AI Guidelines¶
These guidelines are live and are updated as new opportunities arise and are evaluated.
There are at the moment a few outstanding items with the guidelines:
- The use of allowed AI tools as sketched out in these guidelines is possibly too binary, and the reality looks different. We are currently investigating how to make the AI Guidelines more pragmatic while still protecting DHI's interests.
- The location of these guidelines will likely move to a more visible place within the organisation.
1. Purpose and Scope¶
This guideline defines how all staff within DHI Group may safely and effectively use AI tools and services. Its purpose is to increase productivity and quality while ensuring that DHI Group's code, intellectual property, and client data remain protected at all times.
"AI" refers to tools and services that are trained on large sets of data and infer outputs based on the underlying distributions in the training data.
This includes but is not limited to:
- Text and Reasoning systems, such as: Copilot 365, Claude AI, ChatGPT, Gemini, etc.
- Visual & Media Generation, such as: Midjourney, Sora, Adobe Firefly
- Specialized and Multi-Agent systems, such as: GitHub Copilot, Claude Code, ChatGPT Codex, Gemini CLI, ElevenLabs, etc.
These tools and systems differ from traditional machine learning (ML) systems in the following ways:
- Generalisation - AI systems are trained on very large datasets, allowing them to answer questions across a wide range of topics (e.g. an LLM learning how to code), while traditional ML systems are scoped to one specific task (e.g. time-series prediction).
- Synthetic output - A traditional ML model is the result of a deterministic optimisation and, once "frozen", returns exactly the same result for the same input. Generative AI systems sample from a probability distribution, so they produce novel, synthetic content that may vary each time, even for the same input (e.g. ask ChatGPT for a cake recipe five times and you will get five different recipes). Fixing the sampling (e.g. a temperature of 0) makes the output more repeatable but does not make it correct.
- Evaluation and alignment - Traditional ML systems are evaluated against objective ground-truth labels using metrics such as accuracy or F1 score (e.g. did the model correctly classify the seagrass in the image?). Generative AI systems are instead "aligned" with techniques such as Reinforcement Learning from Human Feedback (RLHF) so that outputs are helpful and harmless; there is no single "correct" answer to a generative prompt.
Because these systems are generative and probabilistic rather than deterministic, they require specific usage guidelines to mitigate the unique risks of unpredictable outputs, data leakage, and intellectual property infringement.
Important: AI-generated content is never final. You must always review, verify, and take ownership of any output produced by an AI tool before using it in your work.
The guidelines cover three categories of AI usage:
- General Purpose AI tools - for everyday productivity tasks
- AI in Software Development - for software engineering work
- AI as a Value Add in Technology or Product - for integration into DHI products and solutions
See also:
- Getting Started & Best Practices - onboarding, guardrails, prompt engineering
- Accessing AI Tools - how to get access, onboarding, and which tool to choose
For DHI's corporate AI policy and data protection requirements, see the Using AI tools at DHI - What you need to know.
2. Roles to Apply¶
This guideline applies to the following roles within DHI Group:
- Architects
- Backend developers
- Frontend developers
- UX/UI designers
- Infrastructure/DevOps engineers
- Testers
- Data scientists / analysts
- Domain specialists
- Project engineers
- Product Owners/Project Managers
- Support engineers
- Consultants working on DHI intellectual property
- Any other DHI staff using AI tools in their work
These roles must ensure compliance with DHI's corporate AI guidance regarding secure sign-in, appropriate data handling, transparency in AI use, review of AI-generated content, and prompt incident reporting (see Report a Security Incident).
3. Why Enterprise AI Products?¶
When working with DHI internal or client data (Yellow or Red tier — see Usage Tiers), DHI Group requires the use of enterprise-grade AI products and not consumer or free-tier alternatives. For Green-tier tasks that involve no DHI or client data, well-known public AI tools may also be used (see Usage Tiers). Enterprise agreements provide critical safeguards that protect DHI's intellectual property, client data, and regulatory compliance:
| Capability | Why It Matters |
|---|---|
| Data training opt-out | Enterprise agreements contractually prevent AI providers from using DHI code, prompts, and data to train their models. Consumer versions typically use your inputs to improve their services by default; where an opt-out exists it is a user setting that can change or be reset, not a contractual commitment. |
| Security controls | Enterprise products integrate with DHI's identity management (SSO/MFA), enforce access policies, and meet SOC 2/ISO 27001 compliance standards. |
| Audit logging | Enterprise tiers provide comprehensive audit trails showing who accessed what, when, and what data was processed - essential for compliance, incident investigation, and demonstrating due diligence. |
| Data residency | Enterprise agreements allow DHI to specify where data is processed and stored, ensuring GDPR compliance and meeting client contractual requirements. |
| Support and SLAs | Enterprise products include dedicated support, uptime guarantees, and incident response commitments that consumer products lack. |
4. Governance¶
The AI CoE (Centre of Excellence) facilitates this guideline on behalf of DHI Group. The AI CoE can be reached at aicoe@dhigroup.com. The AI CoE:
- Facilitates the maintenance and update of the list of approved engineering AI tools and services
- Defines usage rules, safe-use guardrails, and access requirements
- Ensures alignment with Legal and IT Security requirements
- Oversees safe integration of AI capabilities across engineering teams
DHI Core IT manages the enterprise agreements for AI tools and services, handles licence procurement, and tracks usage across the organisation.
Important: No engineering team may introduce or pilot new AI development tools or AI-powered external services for use with DHI internal or client data (Yellow or Red tier — see Usage Tiers) without explicit approval from the AI CoE. Well-known public AI assistants may be used without approval for Green-tier tasks (no DHI/client data involved), as defined in the usage tiers below. The AI CoE's approval process includes coordination with DHI Core IT (for enterprise agreements and licence procurement) and Group Legal (for contractual and data protection review) as needed. For tool-specific approval status, see the approval tables in General-Purpose Tools, Development Tools, and External Services.
Review Cadence¶
The AI landscape is evolving rapidly, and these guidelines must keep pace. The AI CoE will review this document at least quarterly, or sooner when triggered by significant events such as new tool availability, regulatory changes or security incidents.
Training and Onboarding¶
These guidelines are only effective if staff understand and follow them. All engineering staff should be introduced to this guideline as part of onboarding, and existing staff should be made aware of updates when they occur. This will be published on Viva Engage. See the Getting Started & Best Practices page for practical onboarding guidance.
Non-Compliance and Enforcement¶
Violations of these guidelines - such as using unapproved tools, submitting confidential data to public AI services, or committing unreviewed AI-generated code - can expose DHI to data breaches, licence violations, and client trust issues. In particular, using consumer or free-tier AI tools with DHI source code risks that code being ingested into model training data, permanently compromising DHI's intellectual property with no ability to retract it. Staff who become aware of a violation should report it through the existing security incident process Report a Security Incident. Repeated or deliberate non-compliance will be escalated to the individual's line manager and, where appropriate, to DHI's IT Security and Legal teams for further action in accordance with DHI's HR policies.
Cost Management and Licensing¶
AI tools represent a recurring cost through seat-based and consumption-based pricing that scales with headcount and usage. As with other IT costs, DHI Core IT procures AI tool licences centrally under enterprise agreements and allocates costs back to each department based on usage.
DHI Core IT will track usage and report on a monthly basis and periodically review whether seats are being actively used, as unused seats represent wasted spend. The AI CoE and Core IT will provide visibility into overall AI tool adoption and cost across the organisation to support budgeting and procurement decisions.
5. Quality Control and Accountability¶
AI tools can dramatically accelerate work, but they do not reduce the standard of quality expected from DHI staff. Whether you are writing code, drafting a document, or producing a client deliverable, you are fully accountable for any output you use, commit, or deliver - regardless of whether it was generated by an AI tool or written by hand.
Human in the Loop¶
A human must remain in control at every stage of AI-assisted work. AI tools are assistants, not decision-makers:
- Before - Scope what the AI can access and assess whether the task is appropriate for AI assistance
- During - Monitor what the AI is doing; intervene if it drifts, hallucinates, or accesses something it shouldn't
- After - Review, test, and validate the output before using it. Never accept AI output without verification
Removing the human from the loop - for example by auto-committing AI-generated code, blindly copying AI-drafted documents, or letting an agent run without oversight - is a violation of these guidelines.
Applies to All AI Usage¶
While the points above emphasise software development, the same principle of accountability applies to all categories of AI usage covered by these guidelines. Staff using general-purpose AI assistants for documents, presentations, or analysis are equally responsible for verifying accuracy, protecting sensitive information, and ensuring the output meets DHI's professional standards before sharing or delivering it.
For practical guidance on guardrails and reviewing AI output, see Getting Started & Best Practices.
Developer Responsibility¶
For software development specifically, the developer who commits AI-assisted code bears the same responsibility as if they had written every line themselves:
- You must understand the code - if you cannot explain what it does and why, do not commit it
- You must test the code - AI-generated code is subject to the same build, lint, unit test, and integration test requirements as any other code
- You must review the code - use the standard pull request and peer review process; AI involvement does not exempt code from review
- You must own the code - if a bug, vulnerability, or licence issue is found later, accountability rests with the committer, not the AI tool
6. Data Protection - Applies to All AI Usage¶
Regardless of the AI tool or service category, the following rules always apply:
Correct classification is the primary safeguard. DHI's data classification labels are technically enforced: content labelled Confidential or Strictly Confidential – No Microsoft Copilot is automatically blocked from Microsoft 365 Copilot across SharePoint, Outlook, and OneDrive. Copilot cannot read, surface, or summarise this content, even during a broad search or when an agent acts on your behalf. The Green/Yellow/Red usage tiers below apply to any data that has not yet been correctly classified — the technical control cannot protect what is unlabelled or mislabelled, so classify your data correctly first.
Data Sensitivity Tiers¶
Not all internal data carries the same risk. DHI's ISO 27001 information security management system already defines a classification scheme for data (see How to classify data?). If data has not yet been classified according to that scheme, use the following tiers to help assess what is appropriate to share with AI tools:

Figure 1: DHI's data classification labels.
| Data Tier | Examples | AI Usage |
|---|---|---|
| Public | Open-source code, published documentation | Freely usable with any approved or Green-tier tool (see Usage Tiers) |
| Internal | Coding standards, architecture patterns, internal wikis, non-sensitive project documentation, advisory / software projects, product source code, proprietary algorithms, production schemas, infrastructure diagrams, security configurations, internal API designs | Allowed with DHI-approved tools only (Yellow tier) |
| Confidential / PII | Client data, credentials, personal data, secure tokens, production configurations | Requires written client consent and anonymisation where possible. Credentials and secrets must never be shared with AI tools (Red tier) |
Usage Tiers¶
The data sensitivity tiers above determine which AI tools you may use. This applies universally — whether you are drafting an email, writing code, or evaluating an AI service for a product.
| Tier | Data Involved | Allowed Tools | Examples |
|---|---|---|---|
| Green | No DHI internal or client data | DHI-approved tools + well-known public AI tools (ChatGPT, Gemini, Claude AI, Perplexity, etc.) | Researching a technology, learning a new concept, asking how to write a retry policy in C#, generating stock images, brainstorming generic ideas |
| Yellow | Non-confidential DHI or client information (Internal sensitivity) | DHI-approved tools only (MS 365 Copilot, GitHub Copilot, Claude Code). Other tools require approval from the AI CoE, which coordinates Legal and IT Security review, before use (see Governance) | Drafting internal emails, summarising non-sensitive project documents, writing code against DHI repositories, creating status reports |
| Red | Confidential client data or PII | DHI-approved tools only, and only after written client consent has been obtained (see standard contract clauses) | Processing client deliverables, analysing data containing personal information |
How to assess your tier: Before using any AI tool, ask yourself: "Does my prompt contain DHI internal information or client data?" If the answer is no, you are in the Green tier. If it contains non-confidential internal or client information, you are in Yellow. If it contains confidential data or PII, you are in Red. When in doubt, treat your use case as the higher tier. For detailed classification guidance, see How to classify data?
Each category page lists which specific tools are approved for that context:
- General-Purpose AI Tools — productivity tools like MS 365 Copilot
- AI in Software Development — coding tools like GitHub Copilot and Claude Code
- AI as a Value Add in Technology or Product — AI services integrated into DHI products
Rules That Always Apply¶
Use the data sensitivity tiers and usage tiers above to classify your data and select appropriate tools before sharing anything with an AI tool. In addition:
| Requirement | Details |
|---|---|
| Anonymise where possible | When working with data that could identify individuals, clients, projects, or internal systems, anonymise before including in prompts (e.g., customer.name → CUSTOMER_A, email → user@redacted, keys → \<secret>, project names → PROJECT_X). Anonymised or synthetic data may be used with explicit approval. |
| Written consent is required | Sharing confidential client data with any AI service requires written client consent as per DHI's corporate AI guidance. The client must be informed how their data will be used and for what specific purpose. |
| Incident reporting | If sensitive information is accidentally entered into an AI system, report it immediately to DHI IT (see Report a Security Incident). Do not try to "undo" it yourself by deleting the conversation; the report is what triggers the provider-side follow-up. |
Ensure that data provided to AI tools is appropriately classified - see How to classify data?. For full data protection policies, refer to the Using AI tools at DHI - What you need to know.
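The "Anonymise where possible" rule is easiest to follow consistently when the substitution is done by a small local script rather than by hand. The following Python helper is an added example and is not code from the DHI guidelines or from any DHI tool: it drops secrets (key/value assignments, an AWS-style access key ID, bearer tokens) to a fixed marker that is never stored, pseudonymises e-mail addresses, IP addresses and known project names with stable placeholders, and keeps the placeholder-to-original mapping on the user's machine so the AI's answer can be mapped back afterwards. The regexes, placeholder names and the sample prompt are assumptions chosen for illustration.

```python
"""Prompt redaction helper: strip secrets and pseudonymise identifiers
before text is sent to an AI tool.

Added example, not code from the DHI guidelines. The regexes, the
placeholder names (EMAIL_n, IP_n, PROJECT_n) and the sample prompt are
assumptions made for illustration; extend KNOWN_NAMES and the patterns to
match your own environment.
"""
import re
from typing import Dict, List, Tuple

# Secrets are replaced by a fixed marker and are never kept, not even in the
# local mapping: there is no legitimate reason for a secret to reach the model.
# Each entry is (pattern, replacement template for re.sub).
SECRET_PATTERNS = [
    # key = value assignments such as password=..., api_key: ..., token = ...
    (re.compile(r"(?i)\b(?P<label>api[_-]?key|secret|token|password|pwd)"
                r"(?P<sep>\s*[:=]\s*)\S+"),
     r"\g<label>\g<sep><secret>"),
    # AWS access key IDs (a fixed-format credential; pattern is an assumption)
    (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "<secret>"),
    # HTTP bearer tokens
    (re.compile(r"(?i)\bBearer\s+[A-Za-z0-9._~+/=-]{16,}"), "Bearer <secret>"),
]

# Identifiers are pseudonymised with a stable placeholder so the prompt stays
# readable and the AI output can be mapped back afterwards.
PSEUDO_PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]

# Client/project names to pseudonymise (constructed for this example).
KNOWN_NAMES = ["Acme Harbour Study", "Nordport Municipality"]


def redact(text: str, known_names: List[str]) -> Tuple[str, Dict[str, str]]:
    """Return (redacted text, placeholder -> original mapping).

    The mapping must stay on the user's machine; it is what makes the
    pseudonymisation reversible and must never be sent with the prompt.
    """
    mapping: Dict[str, str] = {}
    reverse: Dict[str, str] = {}
    counters: Dict[str, int] = {}

    def placeholder(kind: str, original: str) -> str:
        # Same original value -> same placeholder, so references stay consistent.
        if original not in reverse:
            counters[kind] = counters.get(kind, 0) + 1
            reverse[original] = f"{kind}_{counters[kind]}"
            mapping[reverse[original]] = original
        return reverse[original]

    # 1. Secrets first, so a token that happens to look like an e-mail or a
    #    project name is dropped rather than pseudonymised and stored.
    for pattern, replacement in SECRET_PATTERNS:
        text = pattern.sub(replacement, text)

    # 2. Known names, longest first so "Acme Harbour Study" wins over "Acme".
    for name in sorted(known_names, key=len, reverse=True):
        if name in text:
            text = text.replace(name, placeholder("PROJECT", name))

    # 3. Remaining identifiers matched by pattern.
    for kind, pattern in PSEUDO_PATTERNS:
        text = pattern.sub(lambda m, k=kind: placeholder(k, m.group(0)), text)

    return text, mapping


def restore(text: str, mapping: Dict[str, str]) -> str:
    """Put the original identifiers back into the AI's answer.

    Longest placeholders first so PROJECT_10 is not clobbered by PROJECT_1.
    Secrets were never stored, so they stay as <secret>.
    """
    for ph, original in sorted(mapping.items(), key=lambda kv: len(kv[0]), reverse=True):
        text = text.replace(ph, original)
    return text


# Constructed sample prompt containing the kinds of data the rule is about.
SAMPLE_PROMPT = (
    "Summarise the outage for Acme Harbour Study. Contact anna.lind@example.com "
    "or ops@example.org. The collector at 10.20.30.40 failed after we rotated "
    "api_key=sk-live-9f8e7d6c5b4a and AKIAABCDEFGHIJKLMNOP; the app sent "
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.abc.def"
)

if __name__ == "__main__":
    safe, local_map = redact(SAMPLE_PROMPT, KNOWN_NAMES)
    print(safe)       # this is what may go to the AI tool
    print(local_map)  # this stays local
```

Two design choices matter more than the particular regexes. Secrets are deliberately handled differently from identifiers: an identifier is pseudonymised and recorded so the AI's answer remains useful, whereas a secret is dropped outright and never written anywhere, because a lookup table of live credentials is itself a finding. Second, over-redaction is the safe direction: a version string that happens to look like an IP address becomes IP_n and the prompt still reads fine, while a secret in a format the patterns do not know about goes through untouched. Treat a script like this as a safety net that makes the rule cheap to follow, not as a guarantee; still read the redacted prompt before sending it, and add patterns for the credential formats used in your own projects.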
7. Intellectual Property, Copyright, and Transparency¶
Intellectual Property and Copyright¶
AI-generated content exists in a legal grey area. Most jurisdictions do not grant copyright protection to purely AI-generated works, which means code or text produced by AI may not be protectable as DHI intellectual property. Additionally, AI models trained on open-source or third-party code may reproduce fragments that carry licence obligations (e.g. GPL, AGPL), potentially creating compliance risks if included in DHI products. Teams should treat AI-generated output as a starting point that must be reviewed as if it had been written by staff, then modified and integrated by a human author, to ensure both legal defensibility and licence compliance.
AI-Generated Images, Video, and Audio¶
AI-generated media (images, video, audio) is not copyrightable in most jurisdictions and DHI cannot claim IP protection over it. AI image generators may also reproduce copyrighted training data, creating infringement risk. The EU AI Act (Article 50) requires AI-generated media to be labelled as such.
- Client-facing and external use - Must be clearly marked as AI-generated. Review output for recognisable third-party content
- Internal use - May be used freely but should be labelled as AI-generated when shared
Transparency and Disclosure¶
Some client contracts, industry regulations, or procurement frameworks require disclosure when AI has been used in producing deliverables, reports, or software. Teams should assess whether client agreements contain clauses around AI usage and proactively communicate with project managers and clients when AI has materially contributed to a deliverable. Where no explicit requirement exists, DHI should still default to transparency as a matter of professional integrity and trust.
8. Prohibited AI Tool Categories¶
Certain categories of AI tools are prohibited at DHI regardless of the data tier involved, because they are fundamentally incompatible with DHI's requirements for human oversight, data protection, and accountability.
AI Browser Agents¶
AI browser agents — tools that autonomously navigate the web on behalf of the user (e.g. OpenAI Atlas, Browser Use, Anthropic Computer Use, Google Project Mariner, MultiOn) — are not approved for use at DHI.
Why: AI browser agents run inside the user's authenticated browser session, so they inherit every logged-in account and stored credential; they send page content to a cloud AI for processing; and because their actions look like ordinary user browsing, corporate controls such as proxies and DLP cannot distinguish them from the user. Critically, they are vulnerable to prompt injection: instructions hidden in a web page (for example in invisible text, HTML comments or an image) can hijack the agent into exfiltrating data or downloading malicious files, and the user may never see the instruction that caused it.
Fully Autonomous AI Agents¶
Fully autonomous AI agents — tools that independently perform tasks with shell access, browser control, email, messaging, and other system integrations, operating in a loop without requiring human approval per action (e.g. OpenClaw, AutoGPT, OpenHands/OpenDevin, Devin) — are not approved for use at DHI.
Note: This does not apply to DHI-approved agentic tools such as GitHub Copilot (agent mode) and Claude Code, provided they are run in their default mode in which the user reviews and approves each tool call. Both tools can be configured to auto-approve actions or bypass permission prompts; doing so removes the per-action human review and falls under the Human in the Loop requirement above.
Why: These agents operate autonomously with broad system access — executing shell commands, sending emails, accessing calendars, browsing the web, and interacting on messaging platforms on behalf of the user, all without per-action human approval. Misconfigured or exposed instances create serious security and privacy risks, as the agent may transmit credentials, proprietary data, or client information to external AI providers or third-party services without oversight.