Responsible AI

How Mitochondria governs the systems it builds.

Mitochondria builds agentic systems that act within a defined mandate, record their reasoning, and leave consequential judgement with people. This page sets out how that is governed, and where Mitochondria sits under the EU AI Act.

Last reviewed June 2026
01 Where we sit under the EU AI Act

The Act sorts AI systems by the risk they carry. Mitochondria has classified its own against it, and they fall within the limited and minimal tiers. No Mitochondria system is high-risk as defined in Annex III, and none engages a practice prohibited under Article 5. Where a system speaks with a person, it makes clear that it is an AI. The people who build and run these systems are trained to understand their limits, which the Act requires and Mitochondria records.

Mitochondria is a deployer of third-party foundation models rather than their developer. The obligations that attach to the models themselves rest with the providers. Mitochondria's responsibility is the systems it builds on top of them, and the way those systems are deployed.

Figure: the EU AI Act's four risk tiers.
Prohibited: banned outright.
High-risk: Annex III, heavy obligations.
Limited: transparency duties (Mitochondria operates here).
Minimal: no specific obligations (Mitochondria operates here).
Mitochondria operates within the limited and minimal tiers.
02 How we govern it

Several of these commitments are set out in full elsewhere on the site. Rather than restate them, this page names each and points to where it is detailed, so the governance reads as one system.

Human oversight
Systems act within a mandate and hand uncertain or consequential cases to a person, on thresholds the client sets. See: Our Approach; Data Governance Policy, section 11.
Decision traceability
Every decision the system makes is logged, attributed and explainable, so an audit trail forms as the work runs. See: Data Governance Policy, section 10.
Privacy by design
Data is processed transiently, stays the client's property, and is not used to train models. See: Data Governance Policy, sections 3 to 5.
Security
Mitochondria is ISO 27001:2022 certified, with independent vulnerability and penetration testing. Fuller security detail is available to clients on request.
Fairness
Systems are reviewed for skewed or unequal outputs, consequential outputs stay under human review, and individuals are not profiled to infer sensitive traits.
AI literacy
The people who build and operate the systems are trained to understand what they can and cannot do, and the training is recorded.
03 What we align to

Mitochondria measures its practice against recognised external standards.

EU AI Act
Regulation (EU) 2024/1689, the European risk-based regime for AI. Mitochondria classifies every system against it and operates within the limited and minimal tiers.
NIST AI Risk Management Framework
The voluntary framework for managing AI risk, organised around four functions: govern, map, measure and manage. Mitochondria takes it as its operating model and records the alignment against its own controls.
ISO/IEC 42001
The international standard for AI management systems. Mitochondria is preparing towards it, as it already holds ISO 27001 for information security.
04 What we do not build

Mitochondria's boundaries are set by design. It does not build into the high-risk or prohibited areas of the Act, and it will not take on work that would require it to.

No system that decides a person's credit, lending, insurance or underwriting outcome.
No system that scores, ranks or profiles employees, or decides hiring, promotion, termination or the allocation of work.
No emotion recognition from voice or face, and none at all in a workplace or a classroom.
No biometric identification, and no categorisation of people by sensitive traits.
No social scoring of individuals from their behaviour.
05 Where the detail lives

This page states the position. The mechanisms sit in the documents that govern the work: an AI governance policy that sets out the roles, the oversight gates a system passes before it runs, and how its outputs are tested, shared with clients on request; the Data Governance Policy for data handling, oversight and traceability; Our Approach for how co-intelligence works in practice; and the Terms of Service for the limits of automated output and the client's part in reviewing it. Mitochondria is ISO 27001:2022 certified, with its controls aligned to the GDPR, UK GDPR and India's DPDP Act.

Questions

Worth asking.

Is any Mitochondria product high-risk under the EU AI Act?
No. Annex III high-risk uses, such as deciding creditworthiness or making hiring decisions, are areas Mitochondria does not build into. Its systems carry the work around such decisions and leave the decisions to people.
Does Mitochondria make automated decisions about people?
No decision with a legal or similarly significant effect is made by the system alone. A person stays in the loop on consequential calls, on thresholds the client sets. Where personalisation uses a profile, it is disclosed.
Which AI models does Mitochondria use?
Third-party foundation models, and the systems are model-agnostic. Mitochondria is a deployer rather than a developer of these models, so the model-level obligations rest with the providers. Client data is never used to train or fine-tune them.
Is Mitochondria certified under the EU AI Act?
Mitochondria classifies its systems, meets the transparency and literacy duties that apply, and keeps the assessment on record. The verifiable certification Mitochondria holds is ISO/IEC 27001:2022.
Does Mitochondria align to the NIST AI Risk Management Framework?
Yes. It is Mitochondria's operating model for AI risk. Practice is mapped to the four functions, govern, map, measure and manage, in a register held against the firm's own controls, with an AI governance policy behind it. The framework is voluntary and has no certificate, so this is stated as alignment, not compliance.
How does Mitochondria keep its systems fair?
Fairness is shared between Mitochondria and the client. On Mitochondria's side, outputs are checked for skew and consequential ones stay under human review, and no individual is profiled to infer sensitive traits. On the client's side sit the data the system is given to work from and the decisions taken at the review points, which is where much of a fair outcome is determined. Where personal data is involved, the split follows the controller and processor roles set out in the Data Governance Policy.
