AI Responsible Use
Last reviewed: May 26, 2026
1. What we build
Loom builds production AI for the Fortune 500, AI platforms, government programs, and fast-scaling companies. The work takes three shapes: reasoning architecture, production AI at the decisions a company cannot afford to get wrong, and forward-deployed engineering inside the customer's repo and CI/CD.
Every engagement is governed by a Master Services Agreement and a per-engagement Statement of Work. Customer data is handled under a Data Processing Agreement.
2. What we do not build
We decline engagements in the following categories:
- Consumer-facing chatbots that misrepresent themselves as human. Disclosure of AI involvement is non-negotiable.
- Surveillance or biometric-identification systems sold to law enforcement or other state actors without independent civil-rights oversight.
- Autonomous weapons systems and kinetic-effect systems. No lethal-effect work, no targeting systems, no battlefield decision support.
- Persuasion or manipulation systems aimed at political behaviour. No micro-targeting for political campaigns, no synthetic-media systems designed to deceive about a public figure.
- Systems whose primary function is to deceive their users. If the user does not benefit from the truthful operation of the system, we will not build it.
This list is non-exhaustive. We reserve judgment on the close cases; a Loom principal makes the call before an engagement is signed, and the rationale is recorded internally.
3. Training-data posture
We fine-tune and adapt models on customer-supplied data. We use commercial frontier models (OpenAI, Anthropic, Google, others) as production inference layers.
Customer data used for fine-tuning or evaluation is governed by the engagement DPA and the per-engagement SOW. Customer data is never combined across engagements. Customer data is never used to improve Loom's reusable IP without explicit, written, narrowly-scoped consent.
4. Production controls
Every production deployment includes, at minimum:
- An evaluation harness that runs against the deployed system continuously, not only at training time, so silent quality regressions surface (see SLOs for agents).
- Refusal policies encoded into the orchestration layer, so the system declines when inputs are ambiguous or out of scope rather than guessing.
- Audit trails recording every decision, model call, retry, and refusal as primary evidence — sufficient to reproduce any outcome (see Orchestration is where projects die).
- Replay capability, so an incident can be re-run from any point with full state.
- Human-in-the-loop checkpoints on any decision with material consequences for a person — hiring, credit, healthcare, legal, safety.
These are not optional in our engagements. If a customer wants to ship without them, we do not take the work.
5. Compliance posture
We design for the regulatory frameworks our enterprise customers operate under, including the EU AI Act, NIST AI Risk Management Framework, and sector-specific rules (HIPAA, GLBA, FCRA, GDPR, CCPA).
6. Raising a concern
If you have a concern about a specific engagement or about a Loom-built system you have encountered, please contact us at responsible-ai@loom.technology. Engagement-specific concerns are routed to the engagement lead and a Loom principal; we aim to acknowledge within two business days.
7. Internal governance
This statement is the public-facing summary of our internal AI ethics and safety policy. The internal document includes engagement decision criteria, escalation paths, and review cadences.