AI Shared responsibility model

Introduction

At NTT DATA, we recognize that the use of Artificial Intelligence in our Global Assets must be followed by a strong sense of responsibility. As a trusted partner, we are upholding the highest standards of compliance, governance, and ethical AI practices, guided by our NTT Group AI chapter.

We align with a broad range of global frameworks and standards, including ISO/IEC 27001, GDPR, and the EU AI Act, as well as recent legislative proposals from South Korea (AI Basic Act, 2025) and California, USA (Bill SB420 & 243). These regulations embed rigorous controls into every stage of our AI lifecycle. We also invest in training and ethical responsibility programs to empower our teams to design, deploy, and operate AI systems responsibly.

In addition, NTT DATA Spain, where many of our AI-based Global Assets are allocated, is currently in the process of obtaining ISO/IEC 42001 certification, the first international standard for AI Management Systems, which provides a structured approach to managing AI risks and ensuring responsible innovation.

This Shared Responsibility Model defines how responsibilities are distributed across all actors involved in the lifecycle of AI-based components within our Global Assets, from model builders to end-users. This model ensures that AI systems are used in a legal, safe, ethical, and compliant manner.

By clearly delineating roles and obligations, this Model helps mitigate risks related to bias, misinformation, data privacy, intellectual property, regulatory compliance, and misuse. It promotes transparency, accountability, and trust across the AI lifecycle.

The Shared Responsibility Model — key roles

AI System Providers

Entities that develop an AI system and make it available on the market or put it into service under their own name or trademark (e.g. OpenAI or Google).

Responsibilities

• Ensure foundational integrity of the AI model (legality, safety, transparency).

• Ensure compliance with intellectual property and data protection laws.

• Address bias and publish documentation to support downstream actors’ risk management.

Platform Providers

Cloud or infrastructure providers that enable the hosting, deployment, and operation of AI systems (e.g., Azure OpenAI Service, Vertex AI).

Responsibilities

• Provide secure and compliant infrastructure for AI deployment.

• Implement data protection measures and maintain audit trails.

• Support multi-tenant environments and regulatory reporting.

Deployers

Entities that embed AI systems into their business applications or integrate them in a product/service under their control.

Responsibilities

• Implement safeguards to prevent misuse and monitor model quality.

• Put in place input/output filtering and human-in-the-loop oversight.

• Ensure safe configuration, continuous monitoring and incident response.

Customers

Organizations that adopt and use AI-enabled solutions.

Responsibilities

• Define intended uses and integrate AI into their environments.

• Provide accurate input data, manage integrations, and ensure ethical/legal use.

• Enforce internal AI policies and monitor deployments.

End-Users

Users that interact directly with AI systems.

Responsibilities

• Understand system limitations and follow usage guidelines.

• Avoid misuse and report harmful outputs through governance channels.

NTT DATA role when licensing Global Assets embedding AI

NTT DATA acts primarily as a Deployer, focused on developing and integrating AI-driven components into our Global Assets. We design and deliver end-to-end solutions that integrate trusted AI Systems (e.g., OpenAI, Azure OpenAI, Google Gemini, Amazon Bedrock).

Core AI integration activities:

• LLM integration (selection, configuration, API orchestration).

• Prompt execution and optimization (prompt engineering).

• Retrieval-Augmented Generation (RAG) and embedding generation to improve context accuracy.

• AI Agent orchestration for complex multi-agent workflows.

• Guardrails management to ensure safe, ethical, human-centric interaction.

• Users and Agents management.

Customers using these AI systems must comply with the AI System Provider’s terms, obligations and acceptable-use policies. NTT DATA acts as an intermediary and facilitator of such terms (“pass-through model”), ensuring the contractual framework reflects the respective roles and responsibilities.

Roles according to the EU AI Act

NTT DATA’s Shared Responsibility Model aligns with the EU Artificial Intelligence Act (Regulation 2024/1689) and internal governance practices. The EU AI Act defines roles such as Provider, Deployer, Importer, Distributor, and User with specific regulatory obligations depending on control and position in the AI value chain.

• Providers (EU AI Act): legally responsible for ensuring the AI system complies with regulatory requirements before placing it on the market. NTT DATA would become a Provider only in exceptional circumstances (e.g., when substantially modifying an LLM or AI System used in a Global Asset such that its performance, purpose, or risk profile changes). In such cases NTT DATA would assume Provider-level obligations.

• Deployers (EU AI Act): entities that use AI systems under their authority for professional purposes. This is the primary role of NTT DATA in most cases, integrating third‑party LLMs or AI Systems into our Global Assets.

  As a Deployer, NTT DATA’s practices include:

  • Input and output filtering to prevent harmful prompts/outputs.

  • Human-in-the-loop oversight for ethical review and intervention.

  • Monitoring and evaluation of performance, fairness, and safety.

  • Legal and regulatory compliance (GDPR, IP, EU AI Act).

  • Reviewing third-party model documentation (training data awareness).

  • Conducting risk assessments (bias, discrimination, privacy, security).

  • Ensuring transparency toward clients and users (disclosure of limitations and safe‑use guidance).

  • Training and awareness for employees involved in AI integration and governance.

• Users (EU AI Act): individuals who interact with AI systems but do not operate or modify them. Their responsibilities are to use systems ethically, follow guidance, and report harmful or unsafe behaviour. Normally, NTT DATA does not act as a User when licensing Global Assets with AI capabilities.

NTT DATA maintains internal procedures and governance bodies to supervise AI legislation compliance. However, Customers must assess the risk level of specific use-cases and inform NTT DATA so that corresponding obligations can be determined.

Reference Links

Microsoft Azure

• https://learn.microsoft.com/en-us/azure/ai-services/content-safety/

• https://learn.microsoft.com/en-us/azure/ai-services/openai/concepts/abuse-monitoring

• https://learn.microsoft.com/en-us/azure/ai-foundry/responsible-ai/openai/overview?context=%2Fazure%2Fai-services%2Fopenai%2Fcontext%2Fcontext

• https://learn.microsoft.com/en-us/legal/ai-code-of-conduct

Google Cloud

• https://cloud.google.com/vertex-ai/generative-ai/docs/learn/responsible-ai?hl=en

• https://cloud.google.com/blog/products/identity-security/navigating-the-eu-ai-act-google-clouds-proactive-approach

• https://cloud.google.com/vertex-ai/generative-ai/docs/vertex-ai-zero-data-retention?hl=en

AWS

• https://aws.amazon.com/ai/responsible-ai/policy/