A step-by-step guide with template, EU AI Act Article 4 checklist, and practical examples for SMEs — reviewed by a certified Gyoseishoshi who has published 100+ compliance books across 14 countries.
An AI policy is a formal document that defines how your organization uses, governs, and monitors artificial intelligence tools. It establishes acceptable use boundaries, assigns responsibilities, ensures legal compliance with regulations such as the EU AI Act, and protects your business from AI-related risks. Every company using AI — from a ten-person startup to a multinational enterprise — needs one, and EU AI Act Article 4 already requires organizations to ensure AI literacy among all staff who operate or interact with AI systems.
If any of the following five situations apply to your organization, you need a documented AI policy. The more that apply, the more comprehensive your policy should be.
| # | Signal | Why It Matters |
|---|---|---|
| 1 | Employees use AI chatbots (ChatGPT, Copilot, Gemini, Claude) for work tasks | Without rules, confidential data, client information, and trade secrets may be pasted into third-party AI systems. If those inputs contain personal data, the AI provider is a processor under GDPR Article 28 and needs a written processing agreement; if the data leaves the EEA, the Chapter V transfer safeguards (Articles 44 to 49) apply as well. |
| 2 | AI is used in hiring, performance evaluation, or customer-facing services | Recruitment, performance evaluation, and other workforce decisions are high-risk under EU AI Act Annex III (point 4, employment and workers management), unless the narrow Article 6(3) exception applies and has been documented. Customer-facing chatbots are not high-risk as such but trigger Article 50 transparency duties; credit scoring or insurance pricing for customers is in Annex III (point 5). For high-risk uses the Article 26 deployer obligations apply: use the system per the provider's instructions, assign competent human oversight, monitor operation and retain logs, inform affected workers, and complete a GDPR DPIA where personal data is processed. |
| 3 | Your organization operates in the EU or serves EU customers | The EU AI Act has extraterritorial reach (Article 2(1)): it covers providers and deployers located outside the EU whenever the output produced by the AI system is used in the EU, regardless of where the company is headquartered. |
| 4 | Clients, partners, or investors are asking about your AI governance | Supply chain pressure is accelerating. Enterprise procurement increasingly requires documented AI policies from vendors. Not having one can disqualify you from contracts. |
| 5 | You have no documented rules on what employees can or cannot do with AI | Without documented rules, your organization has an implicit policy: anything goes. This creates uncontrolled risk exposure across data protection, intellectual property, quality control, and regulatory compliance. |
A complete AI policy addresses eight essential areas. These are not optional components — each one corresponds to specific regulatory expectations or operational necessities.
| # | Section | What It Covers | Regulatory Basis |
|---|---|---|---|
| 1 | Purpose and scope | Why the policy exists, which AI systems it covers, which departments and roles are in scope, and any exclusions. | General governance best practice |
| 2 | Approved AI tools register | A maintained list of every AI system sanctioned for use, including the provider, data processing location, risk classification, and approved use cases. | General governance practice; for high-risk systems it is the basis for the Article 26 duties to use systems per instructions and to retain the logs they generate (Article 26(6)) |
| 3 | Acceptable use guidelines | What employees can do with AI without approval, what requires explicit authorization, and what is strictly prohibited. Examples for each category. | Article 26 (deployer obligations) |
| 4 | Data protection and privacy rules | What data can and cannot be input into AI systems. Personal data handling, client confidentiality, trade secret protection, and cross-border transfer rules. | GDPR Articles 5, 6, 28 and Chapter V; AI Act Article 26(4) (deployer responsibility for input data it controls) |
| 5 | Human oversight requirements | Which AI decisions require human review before implementation. Escalation procedures when AI outputs are uncertain or potentially harmful. | Article 14 (oversight designed in by the provider), Article 26(1) and (2) (deployer follows the instructions for use and assigns oversight to competent persons) |
| 6 | Transparency obligations | When and how to disclose AI use to customers, employees, and other affected parties. Labeling requirements for AI-generated content. | Article 50 (transparency for certain AI systems) |
| 7 | Training and AI literacy program | Training content, delivery frequency, assessment methods, and record-keeping. Who needs training, at what depth, and how comprehension is verified. | Article 4 (AI literacy) |
| 8 | Review and update schedule | Frequency of policy reviews, triggers for immediate revision, responsible parties, and change management procedures. | Article 26(5) (deployer monitoring and incident reporting); Article 9 (provider risk management, which relies on deployer feedback) |
This process is designed for a company with 10 to 50 employees. Adjust the scope and depth based on your organization's size and AI complexity. Total estimated time: 15 to 25 hours over one to three weeks.
Before you can govern AI, you need to know exactly what AI your organization uses. Most companies significantly underestimate their AI footprint because employees adopt tools independently.
What to do: Survey every department. For each AI tool identified, document: the tool name and provider, who uses it, what data it processes, where data is stored, and whether it was formally approved. Include both obvious AI tools (ChatGPT, Copilot) and embedded AI features in existing software (email autocomplete, CRM lead scoring, document summarization).
A 25-person marketing agency discovered during their audit that 18 employees were using ChatGPT for copywriting (including pasting client briefs containing confidential information), 4 were using Midjourney for client presentations, the CRM had AI-powered lead scoring enabled by default, and the email platform used AI for spam filtering. Their audit spreadsheet grew from an expected 3 tools to 11.
The EU AI Act establishes a four-tier risk framework. Your compliance obligations depend entirely on where each AI system falls within this classification.
| Risk Level | Examples | Your Obligations |
|---|---|---|
| Prohibited (Article 5) | Social scoring, manipulative or deceptive subliminal techniques, exploitation of vulnerabilities, biometric categorization to infer sensitive attributes, emotion recognition in workplaces and schools, real-time remote biometric identification in public spaces for law enforcement (narrow exceptions) | Do not deploy. No exceptions. Enforceable since 2 February 2025. |
| High-risk (Article 6, Annex III) | AI in recruitment and worker management, credit scoring, educational assessment, medical devices (Annex I), safety components of critical infrastructure, emotion recognition outside the prohibited contexts | Provider: risk management, data governance, technical documentation, human-oversight design, conformity assessment, EU database registration. Deployer (Article 26): follow the instructions for use, assign competent human oversight, monitor and retain logs, inform workers, DPIA where applicable. The Regulation sets 2 August 2026 for Annex III systems (Article 113); the Digital Omnibus package defers this to December 2027, so confirm which date applies before relying on the extension. |
| Limited-risk (Article 50) | Chatbots, deepfake generators, AI-generated text, images, audio and video | Transparency: inform users they are interacting with AI; mark synthetic output as artificially generated; as deployer, label deepfakes and AI-generated text published on matters of public interest. Applies from 2 August 2026. |
| Minimal-risk | Spam filters, AI-assisted spell check, recommendation engines (non-manipulative), route optimization | No specific obligations beyond general good practice. Voluntary codes of conduct encouraged. |
A logistics company with 40 employees classified their AI: route optimization software (minimal-risk, no special obligations), a warehouse safety camera with AI analytics (potentially high-risk if it is used to monitor or evaluate workers, so it needs a documented classification decision and, if high-risk, the Article 26 measures), a customer service chatbot (limited-risk, requiring an Article 50 disclosure), and an AI tool trialled for screening delivery driver applications (high-risk under Annex III point 4; the vendor must have completed conformity assessment and registration, and the firm carries the Article 26 deployer obligations, including informing applicants and worker representatives).
Clear, specific rules prevent well-intentioned employees from inadvertently creating legal exposure. Vague guidance like "use AI responsibly" is not a policy — it is a hope.
| Allowed (No Approval Needed) | Requires Approval | Prohibited |
|---|---|---|
| Drafting internal summaries from public information | Using AI to generate customer-facing content | Entering personal data of clients or employees into any AI system |
| Grammar and style checking (English text only, no confidential content) | Deploying a new AI tool not on the approved register | Submitting financial data, trade secrets, or unreleased product information |
| Research and brainstorming using publicly available data | Using AI for any decision affecting employment (hiring, performance, termination) | Using AI outputs as the sole basis for decisions with legal consequences |
| Code assistance (non-proprietary code only) | Integrating AI APIs into company products or services | Using AI to generate content that impersonates a real person |
According to a 2025 survey by Salesforce, 55% of employees report using AI tools at work, but only 24% say their employer has clear AI usage guidelines. The gap between adoption and governance is where risk accumulates. An acceptable use framework closes that gap.
Every policy fails without clear ownership. Someone must be accountable for maintaining, enforcing, and updating your AI governance. The EU AI Act does not prescribe a specific organizational structure, but accountability must be unambiguous.
| Organization Size | Recommended Structure | Key Responsibilities |
|---|---|---|
| 1-10 employees | Single responsible person (typically CEO, CTO, or COO) | Maintain AI register, review policy annually, handle incidents, ensure training |
| 11-50 employees | Designated AI Officer (existing role, added responsibility) | Above, plus quarterly reviews, approval workflow for new tools, compliance monitoring |
| 51-250 employees | AI Governance Committee (3-5 members from IT, legal, HR, operations) | Above, plus formal risk assessments, audit program, board reporting, incident response team |
A 30-person software company designated their CTO as AI Officer. She spends approximately two hours per week on AI governance: reviewing the AI register for new tools, checking that quarterly training is scheduled, and addressing any AI-related questions from staff. She escalated one decision to the CEO in six months — approving the use of AI in an automated code review pipeline that would affect all developers.
EU AI Act Article 4 requires providers and deployers to take measures to ensure a sufficient level of AI literacy among their staff and other persons dealing with AI systems on their behalf. This obligation has been enforceable since February 2, 2025. It is not optional, and it is not satisfied by simply giving employees access to AI tools.
What AI literacy means under Article 4: Staff must have sufficient knowledge, skills, and understanding to make informed use of AI systems and to be aware of the opportunities and risks of AI, as well as the possible harm it can cause. The measures must account for the staff member's technical knowledge, experience, education, and context of use.
Building your program:
A 15-person accounting firm created a 90-minute onboarding module covering: what their approved AI tools can and cannot do, three scenarios showing acceptable vs. prohibited use (including a case where a colleague entered client financial data into ChatGPT), and a 10-question quiz. They run quarterly 30-minute refreshers with two practical scenarios each. Total annual time investment per employee: four hours. Total annual cost: zero (created internally using existing resources).
With your audit complete, risks classified, rules defined, roles assigned, and training program designed, you now have the substance to draft the policy. Use the 12-section template structure below. Write clearly, avoid unnecessary jargon, and be specific enough that any employee can understand exactly what is expected.
Start with the highest-priority sections: Purpose, Scope, Acceptable Use, and Prohibited Uses. These four sections alone provide immediate governance value even before the remaining eight are finalized. Complete the full document within two weeks of starting the draft.
A 20-person recruiting firm completed their draft in five working days: Day 1 — Purpose, Scope, Definitions (CEO); Day 2 — AI System Register, Acceptable Use, Prohibited Uses (CEO + Operations Manager); Day 3 — Data Protection, Human Oversight (CEO + DPO where applicable); Day 4 — Transparency, AI Literacy, Incident Response (CEO + HR); Day 5 — Review and Governance, final edit, internal review circulation. Total: approximately eight hours of writing time.
A policy that exists in a shared drive but is never communicated is equivalent to no policy. Implementation is where governance becomes operational.
Implementation checklist:
Review schedule:
| Review Type | Frequency | Scope |
|---|---|---|
| Quick check | Quarterly | AI register updates, new tools adopted, any incidents since last review, training completion rates |
| Full revision | Annually | Complete policy review, regulatory updates (EU AI Act implementing measures, national guidance), alignment with business strategy changes |
| Triggered review | As needed | New AI tool adoption, AI-related incident, regulatory change, significant business change, audit findings |
Use this 12-section structure as the foundation for your AI policy. Each section includes guidance on what to include. Customize every section to reflect your organization's specific AI systems, data flows, and risk profile.
[Company Name] AI Policy
Version: [X.X] | Effective: [Date] | Next Review: [Date]
Approved by: [Name, Title, Date]
Next scheduled review: [Date]
Use this 15-point checklist to verify your AI policy addresses the core requirements of the EU AI Act. Each item references the specific Article that creates the obligation and notes when it applies. Most items concern high-risk systems and are only relevant if Step 2 identified one.
| ☐ | Requirement | Applies from |
|---|---|---|
| ☐ | Art. 4 AI literacy measures documented and implemented for all staff operating or interacting with AI systems | 2 Feb 2025 |
| ☐ | Art. 5 Confirmed no prohibited AI practices are deployed (social scoring, subliminal manipulation, biometric categorization for sensitive attributes, emotion recognition at work or in education) | 2 Feb 2025 |
| ☐ | Art. 6 / Annex III All AI systems assessed against high-risk criteria; high-risk systems identified and documented, including any Art. 6(3) exception relied on | 2 Aug 2026* |
| ☐ | Art. 9 Provider's risk management system confirmed for each high-risk AI system; as deployer, feed incidents and observed risks back to the provider (Art. 26(5)) | 2 Aug 2026* |
| ☐ | Art. 10 Data governance confirmed with the provider for training, validation, and testing data; as deployer, input data you control is relevant and representative (Art. 26(4)) | 2 Aug 2026* |
| ☐ | Art. 13 Instructions for use obtained from the provider and available to staff who interpret the system's output | 2 Aug 2026* |
| ☐ | Art. 14 / Art. 26(2) Human oversight measures implemented for high-risk AI systems, with designated oversight persons identified and trained | 2 Aug 2026* |
| ☐ | Art. 26(1) and (5) Deployer obligations documented: using high-risk AI in accordance with instructions, monitoring operation, suspending use and notifying on risk, retaining logs for at least six months (Art. 26(6)) | 2 Aug 2026* |
| ☐ | Art. 26(9) Data protection impact assessment (DPIA) conducted, using the provider's Art. 13 information, where high-risk AI processes personal data | 2 Aug 2026* |
| ☐ | Art. 26(7) and (11) Employees and worker representatives informed before a high-risk system is put into service; affected persons informed of decisions taken with it | 2 Aug 2026* |
| ☐ | Art. 50(1) Users informed when interacting with AI-powered chatbots or conversational systems | 2 Aug 2026 |
| ☐ | Art. 50(2) and (4) AI-generated or manipulated content (images, audio, video, text) marked as artificially generated; deepfakes and public-interest text labeled | 2 Aug 2026 |
| ☐ | Art. 50(3) Deployers of emotion recognition or biometric categorization systems have informed affected persons | 2 Aug 2026 |
| ☐ | Art. 51 to 53 GPAI models used in your tools identified; provider documentation for downstream use obtained and reviewed | 2 Aug 2025 |
| ☐ | Art. 49 / Art. 71 Provider's registration of the high-risk system in the EU database verified before putting it into service; public-body deployers register their own use | 2 Aug 2026* |
* Statutory date under Article 113. The Digital Omnibus package defers the Annex III high-risk obligations to December 2027; confirm which date applies before scheduling compliance work around the later one.
The EU AI Act explicitly recognizes proportionality. Article 4 scales literacy measures to staff members' knowledge and context of use, Article 62 requires the Commission and Member States to take the specific interests of SMEs and start-ups into account, and Article 99(6) caps fines for SMEs at the lower of the percentage and fixed-amount thresholds. A 12-person design studio does not need the same governance infrastructure as a multinational bank. Here is how to scale appropriately.
| Organization Size | Policy Scope | Governance Structure | Review Cadence | Training |
|---|---|---|---|---|
| 1-10 employees | One-page policy covering acceptable use, prohibited uses, and data rules. AI register as a simple spreadsheet. | Single responsible person (typically the founder or managing director) | Annual full review, plus triggered reviews for new tools or incidents | 90-minute onboarding session. Annual 30-minute refresher. Informal ongoing guidance. |
| 11-50 employees | Detailed policy (5-10 pages) with all 12 sections. Formal AI register with quarterly updates. | Designated AI Officer (existing role with added AI governance responsibility) | Quarterly focused reviews. Annual comprehensive revision. | Structured onboarding module with quiz. Quarterly 30-minute scenario-based refreshers. Records maintained. |
| 51-250 employees | Comprehensive AI management system (AIMS) with department-specific annexes. Automated compliance monitoring where feasible. | AI Governance Committee (3-5 members: IT, legal/compliance, HR, operations, business unit representative) | Monthly monitoring dashboard. Quarterly committee review. Annual board-level report. | Role-differentiated training (general staff, AI users, AI developers, management). Quarterly refreshers with assessment. Training effectiveness evaluation. |
Regardless of size, every organization must satisfy Article 4 AI literacy requirements and comply with any prohibition and transparency obligations relevant to their AI usage. Proportionality affects the depth and formality of governance, not whether governance exists.
The EU AI Act introduces a tiered penalty structure (Article 99) that scales with the severity of the violation and the size of the organization: up to EUR 35 million or 7% of worldwide annual turnover for prohibited practices, up to EUR 15 million or 3% for other obligations (including the Article 26 deployer and Article 50 transparency duties), and up to EUR 7.5 million or 1% for supplying incorrect information to authorities. For SMEs the lower of the two amounts applies. National market surveillance authorities in each EU member state are responsible for enforcement.
Enforcement is not theoretical. The European AI Office became operational in 2024, and national market surveillance authorities have been designated across EU member states. Organizations that can demonstrate documented AI governance measures — including a formal AI policy, training records, and risk assessments — are in a significantly stronger position during any regulatory inquiry.
A NOTE FROM THE AUTHOR
“I spent more than 20 years reviewing regulatory compliance at the Hiroshima Prefectural Government. The biggest mistake I see businesses make is assuming compliance starts with paperwork. It starts with daily habits. Build the habit first, and the paperwork follows.”
— Takayuki Sawai, Gyoseishoshi (行政書士)
This guide gives you the blueprint. ClearAI Trust OS turns it into daily reality: your policy becomes daily compliance checks, employee quizzes, and a trust score your whole team can track.
This guide is reviewed by Takayuki Sawai, a certified Gyoseishoshi with over 20 years of regulatory experience at the Hiroshima Prefectural Government, and the author of 100+ compliance books across 14 countries. Content is based on the EU AI Act (Regulation (EU) 2024/1689), the May 2025 Omnibus agreement amending Annex III timelines, and established AI governance frameworks. This guide provides general information and does not constitute legal advice for any specific situation. Regulations are subject to change; verify current requirements with your national competent authority. Last updated: June 2026.