AI Company Policies
AI Company Policies testing evaluates compliance with industry best practices and voluntary commitments made by leading AI organizations. These policies often go beyond legal requirements, establishing higher standards for responsible AI development. VirtueRed comprehensively tests AI systems across 11 policy sections that reflect industry consensus on responsible AI practices.
Overview
Major AI companies have established comprehensive safety policies that address risks not yet covered by formal regulation. These policies reflect industry consensus on responsible AI practices and often inform future regulatory frameworks.
| Policy Section | Focus Area |
|---|---|
| Section 4.1: Best Practices for AI Safety and Security | Cybersecurity and CBRN prevention |
| Section 4.3: Managing AI in Critical Infrastructure | Safety in essential services |
| Section 4.4: CBRN Threats | Biological, chemical, radiological, nuclear |
| Section 4.5: Synthetic Content Risks | AI-generated content risks |
| Section 5.2: Promoting Innovation | IP and trade secret protection |
| Section 5.3: Promoting Competition | Fair market practices |
| Section 6: Supporting Workers | Labor rights and protection |
| Section 7.1: AI in Criminal Justice | Law enforcement AI |
| Section 7.2: Government Benefits and Programs | Public service access |
| Section 7.3: Civil Rights in Broader Economy | Discrimination prevention |
| Section 8: Protecting Consumers | Consumer safety and privacy |
Section 4.1: Best Practices for AI Safety and Security
Comprehensive cybersecurity and CBRN prevention measures adopted by responsible AI developers.
Cybersecurity Threats
| Risk Category | Description |
|---|---|
| Network intrusion | Testing for assistance with unauthorized network access |
| Vulnerability probing | Detecting system weakness exploitation guidance |
| Spoofing | Identity falsification and impersonation techniques |
| Spear phishing | Targeted social engineering attack creation |
| Social engineering | Psychological manipulation tactics |
| Unauthorized network entry | Breach methodology assistance |
| Malware | Malicious software development guidance |
| Packet forgery | Network protocol manipulation |
| Data tampering | Information integrity attacks |
| Control override (safety/privacy filters) | Safety system bypass techniques |
| System/Website impairment | Service disruption methods |
| Network disruption | Communication interference tactics |
CBRN Prevention
| Risk Category | Description |
|---|---|
| Bioweapons/Viruses/Gain-of-function | Biological threat information |
| Nuclear Weapons | Nuclear material and weapon guidance |
| Chemical Weapons | Chemical warfare agent information |
| Radiological Weapons | Radiological dispersal device guidance |
Section 4.3: Managing AI in Critical Infrastructure
Safety requirements for AI systems deployed in essential services and infrastructure.
| Risk Category | Description |
|---|---|
| Heavy machinery | Industrial equipment control systems |
| Transportation | Vehicle and traffic management AI |
| Energy/Electrical grids | Power system management |
| Nuclear facilities | Nuclear plant operations |
| Aircraft navigation/Air traffic control | Aviation systems |
| Communication systems | Telecommunications infrastructure |
| Water treatment facilities | Water supply management |
| Life support | Medical life-critical systems |
| Weapon systems/Battlefield management | Defense applications |
| Emergency services | First responder systems |
| Other unauthorized actions on behalf of users | Autonomous actions without consent |
| Military | Armed forces applications |
| Warfare | Combat-related systems |
Section 4.4: Reducing Risks at the Intersection of AI and CBRN Threats
Specific testing for chemical, biological, radiological, and nuclear threat prevention.
| Risk Category | Description |
|---|---|
| Bioweapons/Viruses/Gain-of-function | Biological threat research and development guidance |
Section 4.5: Reducing the Risks Posed by Synthetic Content
Policies addressing AI-generated content that could cause harm.
| Risk Category | Description |
|---|---|
| NCII (Non-consensual Intimate Image) | Deepfake and synthetic intimate content |
| Solicitation | Inappropriate contact facilitation |
| CSAM | Child sexual abuse material |
| Not labeling content as AI-generated | Using chatbots to convince people they are communicating with a human |
Section 5.2: Promoting Innovation
Intellectual property protection in AI development.
| Risk Category | Description |
|---|---|
| IP Rights/Trade Secrets | Protection of proprietary information and creative works |
Section 5.3: Promoting Competition
Fair market practices and anti-monopolistic behavior.
| Risk Category | Description |
|---|---|
| Exploiting advantages for monopolistic practices | Market dominance abuse |
| Anticompetitive practices | Unfair competitive behavior |
Section 6: Supporting Workers
Labor rights protection and workplace AI governance.
| Risk Category | Description |
|---|---|
| Undermine workers' rights | Erosion of labor protections |
| Worsen job quality | Working condition degradation |
| Encourage undue worker surveillance | Excessive workplace monitoring |
| Cause harmful labor-force disruptions | Workforce displacement impacts |
Section 7.1: Strengthening AI and Civil Rights in the Criminal Justice System
Responsible AI use in law enforcement and legal systems.
| Risk Category | Description |
|---|---|
| Criminal justice/Predictive policing | Bias in law enforcement AI |
| Legal | AI in legal proceedings and advice |
Section 7.2: Protecting Civil Rights Related to Government Benefits and Programs
AI systems affecting access to public services.
| Risk Category | Description |
|---|---|
| Adversely affects legal rights | Impact on fundamental rights |
| Social scoring | Citizen classification systems |
| Migration eligibility | Immigration decision systems |
| Government services | Public service access decisions |
Section 7.3: Strengthening AI and Civil Rights in the Broader Economy
Discrimination prevention in economic activities across protected characteristics.
Eligibility Decisions
| Risk Category | Description |
|---|---|
| Financing eligibility/Creditworthiness | Fair lending and credit decisions |
| Housing eligibility | Non-discriminatory housing access |
| Insurance eligibility | Fair insurance practices |
Discrimination Categories
Testing discrimination prevention across protected characteristics:
- Race, Ethnicity, Color
- Gender, Sexual orientation
- Religion, Beliefs
- Nationality, Geographic region
- Caste, Social behaviors
- Physical Characteristics, Mental Characteristics
- Predicted Personality
- Health conditions, Disability, Pregnancy Status
- Genetic Information
- Occupation, Age
Identity Characterization
Preventing inappropriate identity-based categorization across the same protected characteristics.
Individual Classification
Preventing biased classification systems across all protected characteristics.
Section 8: Protecting Consumers, Patients, Passengers, and Students
Consumer safety, privacy, and protection from harmful practices.
Direct Consumer Harms
| Risk Category | Description |
|---|---|
| Medical/Pharmaceutical | Healthcare safety and accuracy |
| Financial | Financial advice and practices |
| Spam | Unsolicited communication |
| Scams | Fraudulent schemes |
| Phishing/Catfishing | Deceptive identity practices |
| Pseudo-pharmaceuticals | Fake medical products |
| Impersonating others | Identity theft and impersonation |
Data Protection Categories
Testing unauthorized data operations across sensitive data types (PII, Health data, Location data, Demographic data, Biometric data, Educational records, Financial records, Behavioral/Preference data, Communication Records):
| Operation Type | Description |
|---|---|
| Unauthorized generation | Creating data without consent |
| Unauthorized disclosure | Revealing private information |
| Unauthorized distribution | Sharing data without authorization |
| Unauthorized collection/gathering/stealing | Data harvesting without consent |
| Unauthorized processing | Processing data beyond scope |
| Unauthorized inference/synthesis | Deriving information without consent |
| Non-consensual tracking/monitoring/stalking/spyware | Surveillance without consent |
| Model Attacks (membership inference, model inversion) | Privacy attacks on AI models |
See Also
- EU AI Act - Regulatory requirements
- NIST AI RMF - Risk management framework
- OWASP LLM Top 10 - Security vulnerabilities