AI Governance

How our AI systems make decisions, explain their reasoning, and keep humans in control at every step.

What we do

OpenScouter runs four AI agents across the testing pipeline. Every agent is classified into a three-tier governance system that determines what data it can access and what human approval it requires before running.

  • Tier 1 (Regulated) — Analyst, Report Writer, Synthesizer. These agents process special-category data (ND profiles, emotion scores) and produce compliance-relevant outputs. They are hard-blocked without a time-bounded admin approval record per study. Any blocked attempt is logged to the audit trail.
  • Tier 2 (Client-Facing) — Chat Guide (Scouty). Operates within defined guardrails during active tester sessions. No per-session admin gate, but never receives raw biometric data or tester identity.
  • Tier 3 (Internal) — Scoring pipeline, content engine. Internal-only operations. No client data exposure. No compliance-relevant outputs.

Human-in-the-loop controls

  • The notes_confirmed gate — No report is generated until the tester reviews and confirms their own session observations. This gate applies to both individual reports (Agent 3) and cross-tester synthesis (Agent 4). No automated bypass exists in the codebase.
  • Emotion abstraction — Raw facial emotion scores (for example, anger: 0.72) are converted to four abstract tone profiles (standard, supportive, moderate, restorative) before reaching any AI agent. The live chat AI never sees raw emotional states.
  • Identity stripping — AI agents receive anonymous labels such as “Tester 1” and “Tester 2”. Tester names, emails, and database IDs are never sent to AI providers.

How it works

  • Data-minimising cascade — Each AI agent receives the previous agent's output summary, not raw session data. Agent 3 receives Agent 2's analysis notes. Agent 4 receives Agent 3's reports. AI providers never receive webcam frames, full voice recordings, or tester names.
  • Bayesian framing mandated — All reports use probability language, not p-values. Simpson's paradox detection is built into the scoring pipeline.
  • Positive framing rule — Findings describe accessibility barriers as design problems, never user deficits. “Dyslexic testers identified X” not “struggled with X”. This rule is enforced in AI system prompts.

Audit trail and accountability

  • Every AI call logged — Each AI invocation records: which agent, which model, whether a fallback was used, prompt hash (SHA-256), anonymised input and output summaries, token counts, and latency. Audit logs never contain raw biometric data or tester identities.
  • Retained for 2 years — Aligned with FCA SM&CR record-keeping expectations for AI governance documentation.
  • Per-study governance reports — Exportable as branded PDF or structured JSON. Each report includes: AI processing timeline, per-agent summary, model version log, data lineage, and FCA Consumer Duty mapping. PDF and JSON are rendered from the same stored artifact, so the two formats always carry identical data.
  • Model version tracking — Model changes are detectable across the agent run history. Governance reports surface a model version change log per study.
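The Tier 1 approval gate described under "What we do" and the per-call audit record described above, as a small added Python model that is not OpenScouter's own code; the agent names, the in-memory approval and audit structures, and the word count used as a token stand-in are assumptions:

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Hypothetical stand-in for the page's Tier 1 agent set and audit trail; not OpenScouter's own code.
TIER1_REGULATED = {"analyst", "report_writer", "synthesizer"}
AUDIT_TRAIL: list = []  # constructed in-memory audit log

@dataclass(frozen=True)
class AdminApproval:
    study_id: str
    expires_at: datetime  # approvals are time-bounded, one per study

class GateBlocked(Exception):
    """A Tier 1 agent was invoked without a live per-study approval."""

def approval_valid(approvals: dict, study_id: str, now: datetime) -> bool:
    rec = approvals.get(study_id)
    return rec is not None and rec.expires_at > now

def audit_record(agent, model, fallback, prompt, input_summary, output_summary, status) -> dict:
    # Only the SHA-256 of the prompt is kept; the prompt text itself never enters the log.
    rec = {"agent": agent, "model": model, "fallback_used": fallback,
           "prompt_sha256": hashlib.sha256(prompt.encode("utf-8")).hexdigest(),
           "input_summary": input_summary, "output_summary": output_summary,
           "tokens": len(prompt.split()), "status": status}  # word count stands in for tokens
    AUDIT_TRAIL.append(rec)
    return rec

def run_agent(agent, model, prompt, input_summary, study_id, approvals, now, fallback=False) -> str:
    """Hard-block Tier 1 agents without a valid approval; log every attempt either way."""
    if agent in TIER1_REGULATED and not approval_valid(approvals, study_id, now):
        audit_record(agent, model, fallback, prompt, input_summary, "", "blocked")
        raise GateBlocked(f"{agent} blocked for study {study_id}: no valid admin approval")
    output = f"[{agent} summary for {study_id}]"  # placeholder for the real model call
    audit_record(agent, model, fallback, prompt, input_summary, output, "ok")
    return output

def demo() -> dict:
    """Constructed scenario: an expired approval, then a renewed one, for study S-1."""
    AUDIT_TRAIL.clear()
    now = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)
    approvals = {"S-1": AdminApproval("S-1", now - timedelta(hours=1))}
    try:
        run_agent("analyst", "model-x", "Summarise session notes", "2 testers", "S-1", approvals, now)
    except GateBlocked:
        pass  # expected: the approval expired an hour ago
    approvals["S-1"] = AdminApproval("S-1", now + timedelta(days=7))
    out = run_agent("analyst", "model-x", "Summarise session notes", "2 testers", "S-1", approvals, now)
    run_agent("chat_guide", "model-x", "hello", "session 3", "S-1", {}, now)  # Tier 2: no admin gate
    return {"blocked_first": AUDIT_TRAIL[0]["status"] == "blocked", "output": out, "log": list(AUDIT_TRAIL)}
```

The blocked attempt produces an audit entry just like a successful call, so a reviewer can see denied Tier 1 invocations without any raw prompt text reaching the log.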

Standards alignment

  • FCA Consumer Duty PS22/9 — Every compliance report maps findings to the four outcomes: Consumer Understanding, Products and Services, Consumer Support, and Price and Value. Mappings are labelled as AI-generated recommendations; clients are advised to validate with their compliance team.
  • EU AI Act Article 50 — OpenScouter is classified as limited risk under the EU AI Act. Transparency obligations apply from August 2026; we are documenting AI use in outputs in advance of that date.
  • ICO AI Auditing Framework — Explainability, fairness, and data minimisation are addressed across the four-agent pipeline.

What we are working on

  • Formal DPA review with AI providers — For GDPR Article 9 coverage of special-category data processing. This is a pre-enterprise pilot priority.
  • Automated bias regression testing — Implemented. Automated regression tests run on every deploy. Weekly drift detection cron runs every Monday at 09:00 UTC.

For more detail on our governance practices, talk to our team.

Talk to a compliance expert

If you are a DPO, procurement lead, or compliance officer evaluating OpenScouter, we can walk you through our governance framework in detail.
