Answer yes if guardrails are in place to restrict the automatic implementation of outputs from any automated decision-making technologies (ML, AI agents, etc.), that might have an adverse impact on critical systems or services.
Organisations are increasingly relying on automated decision-making technologies (e.g. machine learning , AI agents, etc.) for use cases where automated decisions may be used without human review. For example, this might be part of a security solution to identify potentially malicious behaviour and automatically implement certain countermeasures. This control seeks to understand whether you have safeguards in place to ensure these technologies are prevented from potentially making changes that could have a negative impact on your security posture.
Automated decision-making technologies have significant potential to increase the efficiency and effectiveness of many things. However, organisations should ensure that there are appropriate controls in place to govern their use, limit unintended consequences, and enable oversight and intervention where required.
Your AI Policy should include a framework that defines how risk assessments are formed against the use of any automated decision-making capabilities. As with any technology deployment, an organisation should consider the benefits and risks of using such capabilities, and this assessment should be conducted in line with your AI policies to ensure you are aligned with any regulatory or industry best practices regarding the adoption of automated decision-making technologies and that automated decision-making capabilities are constrained to prevent actions that could adversely impact the confidentiality, integrity, or availability of a critical systems or services.