AI Risk Management Policy
Version 1.0 — Effective June 30, 2026 — Last reviewed June 2026
Owner: Sufyan, Founder — support@resublue.com
Colorado AI Act Notice (SB 24-205)
This policy fulfills the written AI risk management documentation requirement under the Colorado Artificial Intelligence Act (SB 24-205, effective June 30, 2026). ResuBlue deploys AI that assists with employment-related content (resumes, cover letters, ATS analysis) and is therefore a deployer of a high-risk AI system under the Act.
Colorado residents may exercise their rights under SB 24-205 (opt-out, correction, human review) by contacting support@resublue.com. We respond within 30 calendar days.
1. High-Risk AI Systems
The following ResuBlue features involve AI used in employment-related contexts, qualifying them as high-risk under SB 24-205 §3(4)(a)(I):
| Feature | AI Role |
|---|---|
| Resume Bullet Generator | Drafts resume bullets from user input |
| Resai Chat Agent | Career coaching and resume feedback |
| ATS Score Simulator | Estimates ATS filter pass likelihood |
| Cover Letter Generator | Drafts cover letter text |
| Proofreader Engine | Flags inflation signals and keyword issues |
| ResuBlue Score | Composite resume quality estimate |
Important: ResuBlue AI does not make hiring decisions. All outputs are drafts for the user to review and edit. No employer has access to AI outputs generated for a user.
2. AI Providers
ResuBlue does not train or fine-tune AI models. We deploy third-party foundation models as a deployer:
| Provider | Model | Role |
|---|---|---|
| Groq (GroqCloud) | Meta Llama 4 Scout | Primary |
| Groq (GroqCloud) | Meta Llama 3.1 8B Instant | Failover |
Model training data, foundation model bias disclosures, and model-level evaluations are the responsibility of Meta AI and Groq. ResuBlue's risk management obligations apply to the system prompts, routing logic, and custom tooling built on top of these models.
3. Risk Identification
| Risk | Likelihood | Severity | Mitigation |
|---|---|---|---|
| Factual inaccuracies in AI output | Medium | Medium | All output labeled AI-generated; users instructed to review before use |
| Training data bias reflected in suggestions | Medium | High | Disclosures provided; bias testing in progress (§7) |
| ATS score overreliance | High | Medium | UI labels scores as estimates; disclaimer displayed |
| Credential hallucination | Low | High | PII detection layer strips identifiers before prompting |
| Provider data breach | Low | High | Groq zero-retention mode on production account |
4. Testing and Validation
Before each production release, ResuBlue runs:
- Regression suite: 16 deterministic checks covering tier enforcement, quota logic, and output sanitization.
- Prompt injection probes: Static red-team evaluation using OWASP LLM Top 10 test cases.
- Garak adversarial probes: Systematic jailbreak testing. Results committed to qa_reports/GARAK_*.jsonl.
- Behavioral E2E suite: 35-phase synthetic human QA covering all AI-facing user flows.
Every AI route enforces input sanitization, output cleaning, authentication, CSRF protection, and a daily usage quota.
5. Consumer Rights (SB 24-205)
- Right to know: At sign-up and on this page, users are informed that AI generates resume content.
- Right to opt out: AI features can be disabled in Account Settings. Disabling prevents content from being sent to Groq.
- Right to correct: All AI outputs are shown in editable fields. Nothing is submitted without user review.
- Right to human review: Contact support@resublue.com to request human review of any AI output.
- Right to explanation: On request, ResuBlue will explain what inputs were used to generate a specific AI output.
6. Incident Response
If a material AI failure is identified (systematic bias, prompt injection exploit, data sent to the wrong provider):
- Affected AI feature disabled within 4 hours of confirmed discovery.
- Affected users notified by email within 72 hours.
- Post-mortem completed within 14 days.
7. Bias Testing
Formal bias testing has not yet been completed. ResuBlue is committed to completing a bias assessment before exceeding 500 active Colorado users. The assessment will test resume bullet generation and ATS scoring across diverse role titles and experience levels to detect differential quality by apparent demographic signals.
Results will be documented in qa_reports/BIAS_ASSESSMENT_*.md and this policy will be updated with findings.
8. Annual Impact Assessment
The first impact assessment under SB 24-205 is due by June 30, 2027. It will cover: purpose and benefits, categories of affected consumers, potential harms and likelihood/severity, existing mitigations, discrimination and bias evaluation, and post-market monitoring plan.
Assessments will be retained for at least 3 years and made available to the Colorado Attorney General on request.
9. Policy Governance
This policy is reviewed annually, or within 60 days of any material change to AI features, providers, or applicable law. Legal counsel consultation is required before expanding AI use to new consequential decision categories.
Questions about this policy: support@resublue.com