Infosys Limited: G7 Hiroshima AI Process (HAIP) Transparency Report

At Infosys, AI systems can be classified into four risk levels—Prohibited, High, Limited, and Minimal. 

Prohibited AI Use Cases: AI systems that pose an unacceptable risk to fundamental rights and safety are prohibited.

High-Risk AI Use Cases: AI systems that significantly impact fundamental rights and safety but are not outright prohibited are considered high-risk. They require stringent obligations before they can be deployed.

Limited Risk AI Use Cases: AI systems in the limited risk category must comply with basic transparency requirements, such as informing users that they are interacting with an AI system.

Minimal Risk AI Use Cases: Minimal risk AI systems pose little to no risk to users' rights or safety and are therefore subject to the least stringent regulatory requirements. 

Infosys Responsible AI Office continuously does a market scan for AI risks, vulnerabilities, incidents and risks emerging due to misuse of technology. These vulnerabilities are then assessed for exposure in various projects and also identifies fixes to mitigate the vulnerabilities. These are then cascaded to all the project teams that are exposed for such vulnerabilities. Also, all AI Use cases must mandatorily undergo Impact and risk assessment, and the identified risks must be mitigated throughout the AI lifecycle.

Infosys evaluates AI systems through structured adversarial testing, including automated and manual red-teaming, to identify vulnerabilities and ensure ethical, secure, and resilient performance. Findings inform remediation and compliance checks under Responsible AI governance before production deployment, aligning with ISO 42001 and global safety standards.

Yes

Yes. Infosys applies both quantitative and qualitative risk metrics during AI evaluations, with caveats wherever applicable. These caveats depend on the type of the project, the applicable jurisdiction and regulations, the AI Use case and the project context. These are documented in governance reviews. Vulnerability and incident reporting channels are accessible to all project stakeholders. Additionally, Infosys encourages responsible disclosure through defined communication channels, ensuring transparency and continuous improvement under its Responsible AI framework subject to client and project confidentiality clauses.

Yes. Infosys engages external independent experts for risk identification, assessment, and evaluation through audits and advisory reviews. The periodic external audits for ISO 42001 and the constant assessment of our best practices with industry leading research analysts help us to identify, evaluate and mitigate the risks. Our strong partner and vendor ecosystem also helps us to proactively identify risks, incidents and vulnerabilities by 3^rd parties.

Yes, Infosys both adopts and contributes to international standards for AI risk management.

We are ISO/IEC 42001 certified, with processes aligned to global frameworks like the NIST AI Risk Management Framework, EU AI Act, and other sector-specific guidelines.

We also actively participate in shaping standards through consultations and working groups, including ISO, NIST, OWASP, World Economic Forum (WEF) and Coalition for Content Provenance and Authenticity (C2PA) etc. ensuring our AI practices reflect global best practices in governance, transparency, and accountability.

Infosys collaborates with clients, industry bodies, and regulatory forums to assess systemic AI risks and implement mitigation measures. Our clients operate across sectors. We participate in global industry bodies like ISO, OWASP and Coalition for Content Provenance and Authenticity (C2PA) to identify the risks. Our regular assessment of AI Use cases through our internal risk management process, helps in identifying the specific systemic risk for a Use case implementation. Our AI risk management process, aligned to global frameworks like NIST AI Risk Management Framework and EU AI Act, helps us to address the identified systemic risks for a Use case implementation. 

Infosys addresses risks across the AI lifecycle through Responsible by Design principles, impact assessments, risk registers, and governance reviews. Measures include bias detection, adversarial testing, privacy safeguards, and continuous monitoring. Findings inform remediation and compliance under ISO 42001 and Responsible AI frameworks, ensuring ethical and secure deployment.

Testing measures, including adversarial and stress testing, feed directly into Infosys’ AI Life cycle. Identified risks are logged in the risk register, prioritized, and addressed through design adjustments, governance reviews, and compliance checks under Responsible AI process guidelines, ensuring continuous improvement and alignment with ISO 42001 standards

Testing occurs in secure, controlled environments during development and pre-deployment phases as per the client and project requirements. The timelines are as per the project schedule and would include isolated infrastructure with strict access controls, encryption, adversarial and stress testing as per the project requirements.

Infosys ensures data quality through rigorous validation, provenance checks, and ethical sourcing. Bias mitigation includes diverse dataset curation, fairness audits, and algorithmic reviews during training and collection stages. These measures align with Responsible AI principles and ISO 42001 standards, promoting transparency and reducing harmful bias risks.

Infosys safeguards intellectual property through strict compliance with copyright laws, secure data handling, and contractual controls. AI systems are trained on ethically sourced, licensed datasets, and outputs are monitored to prevent infringement. Every AI Use case goes through an internal risk assessment and IP legal check, and copyright violation are integral part of the internal risk assessment process.

Our organization protects privacy by restricting the use of personal, sensitive or confidential data and enforcing strict Responsible AI checks with required approvals before any data is used. We document and validate data sources, rights, and security controls to prevent unauthorized disclosure and ensure compliance with privacy requirements throughout the AI lifecycle. Further, every AI Use case goes through an internal risk assessment and Data Privacy check for safeguarding confidential or sensitive data is an integral part of the internal risk assessment process.

i. Infosys assesses cybersecurity risks through continuous vulnerability scans, penetration testing, and threat modeling for AI systems. Policies enforce encryption, secure coding, and access controls. Governance aligns with ISO 42001 and Responsible AI principles, ensuring resilience against evolving threats and safeguarding advanced AI systems throughout their lifecycle.

ii. Infosys protects critical IP and trade secrets through secure environments with strict access controls, encryption, and role-based permissions. These are managed within client environments for client projects and through licenses for Infosys IP. Proprietary model weights, algorithms, and datasets are stored in isolated infrastructure within client environment with monitoring and compliance checks under Responsible AI governance and ISO 42001 standards, ensuring confidentiality and integrity.

iii. Infosys follows a structured vulnerability management process involving continuous monitoring, risk register updates, and remediation cycles. Identified risks are addressed by first assessing the exposure, finding remediation steps and cascading the impact and remedial measures to the impacted Use case teams.

iv. Infosys reviews security measures regularly through scheduled audits, governance reviews, and compliance checks. Assessments occur at least annually and during major system updates, or on demand depending on the severity of the risk, ensuring alignment with Responsible AI principles, ISO 42001 standards, and evolving cybersecurity best practices for AI systems.

v. Yes. Infosys has an insider threat detection program integrated into its information security framework. It includes continuous monitoring, and strict access controls for sensitive AI assets. These measures align with Responsible AI governance and ISO 42001 standards to prevent unauthorized access and safeguard critical information.

To Infosys addresses vulnerabilities, incidents, emerging risks, and misuse across the AI lifecycle through continuous monitoring, risk register updates, and governance reviews. Post-deployment, measures include audits, bias checks, adversarial testing, and tests for identifying model and data drifts.

1. These are updated as per client project requirements for the client Use cases. For internal Use cases, these are updated annually or whenever there is a significant change in the functionality, data or model upgrade.

2. Significant releases are reflected by change in version changes of the technical and / or process documentation and communicated through relevant channels to the appropriate audience.

3. The documentation are available in internal portals and websites and accessible to developers based on their roles and access controls. For client projects, these are subject to client project requirements.

The outcome of evaluations of risks and impacts to the client Use case are shared with the relevant stakeholders as per the client contractual agreements.

These are subject to client contractual agreements and shared with the relevant stakeholders as per the project requirements.

Yes, subject to client contractual agreements and project requirements.

Yes, subject to client contractual agreements and project requirements.

Our organization has a comprehensive ISO 42001 certified AI Governance Program. The program provides end-to-end oversight across the AI lifecycle, covering risk management, accountability, transparency, human oversight, data governance, and regulatory compliance. These are updated annually or when triggered by regulatory changes, emerging risks, audits, or technological advancements, ensuring alignment with ISO 42001 standards and global best practices.

Yes. Infosys trains relevant staff through structured programs, including Responsible AI literacy workshops, e-learning modules, and governance briefings. Training covers risk management practices, ethical AI principles, and compliance requirements, ensuring employees understand and apply policies effectively across the AI lifecycle

Yes. Infosys communicates its risk management policies to users through Responsible AI documentation, and to public through various public events. These includes publishing ethical guidelines, participating in industry forums, events, awards and sharing governance practices via consortiums and regulatory platforms, ensuring transparency and alignment with ISO 42001 standards

Yes, all reported incidents and their corresponding mitigation steps are documented and maintained centrally under the Responsible AI Office. Each incident is recorded in a structured manner, followed by root cause analysis and closure tracking to support audit and compliance requirements.

Infosys shares information on vulnerabilities to all the relevant teams over email and incidents, AI risks through internal governance forum, the AI War Room, OFFERING reports and cross-functional reviews involving Legal, Risk, and Security teams to ensure timely awareness and coordinated action.

Yes, Infosys shares relevant AI incident information with stakeholders such as internal governance bodies, clients, and regulatory partners as appropriate. Public reporting is done only when required under compliance or contractual obligations, ensuring confidentiality and responsible disclosure.

We generate market scan reports every month which gives a snapshot of the AI market (especially enterprise AI), including trends, regulatory shifts, risks, opportunities, and how organizations can adopt AI responsibly.

Yes. Infosys aligns its Responsible AI framework with global standards, including ISO/IEC 42001, NIST AI Risk Management Framework, EU AI Act, and UNESCO ethical principles, ensuring robust governance, risk mitigation, and compliance across AI lifecycle

Infosys advocates transparency by implementing clear AI interaction disclosures. Users are informed when engaging with AI systems through explicit notifications and labeling mechanisms, aligned with Responsible by Design principles for ethical and accountable AI deployment. These include visible disclosures, onboarding messages, and accessible documentation. For sensitive use cases, consent options and ability to engage a human are provided. The implementation of these are per the client and project requirements.

Yes. Infosys advocates content provenance measures like labeling and watermarking for AI-generated outputs, ensuring transparency. These mechanisms follow global best practices and align with standards such as ISO/IEC 42001 and NIST AI RMF for ethical and accountable AI governance. The implementation of these are per the client and project requirements.

Infosys advances research and investment through its Responsible AI Office, focusing on security, fairness, transparency, explainability, and robustness. Initiatives include bias detection, adversarial resilience, and open-source Responsible AI Toolkit, aligned with global standards like ISO 42001 and NIST RMF for trustworthy AI systems. This is accelerated by regular market scan which feeds to the research team.

Infosys collaborates with global forums and invests in research to strengthen content authentication and provenance. Initiatives include partnerships, open-source tools, and adherence to guidance provided by Coalition for Content Provenance and Authenticity (C2PA) and ISO/IEC.

Yes. Infosys actively participates in global collaborations and research projects to advance AI safety, security, and trustworthiness. Investments include participation in and contributions to working groups of EU AI Office, NIST, WEF, ISO and UNESCO.

Infosys invests in Responsible AI research to reduce socio-economic and environmental risks by promoting fairness, inclusivity, and sustainability. Initiatives include bias mitigation, energy-efficient AI practices, and alignment with global standards like UNESCO recommendations for Ethical AI and sustainable AI development. Infosys invests in sustainable AI research by promoting ethical, efficient, and responsible AI development, including autonomous systems, that are designed to optimize resources and reduce the overall carbon footprint.

Infosys invests in AI research to maximize socio-economic and environmental benefits through initiatives like energy-efficient AI, inclusive solutions, and sustainability-focused projects. Examples include AI for renewable energy optimization, open sourcing the Infosys Responsible AI Toolkit and social impact programs through collaborations with industry forums, academia and startups.

Yes. Infosys supports digital literacy and AI education through initiatives like Infosys Springboard and AI training programs, helping users understand AI’s capabilities, limitations, and impacts. These programs promote responsible AI awareness and ethical use globally.

Yes. Infosys prioritizes AI projects aligned with UN Sustainable Development Goals through its Responsible AI framework, focusing on human-centric solutions. Examples include AI for renewable energy optimization and social impact initiatives promoting inclusivity and sustainability. We embed responsible AI principles such as fairness, transparency, privacy, and human oversight across the full AI lifecycle through our governance framework and Responsible AI Toolkit.

Yes — Infosys collaborates with civil society, academia, and community organizations to develop AI solutions that support the UN SDGs. For example, we co-developed the AI-powered Sustainability Atlas with Economist Impact (Economist Impact and Infosys Launch The Sustainability Atlas to Help Businesses Navigate a Sustainable Future) to advance climate and social decision-making, and through the Infosys Foundation’s Aarohan Social Innovation Awards, we support NGOs and social innovators building technology for education, healthcare, and environmental sustainability. These partnerships ensure our AI initiatives address real community needs and contribute to inclusive and sustainable development.