AIPMO exists to help organizations govern AI responsibly. We believe that starts with governing our own. This page describes how we use AI across our platform, what data we collect and how we handle it, what safeguards we apply, and the governance frameworks that guide our decisions.
We publish this page not because we are required to, but because transparency is a foundational principle of trustworthy AI — and we intend to demonstrate it.
Our AI Systems
AIPMO operates two distinct AI-powered systems: the AI Governance Advisor and Document Customizer on app.aipmo.co, and Aidan, our AI site assistant present on both surfaces.
AI Governance Advisor and Document Customizer
The AIPMO Advisor at app.aipmo.co uses Anthropic's Claude API to provide AI-powered guidance and document generation. Specifically:
- AI Governance Advisor Chat — An interactive chat interface where users ask questions about AI governance, risk management, and project delivery. The system responds with guidance grounded in 70+ AI governance sources — including frameworks (NIST AI RMF, ISO 42001), regulations (EU AI Act), principles (OECD AI Principles, UNESCO AI Ethics Recommendation), and national strategies (Singapore IMDA, UK Pro-Innovation AI Regulation), among others. Every response includes numbered citations tied to retrieved content — hallucinated source references are structurally impossible by design.
- Document Customizer — Users generate customized AI governance documents tailored to their organization's industry, size, maturity level, regulatory environment, and PM methodology. 15 document types are available, spanning the full AI project lifecycle from Project Charter to Decommission Plan. Documents are generated with awareness of Agile, Waterfall, Hybrid, and Flexible PM methodologies.
- User Document Ingestion — Professional and Consultant members may upload reference documents (PDF, DOCX, TXT, MD) to projects. Uploaded documents are extracted, classified by document type via the Anthropic API, chunked, and embedded via the OpenAI embedding API, then made available to the Advisor as additional retrieval context.
Aidan — AI Site Assistant
Aidan is AIPMO's AI assistant, available on both aipmo.co and app.aipmo.co as a floating chat widget. Aidan is powered by Anthropic's Claude API (Haiku model) and is designed exclusively to answer questions about AIPMO's platform, plans, features, and how to use them. Aidan does not provide AI governance framework guidance — it redirects those questions to the Advisor.
Aidan is rate-limited by membership tier. It does not retain conversation history between sessions. Conversations are not stored server-side — session history is held in the visitor's browser localStorage only, with a 7-day TTL.
What the AI Does Not Do
- The AI does not make autonomous decisions on behalf of users.
- The AI does not access, query, or store data from any external systems or databases; it works only with what users provide within the platform.
- The AI does not learn or retain information from one user session to inform responses for other users.
- The AI does not replace professional legal, regulatory, or compliance advice.
- Aidan does not provide AI governance framework guidance and will redirect such questions to the Advisor.
How Content Is Generated
Chat Responses (Advisor)
When a user sends a message through the AIPMO Advisor, the system constructs a prompt that includes:
- System instructions — A carefully designed prompt that establishes the AI's role as an AI governance advisor, defines its knowledge boundaries, and sets response guidelines.
- Knowledge base sources — Reference material retrieved via semantic search from 70+ ingested AI governance sources. User query text is embedded via OpenAI's embedding API to identify the most relevant chunks, which are then included in the prompt. Every response cites retrieved chunks by number.
- Organizational context — If the user has set up an organization profile (industry, size, maturity level, regulatory environment, PM methodology, headquarters, operating regions), this context is injected into the prompt so responses are tailored to the user's specific situation.
- Project context — If the user is working within a specific project, the project's details (AI system type, deployment stage, risk level, data scope) further refine the AI's guidance.
- Uploaded document context — If the user has uploaded reference documents to the project (Professional and Consultant tiers), relevant chunks from those documents are included alongside knowledge base content.
- Conversation history — The current conversation thread is included so the AI can maintain continuity within a session.
The AI then generates a response based on this combined context. Each response is generated fresh — there is no persistent model fine-tuning or training on user data.
Document Generation
When a user generates a document through the Document Customizer:
- The user selects a document type from 15 available types and specifies their PM methodology (Agile, Waterfall, Hybrid, or Flexible). The methodology determines the structure and emphasis of the generated document.
- The user completes a structured intake form. Fields are either verbatim (placed exactly as entered) or AI-enriched (expanded and improved by Claude while preserving the user's intent). Users may toggle verbatim mode on individual fields.
- The user's organizational profile and project context are combined with the form data to create a customization prompt grounded in the selected methodology.
- The AI generates a customized Word document (.docx), which is saved to the user's project and available for download.
- The generated document includes a disclaimer indicating it was AI-assisted and should be reviewed by a qualified professional before use in governance decisions.
Document types are developed by credentialed practitioners (AIGP, PMP, PMI-ACP, CPMAI, GCP GenAI Leader) and grounded in published frameworks.
User Document Classification
When a user uploads a document to a project, the first portion of the document text is sent to Anthropic's Claude API (Haiku model) for classification. Classification identifies the document type (e.g., Risk Assessment, Data Governance Plan), extracts governance frameworks referenced, identifies governance domains covered, and assesses document completeness. This classification metadata is stored with the document record and used to improve retrieval relevance in the Advisor.
Semantic Search and Embeddings
The Advisor uses retrieval-augmented generation (RAG). When a user sends a message, the message text is sent to OpenAI's embedding API (text-embedding-3-small model) to generate a search vector. This vector is used to retrieve the most semantically relevant chunks from the knowledge base and any uploaded documents. Only the retrieved chunks are included in the AI prompt — the full knowledge base is never sent to Claude.
The same embedding process is applied to user-uploaded documents during ingestion: document text is chunked and each chunk is embedded via OpenAI's API, then stored in the vector database for future retrieval.
Aidan Chat Responses
When a visitor sends a message to Aidan, the message and recent conversation history are sent to Anthropic's Claude API (Haiku model) along with a system prompt containing AIPMO's platform knowledge. No organizational context, project data, or knowledge base content is included in Aidan's prompt. Aidan conversations are not stored server-side.
Human Oversight by Design
Every AI-generated output on AIPMO is designed with the expectation of human review:
- All Advisor chat responses are presented as informational guidance, not directives.
- All generated documents are delivered as starting points, not final deliverables.
- Disclaimers appear on every page where AI-generated content is presented.
- Users are encouraged to have qualified professionals review any AI-generated material before applying it to governance decisions.
Data Collection and Handling
What We Collect
| Data Type | Purpose | Storage Location |
|---|---|---|
| Name and email | Account creation and authentication | Ghost CMS (aipmo.co) |
| Organization profile | Contextualizing AI responses | Supabase (encrypted) |
| Project details | Tailoring guidance to specific initiatives | Supabase (encrypted) |
| Conversation messages | Maintaining Advisor chat continuity within sessions | Supabase (encrypted) |
| Generated documents | Providing users access to their customized content | Supabase (encrypted) |
| Uploaded documents | User-provided reference context for the Advisor | Supabase Storage (encrypted) |
| Document embeddings | Semantic search index for uploaded documents | Supabase pgvector |
| Usage events | Platform improvement and analytics (metadata only — never message content) | Supabase (server-side only) |
| Feedback ratings and comments | Document generation quality improvement | Supabase (encrypted) |
| Payment information | Processing subscriptions | Stripe (not stored by AIPMO) |
What We Send to the AI
Anthropic's Claude API receives:
- Your Advisor chat message and conversation history
- Your organization profile (industry, size, maturity level, regulatory environment, PM methodology)
- Your project context (AI system type, deployment stage, risk level)
- Relevant knowledge base chunks retrieved by semantic search
- Relevant uploaded document chunks (if applicable)
- Document form data when generating a document
- Uploaded document text samples for classification (first portion only)
- Aidan chat messages and recent conversation history
OpenAI's embedding API receives:
- Your Advisor chat message text (at query time, to generate a search vector)
- Uploaded document text (chunked, during ingestion, to generate embeddings for storage)
We do not send your name, email address, payment information, or any personal identifiers to any AI API.
What Anthropic Does With Your Data
AIPMO uses Anthropic's commercial API, which operates under Anthropic's Commercial Terms of Service. Under these terms:
- No model training. API inputs and outputs are never used to train or improve AI models. This prohibition applies unconditionally to all commercial API customers — there is no opt-in or opt-out.
- 30-day retention. Anthropic automatically deletes API inputs and outputs from their backend within 30 days of receipt or generation.
- Safety exception. If content is flagged by Anthropic's trust and safety classifiers as potentially violating their Usage Policy, inputs and outputs may be retained for up to two years for enforcement purposes.
What OpenAI Does With Your Data
AIPMO uses OpenAI's API for embedding generation only — not for any language model or chat functionality. Under OpenAI's API Terms of Service:
- No model training. API inputs are not used to train OpenAI's models.
- Data retention. OpenAI retains API inputs for up to 30 days for abuse detection, after which they are deleted.
Usage Event Logging
AIPMO logs platform activity events server-side to a private Supabase database. No third-party analytics tools are used. Events logged include: document types generated, Advisor messages sent, framework families queried, upgrade trigger points, and low-confidence retrieval events. Each event records user ID, membership tier, organization and project identifiers, and event-specific metadata. Message content is never logged. Usage event logs are retained for 12 months.
Feedback Data
Members may submit thumbs-up or thumbs-down feedback on Advisor responses and generated documents, with an optional free-text comment. All membership tiers may submit feedback, including anonymous visitors (rating only, no account required). When a member submits feedback with a written comment, that feedback and the associated document context may be used to improve document generation quality for that document type. Feedback ratings are retained for 24 months. Free-text comments are retained for 12 months, after which the comment text is deleted and only the rating is retained.
Data Retention
| Data Type | Retention Period |
|---|---|
| Account data (name, email, membership) | While account exists |
| Organization and project profiles | While account exists, or until deleted |
| Conversation messages | While account active, or until deleted |
| Generated documents | While account exists, or until deleted |
| Uploaded documents and embeddings | While account exists, or until deleted |
| Usage event logs | 12 months |
| Feedback ratings | 24 months |
| Feedback comments | 12 months |
| Payment records | As required by tax and financial regulations |
| Database backup residuals (post-deletion) | Up to 7 days, then permanently purged |
| Uploaded files in storage (post-deletion) | Immediate — no backup residual |
Account Deletion
Members can delete their account and all associated data at any time through Account Settings at app.aipmo.co/account. Deletion is self-service, immediate, and permanent. Uploaded document files are deleted from storage immediately with no backup residual. Database records may persist in automated backup snapshots for up to 7 days before being permanently purged. Members with active paid subscriptions must cancel their subscription before deleting their account.
Safeguards and Risk Management
Guardrails We Apply
- Prompt engineering — System prompts are designed to keep the AI focused on governance guidance, prevent harmful outputs, and maintain professional boundaries.
- Source grounding with citations — Responses are anchored in retrieved chunks from published AI governance sources. Numbered citations make it structurally impossible for the AI to fabricate source references — every citation corresponds to an actually retrieved document.
- Source diversification — The retrieval system uses SQL window functions and family-level grouping to ensure responses draw from multiple source families rather than being dominated by any single source.
- Context boundaries — The AI operates within defined knowledge domains and is instructed to acknowledge when questions fall outside its scope.
- Usage controls — Tier-based limits on message volume and API costs prevent runaway usage and ensure service stability.
- Disclaimer integration — Every surface where AI-generated content appears includes a disclaimer reminding users to seek qualified professional review.
- No autonomous actions — The AI cannot take actions, access external systems, or make decisions on behalf of users. It provides information and recommendations only.
- Feedback loop — Member feedback on generated documents flows directly into prompt improvement, creating a governed improvement cycle with member consent.
- Data minimization — Usage event logging captures metadata only, never message content. Personal identifiers are never sent to AI APIs.
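As an added example (not AIPMO's code), the source-grounding and source-diversification guardrails above modelled in Python on constructed data: a family-capped re-ranking step that mirrors a `ROW_NUMBER() OVER (PARTITION BY family ORDER BY score DESC)` window query, and a post-generation check that accepts only citation numbers that map to a chunk actually placed in the prompt. Chunk contents, similarity scores and the response text are constructed, and the per-family cap of two is an assumed value.

```python
# Added example, not AIPMO's code: two Advisor guardrails on constructed data.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Chunk:
    chunk_id: int
    source: str    # e.g. "NIST AI RMF 1.0"
    family: str    # source family used for diversification, e.g. "NIST"
    score: float   # cosine similarity from the vector search (constructed)
    text: str


def diversify(chunks, per_family_limit=2, top_k=5):
    """Rank chunks by score, keep at most per_family_limit per source family,
    then take the global top_k. This is the Python equivalent of
    ROW_NUMBER() OVER (PARTITION BY family ORDER BY score DESC) <= limit."""
    ranked = sorted(chunks, key=lambda c: c.score, reverse=True)
    seen = {}
    kept = []
    for c in ranked:
        n = seen.get(c.family, 0)
        if n < per_family_limit:
            kept.append(c)
            seen[c.family] = n + 1
    return kept[:top_k]


def number_for_prompt(chunks):
    """Assign the citation numbers [1]..[n] that the prompt exposes to the model.
    Only these numbers can be legitimately cited in the answer."""
    return {i + 1: c for i, c in enumerate(chunks)}


CITE_RE = re.compile(r"\[(\d+)\]")


def validate_citations(response, numbered):
    """Return (valid, invalid) citation numbers found in the response.
    A number with no entry in `numbered` cannot refer to a retrieved chunk,
    so it is flagged rather than shown to the user as a source."""
    found = {int(m) for m in CITE_RE.findall(response)}
    valid = sorted(n for n in found if n in numbered)
    invalid = sorted(n for n in found if n not in numbered)
    return valid, invalid


# Constructed retrieval result: the NIST family would dominate on raw score.
SAMPLE = [
    Chunk(11, "NIST AI RMF 1.0", "NIST", 0.91, "GOVERN 1.1 ..."),
    Chunk(12, "NIST AI RMF Playbook", "NIST", 0.90, "MAP 1.1 ..."),
    Chunk(13, "NIST AI 600-1", "NIST", 0.89, "GAI profile ..."),
    Chunk(21, "EU AI Act", "EU", 0.85, "Article 9 risk management ..."),
    Chunk(31, "ISO/IEC 42001", "ISO", 0.84, "Clause 6.1 ..."),
    Chunk(22, "EU AI Act", "EU", 0.80, "Article 10 data governance ..."),
    Chunk(41, "OECD AI Principles", "OECD", 0.70, "Principle 1.3 ..."),
]


def demo():
    """Diversify, number, and validate a constructed model response that
    cites one number ([7]) the prompt never exposed."""
    numbered = number_for_prompt(diversify(SAMPLE))
    response = "Start with a risk register [1], align it to Article 9 [3], see [7]."
    return numbered, validate_citations(response, numbered)


if __name__ == "__main__":
    numbered, (valid, invalid) = demo()
    for n, c in numbered.items():
        print(f"[{n}] {c.source} ({c.family}, score={c.score})")
    print("valid citations:", valid, "rejected citations:", invalid)
```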
How We Evaluate Response Quality
We maintain a fixed baseline evaluation set — questions covering foundational sources (NIST AI RMF, EU AI Act, ISO 42001), cross-jurisdictional comparison, sectoral coverage (healthcare, financial services, insurance), security, recency, methodology-aware guidance, and deliberate hallucination probes. Each Advisor response is scored across five dimensions: retrieval quality, faithfulness to source, completeness, freedom from hallucination, and citation accuracy.
We run this evaluation set after every source ingestion wave to verify that new content improves coverage on the questions it was intended to address — and that no regressions appear in adjacent areas. We also run it after material prompt or retrieval changes, and periodically as a baseline check against drift.
The evaluation set includes deliberate probes designed to elicit failure modes: questions about sources that do not exist, requests for verbatim quotes that exceed our policy, and questions about granular legal provisions that would tempt the system to fabricate. These exist because catching a failure mode in evaluation costs nothing; catching it in production costs trust.
Documented gaps from each cycle are tracked through our roadmap and addressed in subsequent ingestion waves. We do not publish raw evaluation scores — they are operational signals, not marketing.
Corpus Currency and Retrieval Reviews
Two things degrade silently in a retrieval-augmented system: the freshness of the sources behind every answer, and the precision of how content is chunked and surfaced. We review both on a recurring cadence.
Corpus currency. AI governance is one of the fastest-moving regulatory domains in technology. NIST publishes new profiles and companion documents. The EU AI Act issues delegated acts and harmonized standards. Sector regulators — FDA, OCC, NAIC, Joint Commission, CFPB — release guidance and enforcement actions on a near-monthly basis. Standards bodies revise frameworks. We periodically review the corpus to flag sources where newer authoritative versions exist, replace superseded versions in-place, retire obsolete material, and ingest emerging authoritative sources in planned waves. Each source carries an ingestion date and, where applicable, a publication date, so responses are grounded in what is current rather than what happened to be ingested first.
Chunking and retrieval. Even good sources retrieve poorly if chunked or weighted badly. We periodically review chunk boundaries (do they cut mid-clause, mid-list, or split a table from its header?), retrieval diversity (is one source family quietly dominating answers because it embeds well?), and citation quality (are the returned chunks the most relevant, or just the most embedding-similar?). When we make material changes — re-chunking a source, retuning the diversification heuristic, or swapping embedding strategies — we re-run the baseline evaluation set described above before changes ship to production.
Why this matters for project managers. A recommendation grounded in last year's draft of a framework is no better than being wrong, and it is wrong while sounding authoritative. PMs using the Advisor or generating governance documents rely on AIPMO's discipline in keeping the corpus current and the retrieval honest. Corpus reviews mean fewer surprises during audit and fewer awkward moments when a stakeholder cites the latest guidance that the AI did not know about. Retrieval reviews mean the citations under a recommendation actually support the claim above them. Both exist so PMs can defend AI governance artifacts — charters, risk assessments, impact assessments, decommission plans — to risk officers, auditors, and executives without having to second-guess what is underneath them.
Known Limitations
We believe transparency includes acknowledging what our system cannot do:
- The AI may occasionally produce inaccurate, incomplete, or outdated information, particularly on rapidly evolving regulatory topics.
- Framework knowledge is based on published versions as of the platform's last ingestion date and may not reflect the most recent amendments or interpretations.
- Organizational context provided by users is taken at face value — the AI cannot independently verify the accuracy of user-supplied information.
- Generated documents are starting points that require professional review and organizational adaptation before implementation.
- The AI does not have access to an organization's internal documents, existing policies, or proprietary data unless explicitly uploaded by the user to a project.
- Semantic search retrieval is probabilistic — relevant source content may occasionally not surface if the query does not closely match indexed chunk wording. Follow-up questions or rephrasing typically resolve this.
- Aidan answers from a static knowledge snapshot of AIPMO's platform. For the most current platform information, users should consult the Advisor or contact info@aipmo.co.
Governance Frameworks Applied
AIPMO applies the same governance principles it teaches. Our approach to managing this AI system is informed by the following frameworks:
NIST AI Risk Management Framework (AI RMF 1.0)
The NIST AI RMF identifies seven characteristics of trustworthy AI systems. Here is how AIPMO addresses each:
| Characteristic | How AIPMO Addresses It |
|---|---|
| Valid and Reliable | Advisor responses are grounded in retrieved content from 70+ published AI governance sources with numbered citations. Document templates are developed by credentialed practitioners and reviewed before publication. Feedback mechanisms enable continuous quality improvement. |
| Safe | The system is advisory only — it cannot take autonomous actions or make decisions that directly affect users or third parties. Aidan's scope is strictly limited to platform information. |
| Secure and Resilient | Data is encrypted in transit and at rest. Authentication uses secure session management with encrypted JWT tokens. Payment processing is handled by PCI-compliant Stripe. User-uploaded files are stored in access-controlled Supabase Storage. |
| Accountable and Transparent | This page. We disclose what the AI does, how it works, what data it uses, what third parties process it, and what its limitations are. |
| Explainable and Interpretable | Users can see their organizational and project context in the interface, understanding what inputs shape the AI's responses. Every Advisor response includes numbered citations showing which source content was retrieved and used. |
| Privacy-Enhanced | Personal identifiers are not sent to any AI API. Usage event logging captures metadata only — never message content. Users control their data and can delete all of it at any time through self-service account deletion. Data minimization principles guide what we collect and retain. |
| Fair — with Harmful Bias Managed | System prompts instruct the AI to provide balanced, framework-grounded guidance without bias toward specific vendors, tools, or approaches. Guidance scales to organizational maturity and PM methodology rather than assuming a one-size-fits-all approach. |
Additional Framework Alignment
- ISO/IEC 42001 — Our approach to AI system management follows the structure of an AI management system, including defined scope, risk assessment, and operational controls.
- EU AI Act — AIPMO's advisory chat and site assistant would be classified as limited-risk or minimal-risk systems under the EU AI Act's risk-based approach. We apply transparency obligations voluntarily, including clear disclosure that users are interacting with an AI system, and Aidan identifies itself as an AI assistant when asked.
- OECD AI Principles — We align with the OECD principles of transparency, explainability, accountability, and human-centered values in our design and operation.
- UNESCO Recommendation on the Ethics of AI — Our emphasis on human oversight, proportionality, and user agency reflects the UNESCO recommendation's values of transparency and responsibility.
Continuous Improvement
AI governance is not static, and neither is this page. As our platform evolves, we commit to:
- Updating this page when we introduce new AI capabilities or change how data is processed.
- Incorporating member feedback into our governance practices through the platform's feedback mechanism.
- Expanding the knowledge base as new AI governance sources are published.
- Tracking document staleness to alert users when generated content may need updating due to profile or knowledge base changes.
Questions or Concerns
If you have questions about how AIPMO uses AI, how your data is handled, or any aspect of our governance practices, please contact us at:
Email: info@aipmo.co
Website: aipmo.co