Case study · research artifact
Governance was already present.Comprehension was missing.
On the left, the published Cloud Security Alliance (CSA) clause as written. On the right, the explainer’s plain-language answer for an employee’s question about the same clause, citing framework, version, and clause id, with every condition preserved. No blending across versions or frameworks. If the corpus does not carry the answer, the explainer abstains and routes to the policy owner.
Asked in English
Can I use real customer data to test our new AI feature?
Same answer, same clause: AICM DSP-15 — Limitation of Production Data Use, cited every time.
Situation
Your governance library is complete — the clauses exist for nearly every AI question an employee has.
Complication
Nobody can find or parse them at the moment of need, so people guess. Governance present, comprehension missing.
The question
“Can employees get a trustworthy answer from OUR policy, at the moment they need it, without calling us?”
The answer
Retrieval over the real corpus: answers composed only from the governing clause, cited every time, abstaining when the corpus is silent — in eight languages.
Honesty. The paraphrases on this page are Modeled — Real fixed-corpus result, not independently reviewed.They were authored to mirror the explainer’s contract (normative force preserved, conditions named, clause cited) so the page reads cold even without a large language model (LLM) call. Want to ask your own question? Try the live explainer →
Employee asks
How often do we have to update our audit policies?
Before — the published clause
Verbatim CSA clause text is owner-only at this tier.
AICM 1.1.0 · A&A-01 · Audit and Assurance Policy and Procedures
After — the explainer answer
Your AI audit and assurance policies must be reviewed and updated at least once a year, plus any time something significant changes. They have to be written down, signed off, shared, applied, and re-evaluated as a steady practice — not a one-off.
Conditions
- At least annually, even if nothing has changed.
- Any significant change to the AI program or its environment triggers an update outside the annual cycle.
The published clause is CSA copyright; owner viewers see it verbatim. The explainer’s paraphrase is constructed to preserve normative force and every condition.
Employee asks
Where does the rule about data classification live, and what do we have to do?
Before — the published clause
Verbatim CSA clause text is owner-only at this tier.
AICM 1.1.0 · DSP-01 · Security and Privacy Policy and Procedures
After — the explainer answer
You need written policies and procedures that classify, protect, prepare, and handle data across its whole lifecycle. They have to line up with applicable laws and regulations, with relevant standards, and with the risk level of the data. Review and update them at least once a year.
Conditions
- Cover the full data lifecycle, not just the active-use stage.
- Must align with applicable laws, regulations, and standards.
- Risk level of the data sets how much protection the policy demands.
- Annual review minimum.
The published clause is CSA copyright; owner viewers see it verbatim. The explainer’s paraphrase is constructed to preserve normative force and every condition.
Employee asks
When do we have to refresh our identity and access management policies?
Before — the published clause
Verbatim CSA clause text is owner-only at this tier.
AICM 1.1.0 · IAM-01 · Identity and Access Management Policy and Procedures
After — the explainer answer
IAM policies and procedures must be written down, approved, shared, and applied, and then reviewed and updated at least every year. Any significant change also triggers a refresh ahead of the annual cycle.
Conditions
- Reviewed at least annually.
- Reviewed sooner if anything significant changes (e.g. new system, vendor swap, role redesign).
The published clause is CSA copyright; owner viewers see it verbatim. The explainer’s paraphrase is constructed to preserve normative force and every condition.
Employee asks
What does CCM say about its security training requirement, and how does AICM relate?
Before — the published clause
Verbatim CSA clause text is owner-only at this tier.
CCM 4.0.13 · HRS-11 · Security Awareness Training
After — the explainer answer
CCM v4.0.13 HRS-11 sets the foundational expectation: ongoing security awareness training for all personnel. AICM v1.1.0 keeps the same control id and adds AI-specific obligations — they are sibling controls, not the same control. Treat your existing CCM HRS-11 program as the baseline; layer the AICM additions for AI literacy on top. The two MUST NOT be blended into one answer.
Conditions
- Foundational training requirement comes from CCM v4.0.13.
- AI-specific layer comes from AICM v1.1.0 (same id, different scope).
- Read each version on its own; do not paraphrase across them.
The published clause is CSA copyright; owner viewers see it verbatim. The explainer’s paraphrase is constructed to preserve normative force and every condition.
Employee asks
At AISMM Level 3 (Defined), what does the Governance category actually require?
Before — the published clause
Verbatim CSA clause text is owner-only at this tier.
AISMM v3.7 · GOV-03.2 · Governance L3 · Authoritative AI deployment and application registry
After — the explainer answer
At AISMM Level 3 (Defined), Governance requires that the AI Council maintain an authoritative registry of AI deployments and applications. Each entry must link back to its approved use case and provider. This is the Level 3 bar — earlier levels do NOT clear it, and Level 4 / Level 5 add more on top.
Conditions
- Specific to AISMM Level 3 (Defined) — do not claim it at L1 or L2.
- Registry must be authoritative, not a sample or an inventory snapshot.
- Each entry traces to an approved use case and an approved provider.
The published clause is CSA copyright; owner viewers see it verbatim. The explainer’s paraphrase is constructed to preserve normative force and every condition.
Why this matters. The published policy is the system of record. The explainer points to it; it never replaces it. The reader leaves with the rule and its source, never a basis to claim compliance.