What does Responsible AI mean in the context of Applaud?
For Applaud, Responsible AI means using AI in a way that is bounded, governed, observable, secure, and
appropriate for HR service delivery.
Applaud is not a general-purpose chatbot with broad access to HR systems. It is a governed HR service platform
made up of scoped agents, approved knowledge, configured workflows, controlled integrations, and auditable
activity.
A user can only interact with agents they are eligible to use, and each agent only has access to the knowledge,
tools, actions, and workflows configured for its purpose.
Our approach is built around six principles:
- Authenticate the user
- Route them only to eligible agents
- Ground answers in approved knowledge and user context
- Execute actions only through governed, schema-bound tools
- Apply controls proportionate to the risk of the action and channel
- Maintain observability and auditability across AI activity
Does Applaud make employment decisions?
No.
Applaud supports HR service delivery. It can answer questions, guide employees through HR processes, create or
route cases, and initiate configured transactions in systems such as Workday, ServiceNow, or other customer systems.
It does not make decisions about hiring, firing, promotion, compensation, disciplinary action, performance evaluation, or other employment matters.
Those decisions remain governed by the customer's HR policies, systems of record, approval workflows, and
human HR teams.
How do users authenticate?
Users authenticate through the customer's enterprise identity provider (such as Microsoft Entra, Okta, or Google
Workspace) using SAML 2.0, JWT, or another supported SSO mechanism, depending on the customer environment.
Authentication establishes who the user is. Applaud then uses user identity, role, country, organization, language,
and other employee context to determine which agents and experiences are available to them.
How is access controlled?
Access is controlled primarily through agent eligibility.
A user can only interact with agents they are authorized to use. Agent eligibility can be configured using attributes such as role, country, organization, employment type, manager status, language, location, or other customer-defined rules.
This means Applaud does not expose one universal AI agent with blanket access to HR systems. Instead, it
exposes scoped HR agents with bounded knowledge, tools, workflows, and permissions.
Can an employee trick the AI into accessing a manager-only or HR-only agent?
No.
Prompting the AI does not grant access to agents the user is not eligible to use.
Agent eligibility is resolved from authenticated user context and platform configuration. If a user is not eligible for a manager-only, HR-only, or country-specific agent, that agent is not available to them.
How does Applaud prevent the AI from taking unsafe actions?
Actions are executed through governed tools, not through free-form model behavior.
Each tool has a defined purpose, schema, and execution path. Agents do not directly browse or manipulate HR
systems. They call configured tools that connect to systems such as Workday, ServiceNow, or other third-party
APIs.
Tools and actions can also be graded by risk. Low-risk actions may be allowed with minimal friction, while
higher-risk actions can require additional controls such as confirmation, escalation, channel restrictions, or
step-up authentication.
Are confirmation steps always required before an action is submitted?
No.
Confirmation is configurable and should be proportionate to the risk of the action.
For some low-risk transactions, such as submitting feedback or creating a simple request, an additional
confirmation step may create unnecessary friction. For more sensitive or higher-impact transactions, the customer can configure the journey to request confirmation before submission, route for review, or require step-up authentication.
Responsible AI does not mean applying the same control to every flow. It means applying the right level of control for the risk of the action.
How does Applaud handle Workday actions?
Applaud can use governed Workday tools to retrieve information or initiate/update configured transactions.
Examples may include looking up employee profile information, time off balances, leave status, personal
information, or initiating approved transactions such as personal information updates, depending on customer
configuration and Workday setup.
Workday actions are executed through controlled integrations, not by giving the model direct system access. The specific read/write actions enabled for a customer are confirmed during implementation.
How does Applaud handle ServiceNow?
Applaud can integrate with ServiceNow for HR case creation, request forms, queue mapping, routing logic, and
passing conversation context into the case record.
For a customer using ServiceNow as the HR case system of record, Applaud acts as the HR service front door and
creates or routes cases into ServiceNow where escalation is required.
The exact ServiceNow forms, queues, fields, and payloads are configured during implementation.
How does Applaud reduce hallucination risk?
Applaud reduces hallucination risk through grounding, scoped agents, guardrails, and escalation.
Responses can be grounded in approved knowledge sources and retrieved content. Agents are scoped to specific
HR service domains, and the system is instructed not to invent policies, numbers, dates, URLs, or process
guidance where approved knowledge is insufficient.
Where information is missing, ambiguous, sensitive, or not appropriate for AI resolution, the safer path is to clarify, escalate, or create a case.
No responsible vendor should claim that generative AI has zero risk of incorrect output. Applaud's approach is to
reduce that risk and make AI behavior observable, auditable, and governable.
Are answers grounded only in approved knowledge?
For controlled HR policy and process answers, Applaud is designed to ground responses in customer-approved
knowledge and configured data sources.
There may be scenarios where the system provides general guidance or explains that available knowledge is
insufficient. In those cases, the appropriate behavior is to clarify uncertainty and offer escalation rather than
inventing an answer.
The responsible control is not simply "AI always knows." It is: "AI answers from governed sources where possible
and escalates when it should not answer."
Does Applaud provide citations or source traceability?
Yes. Applaud is designed to provide source traceability for knowledge-grounded responses, including references to retrieved knowledge where available.
This helps HR teams understand which content was used and supports continuous improvement of knowledge
quality.
How does Applaud protect against prompt injection?
Applaud treats user input and retrieved content as untrusted.
Prompt injection attempts are checked by guardrails, and prompt injection is blocked. The system also uses
instruction hierarchy and agent/tool boundaries so that user text or retrieved knowledge cannot grant permissions, override agent eligibility, or authorize tools that are not configured for the agent.
What data is sent to the AI model?
The model receives the minimum context needed to complete the task. This may include:
- The user's message
- Relevant conversation context
- Retrieved knowledge snippets
- Necessary employee context, such as role, country, language, or manager status
- Tool results required to answer or complete the request
Applaud does not need to send broad HR datasets to the model to answer a single employee question. Actions are performed through governed tools and integrations.
Does Applaud redact all PII before sending data to the model?
No, and that is intentional.
In HR service, personal data is often necessary to complete the request. For example, an employee may need to
update personal details, check leave status, ask about pay, submit a case, or request an employment letter.
Blocking or redacting all PII would break many legitimate HR service flows.
Instead, Applaud uses a governance-based approach. Messages are checked by guardrails, prompt injection is
blocked, sensitive data is detected and governed, and only the context required for the task is sent to the model.
Is customer data used to train AI models?
No. Applaud does not use customer data to train foundation models, fine-tune models, or improve shared AI
models.
Customer data is used only to provide the contracted service to that customer. This includes processing the user's request, retrieving relevant knowledge, applying user and employee context, executing configured workflows, and producing a response.
Customer prompts, completions, documents, conversations, tool outputs, HR data, and knowledge content are not used to train AI models.
Short version: categorically no - customer data is not used for model training.
Which AI models does Applaud use?
Applaud uses AWS Bedrock for AI inference.
Current model usage includes Anthropic Claude for conversational AI, Amazon Nova for supporting tasks such as
titles, summaries, and translation, and Amazon Titan for embeddings.
Model selection may vary by deployment, region, and use case. For regulated customers, model usage and region are confirmed during implementation and security review.
Where does AI inference run?
AI inference is pinned to the customer's selected data residency region.
For each customer deployment, Applaud configures AI processing based on the agreed data residency
requirement. Customer prompts, retrieved knowledge, tool outputs, model responses, and AI processing remain
within the selected region.
We do not dynamically route customer AI traffic across regions for convenience or optimization.
The selected region, model profiles, subprocessors, and data flow are confirmed as part of implementation and
security review.
How does Applaud support data privacy and regulatory requirements?
Applaud supports customer compliance through data residency controls, tenant isolation, access control,
encryption, auditability, security governance, and documentation that can support customer risk assessments and
privacy reviews.
Customer data is stored and processed in the region selected by the customer. Applaud also supports enterprise
authentication, role-based access, encrypted data at rest and in transit, controlled integrations, and audit logging
across AI and platform activity.
For regulated deployments, Applaud can support the customer's privacy, security, legal, employee-relations, and AI governance review processes by providing information on architecture, data flows, subprocessors, security
controls, AI processing, audit logging, and operational governance.
Applaud supports the customer's compliance process, but legal and regulatory classification decisions remain with the customer and their advisors.
What are risk-graded tools?
Risk-graded tools allow Applaud and the customer to apply different controls based on the nature of the action.
For example:
- Low-risk tools may retrieve general information or submit low-impact requests
- Medium-risk tools may access personal or case-related data
- High-risk tools may initiate transactions, update sensitive data, or perform actions that require stronger
assurance
Controls can include eligibility checks, confirmation, escalation, step-up authentication, channel restrictions, or
additional review.
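The eligibility, governed-tool, and risk-grading controls described in this FAQ can be pictured as a single authorization gate that sits between the model and the integrations. The sketch below is an added illustration, not Applaud's code: every name, the sample agents, and the mapping from risk tier to required controls are assumptions.

```python
from dataclasses import dataclass

# Assumed mapping from risk tier to required controls (illustrative only).
RISK_CONTROLS = {
    "low": frozenset(),
    "medium": frozenset({"confirmation"}),
    "high": frozenset({"confirmation", "step_up_auth"}),
}

@dataclass(frozen=True)
class Tool:
    name: str
    risk: str     # "low" | "medium" | "high"
    schema: dict  # argument name -> required Python type

@dataclass(frozen=True)
class Agent:
    name: str
    eligibility: dict  # user attribute -> set of allowed values
    tools: dict        # tool name -> Tool configured for this agent

def is_eligible(user_attrs, agent):
    # user_attrs come from the authenticated session, never from chat text.
    return all(user_attrs.get(k) in allowed
               for k, allowed in agent.eligibility.items())

def args_match_schema(tool, args):
    # Exact key set and exact types: no extra fields, no coercion.
    return (set(args) == set(tool.schema)
            and all(type(args[k]) is t for k, t in tool.schema.items()))

def authorize_tool_call(user_attrs, agent, tool_name, args, satisfied=frozenset()):
    """Decide on a tool call proposed by the model, which is untrusted input.

    `satisfied` lists controls the platform itself has recorded for this
    request (a confirm click, a completed step-up), not anything in model output.
    """
    if not is_eligible(user_attrs, agent):
        return ("deny", "user not eligible for agent")
    tool = agent.tools.get(tool_name)
    if tool is None:
        return ("deny", "tool not configured for agent")
    if not args_match_schema(tool, args):
        return ("deny", "arguments do not match tool schema")
    missing = RISK_CONTROLS[tool.risk] - frozenset(satisfied)
    if missing:
        return ("challenge", sorted(missing))
    return ("allow", tool.name)

# Constructed sample configuration and users.
EMPLOYEE = {"role": "employee", "country": "DE", "is_manager": False}
MANAGER = {"role": "employee", "country": "DE", "is_manager": True}
HR_AGENT = Agent("hr_self_service", {"country": {"DE", "FR"}}, {
    "search_policy": Tool("search_policy", "low", {"query": str}),
    "update_address": Tool("update_address", "high",
                           {"employee_id": str, "address": str}),
})
TEAM_AGENT = Agent("team_absence", {"is_manager": {True}}, {
    "get_team_absences": Tool("get_team_absences", "medium", {"manager_id": str}),
})

if __name__ == "__main__":
    print(authorize_tool_call(EMPLOYEE, TEAM_AGENT, "get_team_absences",
                              {"manager_id": "u1"}))
    print(authorize_tool_call(EMPLOYEE, HR_AGENT, "update_address",
                              {"employee_id": "u1", "address": "constructed"},
                              satisfied={"confirmation"}))
```

Because the decision depends only on session attributes, agent configuration, and platform-recorded controls, nothing the user types or the model emits can widen it.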
What audit trail does Applaud maintain?
Applaud maintains a detailed audit trail of AI activity.
The audit record can include the user message, prompt context, retrieved knowledge, tool calls, tool outputs, model response, guardrail decisions, and usage metadata.
AI interactions are captured in an immutable WORM audit store, giving the customer a tamper-resistant record of what happened and why. This supports compliance, investigation, operational monitoring, and continuous
improvement.
Are logs immutable?
The audit store is immutable using WORM controls.
Operational records may exist in application databases for product functionality, but the tamper-resistant audit trail is maintained separately in the immutable audit store.
How are secrets and credentials protected?
Secrets and credentials are protected using KMS-backed encryption and controlled access.
Integrations use governed credentials, such as OAuth, API keys, or integration users, depending on the target
system and customer architecture.
How does Applaud monitor AI performance after go-live?
Applaud provides analytics and observability across the HR service experience, knowledge layer, agents,
channels, and tools.
This allows HR and platform teams to monitor not just whether the AI is being used, but whether it is helping
employees resolve issues safely and effectively.
Applaud analytics can include:
- Active users and adoption
- Tier zero deflection
- Helpfulness
- Conversation and message volumes
- Demand drivers by topic or category
- Knowledge searches
- AI citations
- Knowledge deflections
- Most searched terms
- Poor results and knowledge gaps
- Engagement funnel performance
- Agent performance by deflection, helpfulness, health, runs, and feedback
- Most used tools
- Channel usage
- Trends over time
This supports a continuous improvement loop. HR teams can see where employees are getting good answers,
where content is missing or underperforming, which agents are working well, which tools are being used, and
where processes should be improved.
Responsible AI is not only a pre-go-live control. It is an ongoing operating model: monitor, review, improve, and
govern.
How does Applaud handle bias and fairness?
For this use case, Applaud is not making employment decisions or ranking people. The main fairness risk is
inconsistent HR service quality across employee groups, countries, languages, roles, or channels.
Applaud addresses this through consistent agent behavior, role- and country-aware routing, approved knowledge, multilingual support, analytics, and auditability.
The objective is that employees receive consistent, appropriate HR service regardless of where they start the
interaction.
How is the platform tested and quality-assured?
Applaud applies quality controls at both product-development level and customer-implementation level.
At the product level, Applaud follows a defined secure software development lifecycle. Security and quality controls include design review, threat modeling, code reviews, static and dynamic code analysis, unit testing, end-to-end testing, linting, automated quality checks, vulnerability scanning, coordinated regression testing, separate development/staging/testing/production environments, and controlled release management.
At the implementation level, customer-specific configuration is validated against representative HR service
scenarios before go-live. This includes testing expected journeys, ambiguous questions, missing knowledge, role
and country variations, language coverage, escalation paths, prompt-injection attempts, sensitive requests, and
configured system actions.
UAT should include appropriate customer stakeholders such as HR process owners, knowledge owners, IT,
security, data/privacy teams, and local market reviewers where relevant.
What happens when the AI is not confident?
When the AI lacks sufficient information, when the request is ambiguous, or when the request falls outside the configured agent's scope, the appropriate behavior is to clarify, guide, or escalate.
For HR service, escalation is not a failure. It is part of responsible design. The AI should resolve what it safely can
and route the rest to the right human or system process with context.
Can HR administrators control what the AI knows and does?
Yes.
Applaud is designed so HR and platform administrators can manage knowledge, content governance, routing rules, workflows, and agent configuration. This supports business ownership and reduces dependency on technical teams or vendor services for day-to-day operation.
The customer controls which agents exist, who is eligible to use them, what knowledge they can access, and which actions are enabled.
What is the key difference between Applaud and a generic chatbot?
A generic chatbot is usually focused on answering questions.
Applaud is an HR service platform. It combines:
- Employee-facing channels
- Governed HR agents
- Knowledge management
- Role and country awareness
- HR workflows
- Workday and ServiceNow integrations
- Case creation and escalation
- Auditability and observability
- Admin tooling for continuous improvement
Responsible AI in HR requires more than a chat interface. It requires a governed service layer.
What should customers control during implementation?
Customers should confirm:
- Which channels are in scope
- Which agents are enabled
- Which employee populations are eligible for each agent
- Which Workday, ServiceNow, and third-party actions are enabled
- Which actions require confirmation or escalation
- Which channels require step-up authentication
- Which knowledge sources are approved
- Which HR teams own content governance
- What audit and retention requirements apply
- What metrics define success
How should Applaud's Responsible AI posture be summarized?
Applaud's Responsible AI posture can be summarized as:
Applaud is a governed HR service platform, not an unrestricted AI assistant. Users authenticate through enterprise identity; access is controlled by agent eligibility; answers are grounded in approved knowledge; actions are executed through configured tools; sensitive actions can be risk-graded; and every AI interaction is auditable. The goal is not to claim AI has zero risk, but to make the risk bounded, configurable, observable, and accountable.
How does Applaud approach the EU AI Act?
Applaud's approach is to assess AI risk based on intended use, customer configuration, and the specific HR
process being supported.
Applaud is designed as an HR service delivery platform. Its role is to answer questions, guide employees through
processes, create or route cases, and initiate configured workflows. It is not designed to make autonomous
employment decisions such as hiring, firing, promotion, compensation, disciplinary action, task allocation, or
performance evaluation decisions.
Some AI systems used in employment and worker management may fall within high-risk categories under the EU
AI Act depending on their intended use. Because of that, Applaud's responsible AI approach focuses on controls
that support appropriate governance: authenticated access, agent eligibility, scoped tools, approved knowledge,
risk-graded actions, human escalation, auditability, data residency, monitoring, and customer configuration.
Where a customer wants to use Applaud for a workflow that may raise higher regulatory risk, the appropriate
approach is to assess that use case specifically, document the intended use, configure proportionate controls, and involve the customer's legal, privacy, security, HR, and employee-relations stakeholders as needed.
Applaud can support the customer's AI governance and risk assessment process with architecture, data flow,
security, audit, and control documentation. Legal classification under the EU AI Act remains a customer/legal
assessment based on the configured use case and deployment context.
What role do analytics play in Responsible AI?
Analytics are a core Responsible AI control because they make AI performance visible after deployment.
Without analytics, HR teams may know that employees are using AI, but not whether the service is accurate,
helpful, equitable, or improving over time. Applaud analytics help customers understand what employees are
asking, which answers are working, where knowledge gaps exist, which agents are effective, which channels are
being used, and which tools or processes are driving demand.
This allows HR and platform teams to move from passive monitoring to active governance. They can update
knowledge, adjust routing, refine agents, improve workflows, retire poor content, and identify process issues that
create repeat demand.
In short, analytics help ensure the AI service remains governed, measurable, and continuously improved.
What certifications and security controls support Applaud's AI governance?
Applaud's AI governance is supported by its broader security and privacy control environment.
Relevant controls include:
- ISO 27001, 27017, 27018, and 27701 certifications
- Data encryption in transit using TLS
- Data encryption at rest using 256-bit AES and AWS KMS
- Enterprise SSO support
- Role-based access control
- Tenant isolation
- AWS Bedrock for generative AI
- MongoDB Atlas Vector Search for embeddings and retrieval
- Vulnerability scanning and patch management
- Secure SDLC controls
- Static and dynamic code analysis
- Unit, end-to-end, regression, and manual testing
- Monitoring through AWS CloudWatch and application logging
- Incident response and disaster recovery processes
These controls help ensure AI capabilities are deployed within an enterprise-grade security and privacy framework.