Sift AI Responsible AI
Source: Sift AI Responsible AI.pdf
Pages: 11

--- Page 1 ---
Sift AI
W H I T E P A P E R
Responsible AI at Sift AI
We believe the best teams will be people and AI working side by
side: the agent carries the volume, the person brings the judgment.
This is the trust that makes that partnership work, and how we build
it into every agent we ship.
NIST AI RMF aligned  ·  OECD AI Principles  ·  EU AI Act  · 
Human-in-the-loop by default
APRIL 2026
CONFIDENTIAL
NIFTORY INC. DBA SIFT AI (“SIFT AI”)  ·  COMPANION TO THE SECURITY &
ARCHITECTURE OVERVIEW AND THE AGENT SECURITY WHITEPAPER

--- Page 2 ---
What this document covers
01
How we think about responsible AI
02
Transparency: you can always see what it did
03
Fairness: the line we will not cross
04
Accountability: someone always owns it
05
Privacy: your data stays yours
06
Safety: when in doubt, ask a human
07
How we keep ourselves honest
08
How this lines up with the frameworks
09
Where this goes

--- Page 3 ---
0 1  ·  H O W  W E  T H I N K  A B O U T  R E S P O N S I B L E  A I
Humans and AI, on the same team
We are building toward a simple, hopeful idea: that a customer's team and an
AI can do their best work together. The agent takes the endless volume,
reads every message, drafts the reply, and never tires. The person brings
what people are for: judgment, empathy, the relationship, the final call. Done
well, this is not a more automated way to work. It is a more human one,
because it hands people back the time the busywork was taking.
None of that happens without trust. People do not lean on a partner they cannot rely on, and they should not, least of all one
that reads messages from strangers on the open internet and, when a customer allows it, replies on their behalf. So we made
a decision early, and it runs through everything here: our AI is a capable partner, never an authority. The people on a
customer's team make the calls that matter. The agent does the fast, tireless, explainable work in between, and only as far as
the customer lets it. The safe choice is the default choice, and when the agent is unsure, it asks a person instead of
guessing.
That belief also tells us what not to build. We keep our agents out of decisions that change people's lives. We never train our
models on a customer's data. And given the choice between a smaller agent a customer trusts and a flashier one they
cannot answer for, we will pick the one they trust every time. We would rather earn the next bit of autonomy than assume it.
1
Transparency
you can see
what it did
2
Fairness
and who it
serves well
3
Accountability
someone
owns it
4
Privacy
your data
stays yours
5
Safety
it fails to
a human
TRUST · what people can understand, hold to account, and rely on
Five promises, and the trust they add up to. Each one has a section below: what we believe, how we make it
real, and where we draw a hard line.
These five line up with the frameworks our customers and regulators already use: the NIST AI Risk
Management Framework, the OECD AI Principles, the EU AI Act, and the responsible-AI principles published
across the industry. We did not invent our own rulebook.

--- Page 4 ---
0 2  ·  T R A N S P A R E N C Y
You can always see what it did
For a person and an agent to work as a team, the person has to be able to see
what the agent saw and why it did what it did. "The model decided" is not an
answer we will ever give.
So every decision an agent makes leaves a record we cannot quietly change: what it read, what it concluded, how sure it
was, the exact quotes it leaned on, and the version of the model and prompt behind it. Open any reply, score, or tag, and you
can trace it straight back to the source content that produced it. We tell people in the product when AI is doing the work, we
label AI-written drafts as drafts, and we publish which model providers we use and how we handle data. When the agent is
unsure, it says so, and that doubt is handed to the person reviewing it.
H O W  I T  W O R K S
Audit trail
Every run records what the agent read, what it concluded, a confidence
label, the quotes it cited, and the model and prompt version behind it, in an
append-only log.
Source grounding
Open any reply, tag, or score and it traces back to the exact source records
that produced it.
Disclosure
AI-authored drafts are labeled as drafts; the model providers we use and
how we handle data are published.
Tracing
Each step is captured as an OpenTelemetry  span, so a run can be replayed
and inspected end to end.
Where we draw the line. We will never dress up AI output as a human, and we will never hide
that a decision was automated. If your team cannot explain what the agent did, we are not
finished building it.

--- Page 5 ---
0 3  ·  F A I R N E S S
The line we will not cross
This is the principle we feel most strongly about, because it is the one most
often waved away. AI learns from human language, and human language
carries human bias. Pretending it does not is how the harm gets in.
So we are deliberate about two things, and the first is a hard line. Our agents triage, organize, and draft. They do not pass
judgment on people. Sift AI is built to help a team understand and respond to conversations, not to score, rank, or gate the
people in them. Keeping the agent out of decisions like that is the most honest fairness control we know: a model that never
makes the call cannot skew it.
The second is about the work the agent does do, triage, classification, and drafting replies: we measure it, and we do not
look away from what we find. We test for precision, recall, and accuracy against curated truth sets, and we test across
languages and channels, because an agent that is fluent in English and clumsy in Spanish is not being fair to the people
writing in Spanish. We read our own prompts for loaded framing. And we put a person in front of anything the model is not
confident about, so an uncertain call is a reviewed call, not a shipped one.
H O W  I T  W O R K S
Scope by design
Agents act only through a typed allowlist of actions ( allowedActions ),
authorized server-side; consequential decisions about people are not in it.
Evaluation
Precision, recall, and accuracy graded against curated truth sets, measured
separately across languages and channels rather than in aggregate.
Confidence gate
Outputs below a confidence threshold route to a person for review instead of
shipping.
Prompt review
Prompts are read for loaded or leading framing before they reach
production, and re-checked when they change.
Where we draw the line. Fairness is not a dashboard you check after the fact. It is a set of
choices we make before the agent ever runs: what it is allowed to decide, whose language it
serves well, and when it has to step aside.

--- Page 6 ---
0 4  ·  A C C O U N T A B I L I T Y
Someone always owns it
The agent is here to amplify the people on a team, never to replace the
person who answers for the work. So autonomy is never an excuse: when an AI
acts, a person and a company are still accountable for it, and we build so that
stays true no matter how capable the agent gets.
One named leader owns this program: our CISO, working with Legal and our Data Protection Officer. Bigger changes get
reviewed before they ship, not after something goes wrong. Autonomy is something a customer turns on deliberately, one
goal at a time, and can turn off in a single click; until they do, a human approves every reply. And every action an agent takes
is signed and sitting in the record, traceable to the exact run, goal, and settings that produced it. Customers own that
configuration and can change it whenever they like.
H O W  I T  W O R K S
Named owner
One accountable owner (our CISO, with Legal and the Data Protection
Officer); higher-impact changes get a pre-launch review.
Graduated autonomy
Each goal has an autonomy level, shadow , suggest , or auto , defaulting to
human-in-the-loop and opt-in per goal.
Kill switch
An org-level switch disables automated sending in one click, read fresh on
every run so it takes effect immediately.
Governance snapshot
Every action is signed and tied to the run, goal, allowed actions, and settings
that produced it.
Where we draw the line. The customer is always in command. There is no version of Sift AI
where an agent did something and nobody can say who is responsible.

--- Page 7 ---
0 5  ·  P R I V A C Y
Your data stays yours
A customer's data belongs to the customer. We use it to do the job they hired
us for, and nothing else. We never use it to train a model, ours or anyone's.
Personal information is found and hidden the moment it arrives, so even the models we call see as little of it as we can
manage. Each customer's data is walled off from every other customer's, encrypted on the way in and at rest, kept only as
long as the contract says, and deleted on request. The model providers we use run on terms that forbid training on our data,
which means a customer's conversations never become part of anyone's model. There is no per-customer fine-tuning, so
there is no quiet path for one customer's words to end up in another's results. The deeper cryptography and retention detail
lives in the Security and Architecture Overview and the Agent Security Whitepaper.
H O W  I T  W O R K S
PII handling
Personal data is detected and redacted on ingest, so the models we call see
as little of it as possible.
Isolation
Each customer's data is walled off from every other's, and there is no per-
customer fine-tuning that could carry one customer's words into another's
results.
Encryption
Encrypted in transit (TLS 1.2+) and at rest (AES-256 via AWS KMS).
No training
Provider terms forbid training on our data; inference runs with no provider-
side retention.
Retention
Data is kept only as long as the contract requires and deleted on request.
Where we draw the line. No customer should ever have to wonder whether their content trained
a model or leaked to a competitor. The answer is no, and it is no by design, not by promise.

--- Page 8 ---
0 6  ·  S A F E T Y  A N D  S E C U R I T Y
When in doubt, ask a human
Our agents read content written by anyone on the internet, including people
trying to trick them. So we assume every message might be hostile and build
as if it is.
Untrusted content is fenced off from the agent's own instructions, so a cleverly worded message cannot hijack it into doing
something it should not. The agent runs with the least power it needs, its code is sandboxed away from secrets and from
other customers, and it forgets each case when it is done, so nothing carries over to poison the next one. We test all of this
the way an attacker would, against the live system rather than a diagram: in our most recent assessment we ran a battery of
real injection attacks at the running model, and every one was turned away.
H O W  I T  W O R K S
Injection defense
Untrusted content is delimited and fenced from the agent's own instructions,
so a crafted message cannot hijack it.
Least privilege
Server-side authorization on every action ( allowedActions ); code runs
sandboxed, away from secrets and from other tenants.
Stateless runs
Each case starts clean, so nothing carries between threads to poison the
next one.
Adversarial testing
Injection, jailbreak, and data-extraction batteries run against the live system,
covering the OWASP Top 10 for LLM Applications; anything ambiguous fails
closed to a person.
Where we draw the line. When confidence is low, the content is ambiguous, or anything looks
manipulated, our agents do the boring, safe thing and hand it to a person. We would rather be
occasionally over-cautious than once unsafe.

--- Page 9 ---
0 7  ·  H O W  W E  K E E P  O U R S E L V E S  H O N E S T
A loop, not a launch
Good intentions are easy to write down. We keep ours honest with a repeatable loop, the one the US standards body (NIST)
lays out in its AI Risk Management Framework: govern, map, measure, manage. It runs continuously, so the risks we find
after launch get handled the same way as the ones we anticipated before it.
Map
Find the risks.
Threat-model and red-team each agent.
Measure
Test for them.
Accuracy evals and live attack runs.
Manage
Shut them down.
Isolation, human review, kill switch.
what we learn in production comes back around
GOVERN · who owns it, the policies, the pre-launch review, the training
Govern wraps the whole thing. Map, measure, and manage run on a loop, because the job is never finished.
STEP
WHAT IT MEANS AT SIFT AI
Govern
One named owner is accountable for the AI program. Our responsible-AI and security policies
live inside the same ISO 27001 management system as the rest of the company, higher-impact
changes get a pre-launch review, and the people building agents are trained for the job.
Map
For every agent, we ask what could go wrong: we threat-model the tools, the prompts, and the
actions it can take, line them up against the OWASP Top 10 for LLM Applications, and red-team
the surface with real adversarial inputs, including prompt injection hidden in the content it
reads.
Measure
We grade the model against curated truth sets, run injection and data-extraction tests, attack
the live system to confirm the defenses hold, and check that the "ask a human" fallback fires
when the agent is genuinely unsure.
Manage
The runtime controls carry the risk down: untrusted content fenced off, actions checked
against an allow-list, code sandboxed, customers walled apart, replies defaulting to human
review, and a kill switch over all of it. When something does go wrong, we fix it and feed the
lesson back into the next release.

--- Page 10 ---
0 8  ·  F R A M E W O R K  A L I G N M E N T
How this lines up with the standards
None of this is a private rulebook. Each promise maps cleanly onto the frameworks our customers and their regulators
already trust, which is the whole point: it should be easy to check our work.
OUR PROMISE
NIST AI RMF
THE SAME IDEA ELSEWHERE
Transparency
Govern, Map
OECD "transparency and explainability"; the industry principle
of transparency.
Fairness
Measure, Manage
OECD "human-centred values and fairness"; the industry
principles of fairness and inclusiveness.
Accountability
Govern
OECD "accountability"; the EU AI Act splitting responsibility
across the AI supply chain.
Privacy
Map, Manage
GDPR and US state privacy law; the industry principle of privacy
and security.
Safety and
security
Map, Measure, Manage
OECD "robustness, security and safety"; the OWASP LLM Top
10; the industry principle of reliability and safety.
On regulation specifically: we design our agents to stay well clear of the EU AI Act's banned and high-risk uses (no social
scoring, no biometric identification, no life-altering decisions about people), and the platform's encryption, access, retention,
and deletion controls are built to support GDPR and US state privacy obligations. The program is reviewed alongside our
security management system and updated as both our agents and the rules around them change.

--- Page 11 ---
SIFT AI · RESPONSIBLE AI · CONFIDENTIAL
APRIL 2026
0 9  ·  W H E R E  T H I S  G O E S
A partnership that keeps getting better
As our agents grow more capable, the partnership grows with them: the AI takes on more of the toil, and people are freed for
more of the judgment, creativity, and care that only they can bring. Our job is to make sure that, every step of the way, it
stays a partnership people trust. We would rather tell you what is still ahead than pretend the work is done, so here is some
of what we are building next:
The bottom line. We would rather ship a narrower agent a customer trusts than a more
autonomous one they cannot answer for. As our agents grow more capable, this document and
the work behind it will grow with them.
A deterministic check on the content of any reply before it is ever sent automatically, on top of the
human-review default, so an auto-send is screened for links, secrets, and unsafe content first.
An adversarial test suite (prompt injection and data extraction) wired into our release pipeline as a
gate, so a prompt or policy change cannot quietly weaken these protections.
Rate limits and a circuit breaker on automated actions, so unusual volume trips back to human
review.
Regular re-testing of the whole agent surface as it grows, and we keep sharing what we learn.
