bias / Fairness**: auditing differential treatment of each group.
7. **Compliance**: mapping to each regulation (EU AI Act, GDPR, ...).

### Key regulations (2024-2026)

| Regulation | Region | Key |
|---|---|---|
| **EU AI Act** | EU | Risk-based (4 tiers). High-risk = strict (2026 enforcement). |
| **NIST AI RMF** | US | Voluntary framework. 4 functions: Govern/Map/Measure/Manage. |
| **ISO 42001** | Global | AI management standard for organizations (certifiable). |
| **US EO 14110** | US | Federal AI guidance. |
| **China AI Reg** | China | Strict on generative AI (2023+). |
| **UK AI White Paper** | UK | Pro-innovation, sector-specific. |
| **Korea AI Act** | KR | 2025 enforcement scheduled. |

### EU AI Act risk tiers

1. **Unacceptable**: social scoring, manipulation, biometric mass surveillance → ban.
2. **High-risk**: HR, education, law enforcement, critical infra → strict (audit, doc, human oversight).
3. **Limited risk**: chatbot, deepfake → transparency.
4. **Minimal**: spam filter → no requirement.

→ Each organization classifies its own use cases: "which tier is my AI use case in?"

### Internal policy structure

1. **Scope & Definitions**: the definition of "AI".
2. **Approved tools**: ChatGPT (Enterprise), Claude (Pro), GitHub Copilot, Cursor, internal LLM, ...
3. **Prohibited tools**: free ChatGPT (data leak), unverified plugins, ...
4. **Acceptable use**: brainstorming, drafting, code assistance OK. No input of customer data.
5. **Prohibited use**: any sensitive data, deepfakes, automated hiring decisions (without review).
6. **Data classification**: public, internal, confidential, restricted.
7. **Approval workflow**: IT + legal + security review of every new tool.
8. **Training requirement**: annual AI literacy training for every employee.
9. **Incident response**: reporting + escalation of every misuse.
10. **Audit**: quarterly / yearly review.

### Details of common items

#### Data classification

- **Public**: marketing copy → any AI tool OK.
- **Internal**: project plan → enterprise AI only (data not used for training).
- **Confidential**: customer data, financial → strict approval only.
- **Restricted**: PHI, PII, source code (proprietary) → no cloud AI at all.

#### Human-in-the-loop

- **High-risk decision** (hire, fire, loan, medical): the AI recommends, a human makes the final decision.
- **Medium-risk** (content publish): review of every AI output.
- **Low-risk** (spam classification): automated OK.

#### Audit log

- For every AI tool call: user, timestamp, prompt summary, output summary.
- Detection of sensitive data.
- Anomalies (largest queries, off-hours use).

→ Evidence for compliance.

### Industry specifics

- **Healthcare** (HIPAA, FDA): medical AI is handled separately.
- **Finance** (SOC 2, FFIEC): bias audit, explainability.
- **Legal**: privilege protection, billing (AI-assisted = client disclosure).
- **Education**: student data (FERPA), academic integrity.
- **Government**: classified info, FOIA implications.

### Sandbox approach

**Bad**: "Ban all AI" → shadow IT + competitive disadvantage.

**Good**: controlled experimentation for every employee:

- An approved tool list.
- Each use case is OK after review.
- Internal LLM (privacy-friendly).
- Quarterly review of new tools.

### Vendor management

- A DPA (Data Processing Agreement) with every AI vendor.
- Training data clause: "my data is not used for training".
- Sub-processor list.
- Geographic data location.
- Termination + data deletion.
- Liability.

→ Responsibility of the procurement team.

### IP / copyright

- **Ownership of AI-generated content**: differs by country (the US recognizes only human authorship).
- **Training data licenses**: copyright lawsuits in progress (NYT vs OpenAI).
- **Code generation**: license contamination (GitHub Copilot lawsuit).
- **Originality of AI output**: does the user hold the copyright?

→ Consult a legal expert for each case.

### Bias / Fairness audit

- Differential outcomes for each sensitive attribute (gender, race, age).
- Statistical parity / equal opportunity / calibration.
- Counterfactual fairness.
- Audit before every release.

```python
# Simple bias check
from aif360.metrics import BinaryLabelDatasetMetric

# `dataset` is an aif360 BinaryLabelDataset with 'gender' as a protected attribute
metric = BinaryLabelDatasetMetric(
    dataset,
    privileged_groups=[{'gender': 1}],
    unprivileged_groups=[{'gender': 0}]
)
print(metric.disparate_impact())  # < 0.8 = potential bias
```

### Disclosure / labeling

- Labeling of AI-generated content (EU AI Act).
- Chatbot disclosure.
- Deepfake watermark.
- "This is AI" notice on customer-facing AI.

### Incident response

1. **Detection**: monitoring alert / user report.
2. **Containment**: disable the tool.
3. **Investigation**: root cause of the misuse.
4. **Remediation**: data deletion, user notification.
5. **Lesson learned**: policy update + training.

## 💻 Patterns (policy implementation)

### Policy template (markdown)

```markdown
# AI Usage Policy v1.0

## Scope
This policy applies to all employees, contractors, and partners using AI tools for company work.

## Definitions
- AI tool: any system using ML / LLM (ChatGPT, Claude, Copilot, ...).
- Sensitive data: customer PII, financial, source code.

## Approved Tools
- ChatGPT Enterprise (data not used for training).
- Claude (Pro / Team).
- GitHub Copilot Business.
- Cursor (with privacy mode).

## Acceptable Use
- Drafting, brainstorming, code assistance.
- Research and summarization.
- Translation.

## Prohibited Use
- Inputting customer PII or financial data.
- Generating fake content for deception.
- Automated decisions affecting employees (hire/fire).

## Data Classification
- See [data classification guide](#).

## Human Oversight
- Critical decisions: human final review.
- Customer-facing content: human approval.

## Reporting
- Misuse: report to ai-policy@company.
- Incidents: privacy@company within 24h.

## Training
- Annual AI literacy training (mandatory).
- New hire onboarding (within first month).

## Review
- This policy reviewed quarterly by AI Council.
- Last updated: 2026-05-09.
```

### DLP (data loss prevention) check

```python
import logging
import re

SENSITIVE_PATTERNS = [
    r'\b\d{3}-\d{2}-\d{4}\b',          # SSN
    r'\b4\d{12,15}\b',                 # credit card (Visa)
    r'(?i)password\s*[:=]\s*\S+',
    r'(?i)api[_-]?key\s*[:=]\s*\S+',
]

def block_and_alert(prompt: str, pattern: str) -> None:
    # Placeholder alert hook: records which pattern fired, never the prompt itself.
    logging.warning("AI prompt blocked (%d chars), matched pattern %r", len(prompt), pattern)

def check_prompt(prompt: str) -> bool:
    """Return True if the prompt may be sent, False if it was blocked."""
    for pattern in SENSITIVE_PATTERNS:
        if re.search(pattern, prompt):
            block_and_alert(prompt, pattern)
            return False
    return True
```

→ Blocks prompts that contain sensitive data.

### Audit log

```ts
import { createHash } from "node:crypto";

// Hex-encoded SHA-256 digest of a string.
const sha256 = (s: string): string => createHash("sha256").update(s).digest("hex");

// `db`, `User` and `classifySensitivity` are application-specific and defined elsewhere.
async function auditAICall(user: User, tool: string, prompt: string, response: string) {
  await db.aiAuditLog.insert({
    userId: user.id,
    tool,
    promptHash: sha256(prompt),
    promptLength: prompt.length,
    responseHash: sha256(response),
    timestamp: new Date(),
    classification: classifySensitivity(prompt),
  });
}
```

→ Every call is logged in hashed form (the raw prompt is not stored, for privacy).
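
The DLP check and the hashed audit log above can be combined into a single gate; the following is an added example, not part of the original note. It goes one step beyond the note's code: card candidates are Luhn-validated to cut false positives, and the prompt digest is a keyed HMAC, because an unkeyed SHA-256 of a short or templated prompt can be confirmed by anyone able to guess the text. `AUDIT_KEY`, `scan_prompt` and `audit_record` are hypothetical names, and the key value is constructed for the demo.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone

# Assumption: in production this key comes from a secrets manager, not source code.
AUDIT_KEY = b"constructed-demo-key"

# Labelled versions of the patterns above; the card pattern also allows spaces/dashes.
PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b4\d(?:[ -]?\d){11,14}\b"),
    "password": re.compile(r"(?i)password\s*[:=]\s*\S+"),
    "api_key": re.compile(r"(?i)api[_-]?key\s*[:=]\s*\S+"),
}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and IDs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_prompt(prompt: str) -> list[str]:
    """Return the sorted labels of sensitive data types found in the prompt."""
    found = set()
    for label, rx in PATTERNS.items():
        for m in rx.finditer(prompt):
            if label == "card" and not luhn_ok(re.sub(r"\D", "", m.group())):
                continue
            found.add(label)
    return sorted(found)

def audit_record(user_id: str, tool: str, prompt: str) -> dict:
    """Audit entry holding a keyed digest and finding labels, never the raw prompt."""
    findings = scan_prompt(prompt)
    return {
        "user_id": user_id,
        "tool": tool,
        "prompt_hmac": hmac.new(AUDIT_KEY, prompt.encode(), hashlib.sha256).hexdigest(),
        "prompt_length": len(prompt),
        "findings": findings,
        "allowed": not findings,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }
```

The record stores which data types were found rather than the matched text, so the audit table itself does not become a second copy of the sensitive data.
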
### Approval workflow

```yaml
# .github/CODEOWNERS or similar
# Review of every new AI tool integration
# (trailing slash covers nested files; `ai_integrations/*` matches direct children only)
ai_integrations/ @ai-council @security-team @legal
*.policy.md @ai-council
```

### Monitoring (anomaly)

```sql
-- Unusual AI usage per user
SELECT user_id, COUNT(*) AS calls, SUM(prompt_length) AS chars
FROM ai_audit_log
WHERE created_at > NOW() - INTERVAL '7 day'
GROUP BY user_id
HAVING COUNT(*) > 1000  -- threshold
ORDER BY chars DESC;
```

### Bias audit (CI)

```python
# Per-release bias check
import logging
from collections import defaultdict

class BiasViolation(Exception):
    """Raised when per-group accuracy differs by more than the threshold."""

def compute_accuracy(results):
    return sum(y_true == y_pred for y_true, y_pred in results) / len(results)

def compute_fpr(results):
    # False positive rate over true negatives (binary 0/1 labels assumed).
    negatives = [y_pred for y_true, y_pred in results if y_true == 0]
    return sum(p == 1 for p in negatives) / len(negatives) if negatives else 0.0

def audit_bias(model, test_set):
    results_by_group = defaultdict(list)
    for x, y_true, group in test_set:
        y_pred = model.predict(x)
        results_by_group[group].append((y_true, y_pred))

    for group, results in results_by_group.items():
        accuracy = compute_accuracy(results)
        false_positive = compute_fpr(results)
        logging.info({'group': group, 'accuracy': accuracy, 'fpr': false_positive})

    # Fail if disparity > threshold
    accuracies = [compute_accuracy(r) for r in results_by_group.values()]
    if accuracies and max(accuracies) - min(accuracies) > 0.05:
        raise BiasViolation()
```

## 🤔 Decision Criteria

| Situation | Policy |
|---|---|
| Low-risk (spam filter) | Minimal policy + audit |
| Medium-risk (content moderation) | Human review + transparency |
| High-risk (HR, medical, finance) | Strict approval + audit + bias check |
| Public-facing AI | EU AI Act compliance + disclosure |
| Internal tool | Data classification + DLP |
| Vendor AI | DPA + sub-processor review |
| Introduction of a new tool | 30-day AI council review |

**Default**: Sandbox + transparency + human-in-the-loop. Neither "ban all" nor "allow all".

## ⚠️ Contradictions & Updates

- **Innovation vs control**: too strict = shadow IT (employees use personal accounts). Too loose = data leak.
- **Ambiguity in the EU AI Act**: the boundary of each tier is decided case by case.
- **Multi-jurisdiction**: each country has different regulation, so each employee's location becomes an issue.
- **Speed of change**: regulation is updated yearly; the policy is reviewed quarterly.
- **Vendor data assurance**: a "data not used for training" claim is hard to verify.

## 🔗 Knowledge Links (Graph)

- Parent: [[AI-Ethics]] · [[Risk_Management|Risk-Management]]
- Applications: [[NIST-AI-RMF]] · [[ISO-42001]]
- Technology: [[Model-Card]]
- Applications: [[AI Literacy]] · [[AI Accountability]]

## 🤖 LLM Usage Hints (How to Use This Knowledge)

**When to use this knowledge:**

- First draft of a company AI policy.
- Reviewing a vendor's DPA.
- Designing an AI tool approval workflow.
- Preparing for a compliance audit (EU AI Act, ISO 42001).
- Responding to an AI incident.
- Designing employee training.

**When not to use it:**

- Specific legal advice (lawyer).
- Implementing country-specific regulation (local counsel).
- Technical implementation details (engineer).
- Immediate crisis response (incident response team).

## ❌ Anti-Patterns

- **"All AI banned"**: shadow IT.
- **"All AI allowed"**: data breach.
- **No data classification**: sensitive data leaks.
- **No vendor DPA**: liability vacuum.
- **No audit log**: compliance failure.
- **No incident response**: the crisis is amplified.
- **No regular review**: the policy falls out of date with regulation.
- **One-size-fits-all**: each industry / role has different needs.

## 🧪 Validation Status

- **Information status:** verified (concept-level).
- **Source trust level:** B (NIST AI RMF, official EU AI Act text, published ISO 42001).
- **Reason for review:** Manual cleanup. Regulation is being actively updated. Review every 6 months.

## 🧬 Duplicate Check

- **Existing similar documents:** [[AI-Ethics]] (parent), [[AI Safety]] (related), [[AI Accountability]] (subset).
- **Handling:** KEEP (organizational governance focus).
- **Reason:** Policy is a distinct discipline (ethics + compliance + ops).

## 🕓 Changelog

| Date | Change | Handling | Confidence |
|------|--------|----------|------------|
| 2026-05-08 | P-Reinforce Phase 1 normalization | UPDATE | A |
| 2026-05-09 | Manual cleanup: added code patterns, regulation map, industry specifics, anti-patterns | UPDATE | B |