AI Security Clearance
A structured decision, supported by evidence, on whether an AI system can reach production and under what controls.
AI Security Clearance is the artefact an AI Committee or its delegate produces at the end of a structured security review. It is not approval (that is a business decision), and it is not certification (which requires an accredited third party). It is the security gate that an AI system must pass before reaching production, and it is the document that names what controls are in place, what evidence supports those controls, and what re-assessment triggers apply.
A clearance decision is one of five states: proceed (unconditional), conditional (proceed with named conditions), restricted pilot only (limited deployment with re-review), hold (more work required), or decline (do not deploy). Most production-grade AI systems receive a conditional clearance on first review.
Clearance is per-system. The clearance for a procurement agent does not transfer to a customer-facing chatbot. Re-assessment triggers — adding a tool, changing the model, expanding the scope — fire a re-clearance.
Clearance is dated and scoped. An undated clearance lasts forever in theory and rarely in practice. A clearance with no scope statement cannot be defended in an audit. A useful clearance names what was reviewed, when, by whom, and under what conditions the decision applies.
Clearance is not compliance. It contributes to compliance evidence: for ISO 42001 clause 8.5 (operational records), for EU AI Act Article 9 (risk management evidence), and for GDPR Article 35 (DPIA where applicable). It does not certify any of those.