AI Disclaimer — CyberStackHub

Q: How accurate is the CyberStackHub AI risk assessment?

CyberStackHub's AI risk assessment is calibrated against NIST CSF, CIS Controls, and real-world SMB breach data from the Verizon DBIR and IBM X-Force reports. Results reflect your answers at the time of assessment — accuracy depends on the completeness of information provided. The assessment identifies probable risk areas but does not replace a professional penetration test, formal security audit, or legal compliance review. We recommend re-running your assessment every 6 months or after any significant infrastructure change.

Q: Does CyberStackHub store my company's security data?

Assessment responses and generated reports are stored securely to enable dashboard access and historical comparison. We do not sell assessment data to third parties. No personally identifiable information (PII) beyond your email is collected to generate a risk score. See our Privacy Policy for full data handling details. You can request deletion of your data at any time.

Q: Can AI-generated security policies and documents be used for actual compliance audits?

AI-generated security policies from CyberStackHub are designed as professional starting templates — they follow industry-standard frameworks (SOC 2, ISO 27001, NIST CSF, HIPAA) and are appropriate as the foundation for your formal policy program. However, all generated documents should be reviewed by qualified legal and security personnel before submission to auditors. Policies need to reflect your specific operational environment, which AI cannot fully know without human review and customization.

CyberStackHub

Critical notice: CyberStackHub uses artificial intelligence to generate cybersecurity assessments, risk scores, compliance readiness reports, and recommendations. These outputs are informational tools — not certified security audits, professional cybersecurity consulting, legal advice, or compliance certifications. Do not rely on them as your sole basis for security or compliance decisions.

EU AI Act transparency: CyberStackHub is compliant with EU Artificial Intelligence Act (Regulation (EU) 2024/1689) transparency requirements (Article 52). All AI systems are classified as Limited Risk or Minimal Risk — no High Risk or Prohibited systems are deployed. Full technical documentation: AI Transparency page · Machine-readable system card (JSON).

0. EU AI Act: Risk Classification

Under the EU AI Act, every AI system deployed on CyberStackHub has been formally classified. The following table summarizes our classifications as of April 2026.

Feature	Risk Level	Article 52 Obligation
Risk Assessment Tool	Limited Risk	AI-generated label + methodology disclosure
AI Document Generators (8 tools)	Limited Risk	AI-generated label + human-review disclaimer
Compliance Readiness Checker	Limited Risk	AI-generated label + non-certified-audit disclaimer
Questionnaire / Assessment Bot	Limited Risk	Pre-interaction AI disclosure + output labeling
Breach Exposure Simulation	Minimal Risk	Voluntary: AI simulation label
Password Analyzer + Phishing Analyzer	Minimal Risk	No mandatory obligations

None of our AI systems fall under EU AI Act Annex III High Risk categories (critical infrastructure, employment decisions, credit scoring, law enforcement). Full classification detail: AI Transparency page.

1. What AI Outputs Are

Every risk score, assessment finding, compliance gap analysis, vendor risk profile, and remediation recommendation produced by CyberStackHub is generated by AI models — specifically large language models trained on publicly available cybersecurity knowledge, frameworks, and best practices.

AI-generated outputs are:

Probabilistic, not deterministic. The same inputs can produce slightly different outputs on different runs. This is a fundamental property of language models.
Based on patterns, not live testing. We do not perform active penetration testing, real-time vulnerability scanning, or live network assessment. Our tools analyze what you tell us — they don't verify it independently.
Bounded by training data. AI models have knowledge cutoff dates. Newly emerged threats, recently disclosed CVEs, or evolving compliance standards may not be fully reflected in outputs.
Not a substitute for human expertise. Certified professionals bring judgment, context, and accountability that AI cannot replicate.

2. Confidence Scoring

Where present in our outputs, confidence scores indicate how reliable we assess a particular finding to be, based on the completeness of your inputs and the clarity of applicable standards. Confidence scores do not guarantee accuracy.

High Confidence (80-100%)

Finding aligns closely with well-established standards. Input data was complete. Lower risk of false positive — but still verify before acting.

Medium Confidence (50-79%)

Finding is plausible based on available inputs, but data was incomplete or the area involves nuanced interpretation. Use as a starting point for further review.

Low Confidence (<50%)

Finding is speculative. Inputs were sparse or the domain is particularly complex. Treat as a potential area of concern only — not a confirmed finding.

No Score Shown

Some outputs do not include confidence scores. These should be interpreted as informational only until independently verified.

3. Source Attribution and Dates

Where CyberStackHub references specific frameworks, standards, or regulations (e.g., NIST CSF, SOC 2, ISO 27001, HIPAA, CMMC, PCI DSS), those references are based on the published versions available in our AI model's training data.

Standards evolve. Always verify against the current version of any framework directly from the issuing authority. We include a "Knowledge Reference Date" in full reports to indicate the general timeframe of our model's training data for that domain. This date should be treated as approximate.

We do not claim our outputs reflect the most current published guidance unless explicitly stated and dated in the report.

4. Not a Certified Audit

CyberStackHub does not perform and does not provide:

SOC 2 Type I or Type II audits
ISO 27001 certification assessments
HIPAA compliance certifications
PCI DSS qualified security assessor (QSA) reports
CMMC certification assessments
Any other certified, attested, or legally recognized security audit

If you need a certified audit for a regulatory requirement, insurance application, or contractual obligation, you must engage a qualified, certified third-party assessor. Our tools can help you prepare for that process — they cannot replace it.

5. Not Professional Advice

Nothing on CyberStackHub constitutes professional cybersecurity consulting, legal advice, insurance advice, or compliance consulting. Outputs are informational in nature. For decisions that carry legal, financial, or regulatory consequences, consult qualified professionals.

6. Your Responsibility

You are responsible for:

The accuracy and completeness of the inputs you provide
Independently verifying findings before making security decisions based on them
Engaging qualified professionals for critical security, compliance, or legal decisions
Understanding the limitations of AI-generated assessments

Steeled Inc. is not liable for decisions made based on AI-generated outputs. See the Terms of Service for our full limitation of liability.

7. AI Model Disclosure

CyberStackHub uses large language models from third-party AI providers including Anthropic and OpenAI to generate assessments. These providers process your inputs to generate outputs. We do not use your inputs to train AI models. For more on how your data is handled during AI inference, see our Privacy Policy.

8. Feedback and Corrections

If you believe an AI-generated output contains a material error or misleading information, please report it to feedback@cyberstackhub.ai. We take accuracy seriously and use feedback to improve our tools.