AI Governance
Governed AI. Human oversight at every step.
Qualixir aligns with NIST AI RMF, ISO/IEC 42001, and the EU AI Act. Every AI action has a human checkpoint before any consequence. This page is your single reference for procurement, compliance, and enterprise architecture reviews.
How the AI Works
Seven AI use cases. Seven human checkpoints.
Qualixir uses AI at seven specific, well-defined points across the test automation lifecycle. All AI activity is bounded, auditable, and requires human approval.
Document Parsing
AI reads uploaded test specification documents — Word, Excel, and CSV files — and automatically extracts structured test cases, steps, expected results, and preconditions. Handles a wide range of document formats and writing styles without requiring templates.
Human checkpoint: All parsed test cases require explicit human approval before any test run is initiated.
Test Suite Categorisation
After parsing, AI automatically categorises and organises test cases into logical test suites — grouping by feature area, user journey, risk level, or workflow. Removes the manual effort of structuring large test libraries.
Human checkpoint: Categorisation suggestions are reviewed and adjusted by the QA team before the suite is finalised.
Test Case Generation
In Generate Mode, AI drafts new test cases from uploaded specifications, user stories, or acceptance criteria. It navigates the live application, observes the UI, and generates structured test cases with steps, expected results, and suggested personas.
Human checkpoint: All AI-generated test cases are reviewed and approved by a human before execution. No generated test case runs without explicit approval.
Browser Execution & Validation
During Execute Mode, Qualixir navigates a real browser through each test step, interprets on-screen state via screenshots, and validates outcomes against the DOM. The DOM serves as the authoritative ground truth.
Human checkpoint: Test results are reviewed and signed off by a human tester before the final report is generated.
AI Self-Healing
When a UI change causes a previously passing test to fail — a button is renamed, an element moves, or a selector changes — AI detects the change, identifies the most likely updated element, and adapts the test step automatically.
Human checkpoint: All self-healing adaptations are flagged for human review before being permanently applied to the test suite.
Training Document Generation
Qualixir generates structured training documents from test specifications and completed test runs — step-by-step user guides, process documentation, and onboarding materials derived directly from test cases.
Human checkpoint: Generated training documents are reviewed and approved by the team before distribution.
Summary Document Generation
After each test run, Qualixir generates summary documents in multiple formats: executive summary with high-level metrics, detailed execution report with embedded screenshots, and a sign-off PDF with signature block.
Human checkpoint: All summary documents are reviewed and signed off by a human tester before stakeholder distribution.
AI Boundaries
What Qualixir's AI does not do
Explicit boundaries matter. Here is what Qualixir's AI will never do — by design, not by accident.
- Does not make autonomous decisions — all material outputs require human review and approval
- Does not access data outside the test scope defined by the user
- Does not store AI-generated content beyond the configurable retention period
- Does not train on customer test data, test cases, or execution results
- Does not apply self-healing changes permanently without human confirmation
- Does not process personal data for profiling, scoring, or categorisation
- Does not make decisions affecting individuals' legal, financial, or safety outcomes
NIST AI RMF
NIST AI Risk Management Framework alignment
Recommended as the primary framework for enterprise Qualixir deployments. Freely available, widely adopted across US enterprise and government, and immediately actionable without requiring formal certification.
Establish policies, roles, and culture for responsible AI use
Admin and Viewer roles with audit log of all runs. Organisation-level data isolation via row-level security. Platform Owner designation per deployment. Acceptable use documentation provided.
Categorise and contextualise AI risks in your organisation's context
Narrow, task-specific AI (QA automation only). Human-in-the-loop at every decision point. No autonomous actions — all outputs require human approval before consequences.
Analyse and assess AI risks using quantitative and qualitative methods
Dashboard shows tokens consumed, pass/fail rates, and run history. All AI decisions logged with screenshots. Token usage and AI cost reports available for monthly review. Audit log export for compliance.
Prioritise and address AI risks with response plans and monitoring
Pre-run cost estimate displayed before execution. Human cancellation available at any point during a run. AI output always paired with DOM verification. Escalation process recommended for AI-related issues.
Known AI risks and mitigations
| Risk Category | Potential Impact | Qualixir Mitigation |
|---|---|---|
| AI errors in test interpretation | False pass/fail results mislead stakeholders | Human sign-off required before any report is finalised. AI verdicts are advisory — a human reviewer confirms pass/fail before the report is generated. |
| Data leakage | Test data exposed outside organisation | SaaS: data encrypted at rest, logically isolated per organisation using row-level security. On-premise: all data remains within the customer's own infrastructure. |
| AI cost overrun | Unexpected spend on AI tokens | Pre-run token estimates displayed before execution begins. Users can cancel at any point during a run. |
| Bias in test generation | AI-generated test cases with incomplete or skewed coverage | All AI-generated test cases are presented for human review and approval before execution. No test case runs without explicit human confirmation. |
| Vendor dependency | Continuity risk if Qualixir is unavailable | Data layer built on PostgreSQL — an open standard. Test data and audit logs exportable at any time. BYOK AI keys allow customers to connect their own AI provider. |
ISO/IEC 42001:2023
AI Management System — clause-by-clause mapping
Recommended for organisations with existing ISO 27001 certification or those operating internationally and seeking a certifiable AI governance posture.
| Clause | Requirement | Qualixir Alignment |
|---|---|---|
| 4.1–4.2 | Context & stakeholder needs | Qualixir's scope limited to test automation; stakeholder needs documented in this guide. |
| 5.2 | AI Policy | Customers define acceptable use policy; Qualixir provides template guidance for enterprise deployments. |
| 6.1 | Risk assessment | Risk table provided above; customers complete organisation-specific risk assessment using Qualixir's documentation. |
| 8.4 | AI System Impact Assessment | Limited Risk classification under EU AI Act. No mandatory impact assessment required for Qualixir deployments. |
| 9.1 | Monitoring & measurement | Audit logs, token reports, and trend tracking available in the dashboard. Exportable for compliance reviews. |
| 10.1 | Continual improvement | Qualixir roadmap driven by customer feedback. Governance controls reviewed annually. Run history enables teams to identify recurring failures. |
For organisations pursuing ISO/IEC 42001 certification, Qualixir supports evidence collection by exporting audit logs, test run records, and AI usage reports on request.
EU AI Act
Classification: Limited Risk
The EU AI Act (Regulation (EU) 2024/1689) establishes a risk-based framework across four categories. Qualixir is classified as Limited Risk.
Key factors supporting Limited Risk classification
- Operates on software test data — not personal data
- All outputs reviewed and approved by human testers before action
- No biometric identification, emotion recognition, or social scoring
- No autonomous decisions affecting individuals' legal, financial, or safety outcomes
Transparency obligations
| EU AI Act Obligation | Status | Detail |
|---|---|---|
| Prohibited AI practices ban | Not applicable | Qualixir performs none of the prohibited practices. |
| High-risk system requirements | Not applicable | Qualixir is classified as Limited Risk. |
| Transparency disclosure | Fulfilled | This page, in-product labelling, and documentation. |
| GPAI model obligations | Not applicable | Applicable to AI model providers only, not Qualixir as deployer. |
| User's right to explanation | Supported | Audit logs and AI reasoning available on request. |
Implementation
Deployment checklist for your team
Use this checklist when deploying Qualixir in your organisation. Items are organised by category for your IT, QA, and compliance teams.
- Designate a Qualixir Platform Owner accountable for AI use within the organisation
- Define an acceptable use policy covering what can and cannot be automated with Qualixir
- Assign Admin and Viewer roles to appropriate team members
- Document Qualixir in your organisation's AI register (if applicable)
- Review AI-generated test cases with your QA lead before first production use
- Establish an escalation process for AI-related issues or unexpected test results
Roadmap
Your AI governance journey with Qualixir
A recommended timeline for establishing governed AI deployment — from pilot to certification readiness.
Pilot
- Define platform owner accountable for AI use
- Draft acceptable use policy
- Run first 3 test suites with human sign-off workflow
Establish
- Enable SSO and MFA for all users
- Configure data retention policies per project
- Document AI use in your organisation's AI register
Optimise
- Review run metrics and pass/fail trends
- Adjust AI parameters based on team feedback
- Produce first quarterly AI performance report
Certify
- Map controls to ISO/IEC 42001 or NIST AI RMF
- Prepare evidence pack for third-party audit if required
- Conduct annual governance review cycle
Start your governed AI deployment today
Request our AI Governance Pack — including NIST AI RMF mapping, data processing documentation, and security questionnaire responses. Or book an architecture review with our team.
qualixir.ai · info@qualixir.ai