Koji Compliance

AI governance

Koji's posture on responsible AI: classification under the EU AI Act, alignment with ISO/IEC 42001, transparency about how the AI works, mandatory human oversight, and the contractual commitment never to train models on customer data.

Last updated: May 2026
Applies to: All AI processing within Koji

The short version: Customer data is never used to train AI models. The AI is designed to support human researchers, not replace them. Every insight is traceable back to the source transcript. Customers can choose their model provider, including their own enterprise LLM contracts.

What AI does inside Koji

  • Interview moderation: A text or voice model conducts the interview against the question guide the customer configured, with follow-up logic the customer can tune.
  • Quality scoring: A model rates each completed conversation on relevance, depth, coverage, and completion, on a 1-to-5 scale.
  • Theme extraction and synthesis: A model reads completed transcripts and produces structured themes, recommendations, and an executive summary.
  • Operational AI: A model assists with the conversational research-brief setup and similar customer-configured tasks.

Classification under the EU AI Act

The EU AI Act (Regulation (EU) 2024/1689) classifies AI systems by risk. Koji's general customer-research use case is limited-risk: the AI interacts with natural persons (interview participants), which triggers the Article 50 transparency obligation but does not trigger high-risk vendor obligations.

Koji's deployment posture for that obligation:

  • Participants are informed they are interacting with an AI interviewer before the conversation begins. The intake screen and the agent's opening turn both make this explicit.
  • Customers are responsible for ensuring their own use of Koji does not slide into a higher-risk category (for example, by using AI-generated outputs to make decisions producing legal or similarly significant effects on individuals, which would implicate Annex III).

Where a customer's specific deployment may fall into the high-risk category, Koji works with the customer's legal team to implement additional safeguards: documented risk-management process, expanded human oversight, expanded technical documentation, and the post-market monitoring required by the Act.

Alignment with ISO/IEC 42001

ISO/IEC 42001:2023 is the first international standard for AI management systems. Koji's AI governance program is structured around the standard's clauses and Annex A controls, including:

  • A documented AI policy committing to responsible AI development and deployment.
  • Defined roles and accountability for AI-related decisions.
  • Risk assessment and impact assessment processes for AI features.
  • Data-quality, data-governance, and data-management controls aligned with the customer's privacy obligations.
  • Logging and monitoring of AI behavior to support post-market observation.
  • Customer-facing transparency about how AI features work and their limitations.

Formal ISO 42001 certification is on the medium-term roadmap. Current alignment is documented and available to enterprise customers as part of due diligence.

The no-training commitment

Koji does not use customer interview data to train, fine-tune, or improve any AI model, including our own. This commitment applies to:

  • The models Koji recommends and operates by default
  • The models a customer connects under their own enterprise LLM contracts (contractually protected by the customer's own enterprise agreement with that provider)
  • Models that Koji provisions and manages on the customer's behalf (under an enterprise tier agreement with the model provider)

This commitment is reflected in the DPA and is part of the contractual relationship with each customer.

Model selection and flexibility

Customers choose how AI is provisioned in their deployment:

  • Koji-recommended models selected for quality, latency, residency, and cost; provisioned and managed under Koji's enterprise agreements with the providers.
  • Your own enterprise LLM contracts (for example, OpenAI Enterprise, Anthropic, Azure OpenAI, Google Cloud Vertex). Koji integrates with the customer's existing contracts; data flows under the protection of the customer's own agreement with their provider.

When models change (because a better model becomes available, or because the customer asks us to switch), the customer is notified.

Transparency and traceability

  • Every insight links back to the source: Every theme, recommendation, sentiment label, and chart in a Koji report is traceable to the specific transcript turns that support it. Reviewers can audit the chain of reasoning.
  • Quality scoring logic is documented: The 1-to-5 rubric is published and reviewable.
  • Prompt transparency: Enterprise customers can inspect and modify the prompts that drive interview moderation, quality scoring, and report generation.

Human oversight

  • The AI moderator follows a customer-defined question guide. The human researcher retains control of what is asked and how deeply each topic is probed.
  • Quality scoring is presented to researchers as a signal, not as a gate; researchers can override and re-rate conversations manually.
  • Generated reports are intended as starting points for human-led synthesis, not as final deliverables. Every chart and theme can be reviewed, edited, or rejected.

Safety controls

  • Real-time termination of off-track or abusive conversations.
  • Content guardrails aligned with the model providers' safety policies, with customer-configurable compliance vocabulary where the deployment requires it.
  • Quality gating: Only conversations that meet a minimum quality threshold (3 or higher on the 5-point rubric) are counted toward usage.

Fairness, bias, and inclusivity

Bias in AI-moderated interviews can show up in two places: the model's behavior during the conversation, and the model's synthesis of the resulting transcripts. Koji's mitigations:

  • Multilingual support (30 plus languages) so participants can respond in the language they think in.
  • Configurable prompts so customers can tune for the cultural and demographic context of their audience.
  • Sentiment and theme extraction is presented for human review, not as a final ground truth.
  • Periodic internal evaluation of model behavior on standard fairness benchmarks for the models in our managed offering.

Documentation available to enterprise customers

  • Model cards for the models in the managed offering
  • System architecture overview
  • AI risk assessment for the customer's intended deployment
  • Sample model output evaluations
  • Internal testing summaries

Request these from [email protected] with your company name; turnaround is typically two business days.

Questions about this document? Contact compliance.