Artificial and Autonomous Technology Standard
Organization: FrontRunnerHC, Inc. (FRHC)
Parent Policy Reference: Summit Technology Holdings – Artificial & Autonomous Technologies Policy
Framework Reference: Secure Controls Framework – Artificial & Autonomous Technologies (AAT)
1. Purpose
Section titled “1. Purpose”This standard defines how FrontRunnerHC (FRHC) implements the enterprise-wide Artificial & Autonomous Technologies requirements established by Summit Technology Holdings, LLC (STH). It documents the governance practices and situational awareness controls applied to AI, machine learning, robotic process automation, and other autonomous technologies used across FRHC’s operations.
2. Applicability
Section titled “2. Applicability”This standard applies to all artificial intelligence and autonomous technology systems developed, acquired, or deployed by FRHC, including internally built systems, third-party SaaS features, embedded AI capabilities within platforms, and any AI services integrated into applications used by the FRHC workforce. It applies regardless of whether the AI/AT system directly processes ePHI, as emergent behaviors and indirect exposures may affect systems that do.
3. Standard
Section titled “3. Standard”3.1 AI & Autonomous Technologies Governance
Section titled “3.1 AI & Autonomous Technologies Governance”FRHC incorporates AI and autonomous technology risk into its enterprise risk assessment and cybersecurity governance framework. All proposed and in-use AI/AT use cases are identified, assigned an accountable owner, and evaluated through a risk assessment process prior to production use and upon any material change. Governance oversight is led by senior leadership, and risk outcomes are reviewed regularly. FRHC ensures that AI/AT systems comply with applicable legal, security, privacy, and ethical requirements.
- Parent Policy Mapping: STH Artificial & Autonomous Technologies Policy, Section 3.1
- SCF Mapping: AAT-01 (Artificial Intelligence (AI) & Autonomous Technologies Governance)
3.2 Situational Awareness of AI & Autonomous Technologies
Section titled “3.2 Situational Awareness of AI & Autonomous Technologies”FRHC maintains situational awareness of all AI and autonomous technologies used within its environment. This includes internally developed capabilities as well as AI functionality provided through third-party platforms and services.
An inventory of AI and autonomous technologies is maintained in coordination with STH and includes, as applicable:
- System or service name
- Business purpose and use case
- Data types processed (e.g., PII, ePHI)
- Responsible owner
- Hosting or deployment model
- Risk tier and lifecycle status
The inventory is reviewed and updated periodically to ensure accuracy and to support ongoing risk management, monitoring, and decommissioning activities.
- Parent Policy Mapping: STH Artificial & Autonomous Technologies Policy, Section 3.2
- SCF Mapping: AAT-02 (Situational Awareness of AI & Autonomous Technologies)
4. Compliance & Governance
Section titled “4. Compliance & Governance”FRHC maintains evidence supporting AI and autonomous technology governance, including risk assessments, use-case approvals, and inventory records. Evidence is retained and made available to Summit Technology Holdings, LLC (STH) to support enterprise governance, audit, and compliance activities.
5. Enforcement
Section titled “5. Enforcement”All users (employees, contractors, part-time and temporary workers) and those employed by others to perform work for the organization, or who have been granted access to IT assets or facilities, are covered by this standard and must comply with its associated policies, procedures, standards and guidelines.
Failure to comply with this standard and associated guidelines may result in suspension of use privileges or other disciplinary actions up to and including termination and/or legal action.
6. References
Section titled “6. References”Parent Policy:
- Summit Technology Holdings – Artificial & Autonomous Technologies Policy
Regulatory Requirements:
- HIPAA Security Rule:
- 45 CFR §164.308(a)(1)(ii)(A) – Risk Analysis
- 45 CFR §164.308(a)(1)(ii)(B) – Risk Management
- AICPA SOC 2 Trust Services Criteria:
- Security (CC7.2, CC7.3)
- Privacy (P8.1, P8.2)
Framework Alignment:
- AAT-01 – Artificial Intelligence (AI) & Autonomous Technologies Governance
- AAT-02 – Situational Awareness of AI & Autonomous Technologies
7. Revision Tracking
Section titled “7. Revision Tracking”| Rev | Description | Date | Approved |
|---|---|---|---|
| - | Policy created | March 2025 | M Machin |
| 1.0 | Converted to Standard | April 2026 | M Machin |
| 2.0 | Reviewed and approved for 2026 | July 2026 | M Machin |
