As part of PagerDuty’s ongoing commitment to earning and maintaining our customer’s trust, we are sharing some of our current key guidelines for the safe and secure use of generative AI throughout the product life cycle – from design and development to testing and delivery. We want our customers to understand our approach to generative AI technologies and how we are advancing the responsible use of AI both internally and within PagerDuty’s products and services.

Generative AI tools provide new ways to create content, explore ideas and synthesize information. They have the potential to support all areas of PagerDuty’s business, including product functionality, research and development, and customer support. PagerDuty’s guidelines for the safe and secure use of generative AI are based on our core values, including our commitments to championing the customer, and our robust Information Security Policies, Procedures and Standards, and are intended to ensure the secure, safe and ethical use of AI within PagerDuty and within PagerDuty products.

I. Coding with AI Tools

The use of generative AI solutions as part of coding and development must align with our secure system development lifecycle discipline, including the following overall guidelines:

  • Design Principles: When designing new features, the functional specifications must be clear, accurate and comprehensive, regardless of whether an AI tool is used to help develop any code. Alignment with the functional specifications must be validated during the overall testing phase.
  • Development Principles: Using an AI tool to create code should not preempt any component of Secure System Development Lifecycle (S-SDLC) discipline for developing that code. Development timelines must continue to include time and effort to review any code created with AI assistance, including logic and function tests, as part of PagerDuty’s standard S-SDLC.
  • Training Principles: Training of AI assisted functionality must be performed using artificial data sets. Artificial datasets may be generated from PagerDuty’s own datasets resulting from PagerDuty’s use of PagerDuty’s products and services following PagerDuty’s approved anonymization practices.
  • Testing Principles: Testing of new features, including AI-assisted code generation, must include explicit testing for logic and functional alignment with the functional specifications identified during the design phase.
  • Code Review: All code proposed by a third-party (generative AI or other) must be reviewed for correctness and completeness. Particular care must be taken with any external references or file inclusions proposed by a generative AI solution to ensure that there are no unintended consequences from linked code.
  • Promotion to Production: Using an AI tool to create code should not preempt any component of S-SDLC discipline for moving that code to production. Whether code is generated with the assistance of AI tools, reused from another internal project, or written by a PagerDuty employee, it should not be promoted to production without the required code reviews and tests.

II. Use of Generative AI Capabilities in PagerDuty Products and Services

We use the following principles when offering generative AI solutions within our products. Our generative AI offerings must align with our secure architecture and data protection requirements, including the following principles:

  • Customer Choice Over Whether to Use an Generative AI Feature (Opt-In and Opt-Out): Generative AI will not be used to provide the PagerDuty service to a customer unless that customer opts-in to the use. A customer may choose to disable, or “opt-out” of, an AI feature at any time.
  • Clear Explanations of how we use Generative AI for PagerDuty Features: We are committed to providing clear, easy-to-understand explanations of AI involvement and AI-assisted features and how these features may enrich the customer’s experience, allowing a customer to make an informed decision.
  • Training Generative AI Models: If a customer opts-in for a generative AI feature, we will use that customer’s data for their own functionality; as we as an industry learn the limits of generative AI and data protection, we will not use that customer’s data to train an AI model that may benefit other parties unless that customer gives explicit permission for that type of training.
  • Human Oversight: PagerDuty recognizes that with current generative AI technology, outputs may not contain all the pieces a human specialist would have included, and may not even be correct. We are committed to designing our AI offerings to allow for a human to manage the AI and its outputs, and to have a way to rapidly roll-back changes.

As a reminder, adherence to these principles does not change our commitment to data protection as laid out in our Information Security Practices.

III. Generative AI and the FedRAMP Authorization Boundary

As PagerDuty continues down its FedRAMP authorization path, we are committed to ensuring that the use of generative AI solutions is in line with FedRAMP requirements and can be made available to Federal customers in a timely manner.

  • Security Impact Analysis: As with all new features, any use of generative AI as part of PagerDuty products and services will complete and comply with PagerDuty’s Security Impact Analysis discipline (part of PagerDuty’s broader Secure Systems Development Life Cycle).
  • FedRAMP Authorization Boundary: As with any new security-impacting functionality, generative AI solutions cannot be moved into PagerDuty’s FedRAMP Authorization Boundary until a Significant Change Request has been approved by the appropriate authorizing agency(ies). Federal customers wishing to use these solutions prior to their authorization must perform their own risk assessment prior to adopting.

We are excited about the promise of generative AI and other types of AI and are committed to their safe and secure use to help PagerDuty customers to improve their operations beyond what they ever thought was possible.