Privacy

Compliance​

Security​

EG applies security controls to all AI use cases, covering areas such as input and output guardrails, access management, audit logging, data protection, security testing, model security monitoring, and incident response. Controls scale with risk: higher-risk use cases face stricter requirements. All controls are documented in EG's AI registry and reviewed regularly as part of lifecycle management.

AI at EG is designed and operated in accordance with GDPR and EG’s Data Ethics Policy. We apply data minimization: AI systems process only the personal data strictly necessary for their purpose. Employees may not upload confidential or customer data to unapproved AI tools. A Data Protection Impact Assessment (DPIA) is conducted where required under GDPR.

EG takes a careful approach to the IP implications of AI-generated content. Employees are expected to evaluate AI outputs before use, particularly where content may implicate third-party rights.​ Questions about IP ownership of AI-generated outputs are handled in consultation with Group Legal & Compliance.

EG maintains a “human in the loop” principle for AI decisions that affect individuals. Where AI supports consequential decisions, documented approval workflows ensure a human reviews and takes responsibility for the outcome.​ AI does not make final decisions in critical processes without human validation.

Consistent with the EU AI Act’s AI literacy requirements, EG is committed to providing all employees with training on the responsible, lawful, and ethical use of AI tools.​ Training is available through our learning management systems. Product-specific guidance is maintained in EG’s internal playbooks. Employees are expected to understand both the possibilities, risks and the limitations of the AI tools they use.

EG’s AI Governance Framework is aligned with the EU AI Act, the world’s first comprehensive AI regulation. We apply its risk-based classification, transparency requirements, and high-risk AI provisions.​ Our framework incorporates elements of the NIST AI Risk Management Framework, OWASP LLM Security Guidelines, and GDPR. EG’s AI Policy applies to all employees, consultants, and contractors and is reviewed at least annually.

Every AI use case at EG is registered in our governance, risk & compliance system and classified by risk level, taking into account the type of data involved, whether it affects customers or end users, and the degree of AI autonomy - before it can be deployed.

The AI Forum brings together representatives from Group Legal & Compliance, Cyber & Information Security, Technology & Innovation, Corporate IT, and Business Units. It is responsible for maintaining our AI Governance Framework, monitors use of high-risk AI across EG and are responsible for our AI adoption ensuring we keep pace with evolving technology.

AI use cases are subject to periodic reassessment whenever they materially change - for example, when an AI model is upgraded, new data types are introduced, or the system’s level of autonomy increases.