PagerDuty Guidelines for the Safe and Secure Use of Generative AI
As part of PagerDuty’s continuing commitment to our customers and continually working to earn our customer’s trust in us as a vendor, we are sharing our some of our key current guidelines for the safe and secure use of generative AI throughout the product life cycle, from design to development to test and ultimately to providing to our customers. We want our customers to understand how we approach the use of generative Artificial Intelligence technologies and how we are working to advance the responsible use of AI, and generative AI, within PagerDuty and within PagerDuty’s products and services.
Generative AI tools provide new ways to create content, explore ideas or to synthesize information, and have the potential to support all areas of PagerDuty’s business including product functionality, research and development and customer support. PagerDuty’s guidelines for the safe and secure use of generative AI are based on our core values, including our commitments to championing the customer, and our robust Information Security Policies, Procedures and Standards and are intended to ensure the secure, safe and ethical use of AI within PagerDuty and within PagerDuty products.
I. Coding with AI Tools
The use of generative AI solutions as part of coding and development must align our with secure system development lifecycle discipline, including the following overall guidelines:
- Design Principles: When designing new features, the functional specifications must be clear, accurate and comprehensive, regardless of whether an AI tool is used to help develop any code. Alignment with the functional specifications must be validated during the overall testing phase.
- Development Principles: Using an AI tool to create code should not preempt any component of Secure System Development Lifecycle (S-SDLC) discipline for developing that code. Development timelines must continue to include time and effort to review any code created with AI assistance, including logic and function tests, as part of PagerDuty’s standard S-SDLC.
- Training Principles: Training of AI assisted functionality must be performed using artificial data sets. Artificial datasets may be generated from PagerDuty’s own datasets resulting from PagerDuty’s use of PagerDuty’s products and services following PagerDuty’s approved anonymization practices.
- Testing Principles: Testing of new features, including AI-assisted code generation, must include explicit testing for logic and functional alignment with the functional specifications identified during the design phase.
- Code Review: All code proposed by a third-party (generative AI or other) must be reviewed for correctness and completeness. Particular care must be taken with any external references or file inclusions proposed by a generative AI solution to ensure that there are no unintended consequences from linked code.
- Promotion to Production: Using an AI tool to create code should not preempt any component of S-SDLC discipline for moving that code to production. Whether code is generated with the assistance of AI tools, reused from another internal project, or written by a PagerDuty employee, it should not be promoted to production without the required code reviews and tests.
II. Use of Generative AI Capabilities in PagerDuty Products and Services
We use the following principles when offering generative AI solutions within our products must align with our secure architecture and data protection requirements, including the following principles:
- Customer Choice Over Whether to Use an Generative AI Feature (Opt-In and Opt-Out): Generative AI will not be used to provide the PagerDuty service to a customer unless that customer opts-in to the use, such as through purchasing purchasing a stand-alone service or enabling an offered feature. Likewise, a customer may choose to stop using, or “opt-out” of, an AI feature at any time.
- Clear Explanations of how we use Generative AI for PagerDuty Features: We are committed to providing clear, easy-to-understand explanations of AI involvement and AI-assisted features and how these features may enrich the customer’s experience, allowing a customer to make an informed opt-in decision.
- Training Generative AI Models: If a customer opts-in for a generative AI feature, we will use that customer’s data for their own functionality; as we as an industry learn the limits of generative AI and data protection, we will not use that customer’s data to train an AI model that may benefit other parties unless that customer gives explicit permission for that type of training.
- Human in the Loop: PagerDuty recognizes that with current generative AI technology, outputs may not contain all the pieces a human specialist would have included, and may not even be correct. We are committed to designing our AI offerings to allow for a “human in the loop” who is given the opportunity to review, modify, and decide whether and how to use AI proposed outputs, such as proposed incident response summaries.
As a reminder, adherence to these principles does not change our commitment to data protection as laid out in our Data Security Policy.
III. Generative AI and the FedRAMP Authorization Boundary
As PagerDuty continues down its FedRAMP authorization path, we are committed to ensuring that the use of generative AI solutions is in line with FedRAMP requirements and can be made available to Federal customers in a timely manner.
- Security Impact Analysis: As with all new features, any use of generative AI as part of PagerDuty products and services will complete and comply with PagerDuty’s Security Impact Analysis discipline (part of PagerDuty’s broader Secure Systems Development Life Cycle).
- FedRAMP Authorization Boundary: As with any new security impacting functionality, generative AI solutions cannot be moved into PagerDuty’s FedRAMP Authorization Boundary until a Significant Change Request has been approved by the appropriate authorizing agency(ies). Federal customers wishing to use these solutions prior to their authorization must perform their own risk assessment prior to adopting.
We are excited about the promise of generative AI and other types of AI and are committed to its safe and secure use to help PagerDuty customers to improve their operations beyond what they ever thought was possible.