How to Create an AI Policy for Your Company

A step-by-step guide with template, EU AI Act Article 4 checklist, and practical examples for SMEs — reviewed by a certified Gyoseishoshi who has published 100+ compliance books across 14 countries.

An AI policy is a formal document that defines how your organization uses, governs, and monitors artificial intelligence tools. It establishes acceptable use boundaries, assigns responsibilities, ensures legal compliance with regulations such as the EU AI Act, and protects your business from AI-related risks. Every company using AI — from a ten-person startup to a multinational enterprise — needs one, and EU AI Act Article 4 already requires organizations to ensure AI literacy among all staff who operate or interact with AI systems.

Do I Need an AI Policy?

If any of the following five situations apply to your organization, you need a documented AI policy. The more that apply, the more comprehensive your policy should be.

# | Signal | Why It Matters
1 | Employees use AI chatbots (ChatGPT, Copilot, Gemini, Claude) for work tasks | Without rules, confidential data, client information, and trade secrets may be entered into third-party AI systems. Under GDPR Article 28, processing personal data through an AI provider may constitute a data transfer requiring documented safeguards.
2 | AI is used in hiring, performance evaluation, or customer-facing services | These are high-risk applications under EU AI Act Annex III. Article 26 deployer obligations require documented risk assessments, human oversight measures, and ongoing monitoring.
3 | Your organization operates in the EU or serves EU customers | The EU AI Act has extraterritorial reach (Article 2). Any AI system whose outputs affect EU residents falls within scope, regardless of where the company is headquartered.
4 | Clients, partners, or investors are asking about your AI governance | Supply chain pressure is accelerating. Enterprise procurement increasingly requires documented AI policies from vendors. Not having one can disqualify you from contracts.
5 | You have no documented rules on what employees can or cannot do with AI | Without documented rules, your organization has an implicit policy: anything goes. This creates uncontrolled risk exposure across data protection, intellectual property, quality control, and regulatory compliance.

What Your AI Policy Must Cover

A complete AI policy addresses eight essential areas. These are not optional components — each one corresponds to specific regulatory expectations or operational necessities.

# | Section | What It Covers | Regulatory Basis
1 | Purpose and scope | Why the policy exists, which AI systems it covers, which departments and roles are in scope, and any exclusions. | General governance best practice
2 | Approved AI tools register | A maintained list of every AI system sanctioned for use, including the provider, data processing location, and approved use cases. | Article 26 (deployer record-keeping)
3 | Acceptable use guidelines | What employees can do with AI without approval, what requires explicit authorization, and what is strictly prohibited. Examples for each category. | Article 26 (deployer obligations)
4 | Data protection and privacy rules | What data can and cannot be input into AI systems. Personal data handling, client confidentiality, trade secret protection, and cross-border transfer rules. | GDPR Articles 5, 6, 28; AI Act Article 10
5 | Human oversight requirements | Which AI decisions require human review before implementation. Escalation procedures when AI outputs are uncertain or potentially harmful. | Article 14 (human oversight), Article 26(1)
6 | Transparency obligations | When and how to disclose AI use to customers, employees, and other affected parties. Labeling requirements for AI-generated content. | Article 50 (transparency for certain AI systems)
7 | Training and AI literacy program | Training content, delivery frequency, assessment methods, and record-keeping. Who needs training, at what depth, and how comprehension is verified. | Article 4 (AI literacy)
8 | Review and update schedule | Frequency of policy reviews, triggers for immediate revision, responsible parties, and change management procedures. | Article 9 (risk management), Article 26(5)

7 Steps to Create Your AI Policy

This process is designed for a company with 10 to 50 employees. Adjust the scope and depth based on your organization's size and AI complexity. Total estimated time: 15 to 25 hours over one to three weeks.

Step 1: Audit your current AI usage

Before you can govern AI, you need to know exactly what AI your organization uses. Most companies significantly underestimate their AI footprint because employees adopt tools independently.

What to do: Survey every department. For each AI tool identified, document: the tool name and provider, who uses it, what data it processes, where data is stored, and whether it was formally approved. Include both obvious AI tools (ChatGPT, Copilot) and embedded AI features in existing software (email autocomplete, CRM lead scoring, document summarization).

Practical Example

A 25-person marketing agency discovered during their audit that 18 employees were using ChatGPT for copywriting (including pasting client briefs containing confidential information), 4 were using Midjourney for client presentations, the CRM had AI-powered lead scoring enabled by default, and the email platform used AI for spam filtering. Their audit spreadsheet grew from an expected 3 tools to 11.

Estimated: 3-5 hours for SME

Step 2: Classify AI systems by risk level

The EU AI Act establishes a four-tier risk framework. Your compliance obligations depend entirely on where each AI system falls within this classification.

Risk Level | Examples | Your Obligations
Prohibited (Article 5) | Social scoring, manipulative subliminal techniques, real-time biometric identification in public spaces (with limited exceptions) | Do not deploy. No exceptions. Already enforceable since February 2025.
High-risk (Article 6, Annex III) | AI in recruitment, credit scoring, educational assessment, medical diagnosis, critical infrastructure management | Risk assessment, human oversight, technical documentation, conformity assessment. Full compliance by December 2027 (Omnibus extension).
Limited-risk (Article 50) | Chatbots, deepfake generators, emotion recognition systems, AI-generated content | Transparency disclosures: inform users they are interacting with AI. Label AI-generated content. Enforceable from August 2025.
Minimal-risk | Spam filters, AI-assisted spell check, recommendation engines (non-manipulative), route optimization | No specific obligations beyond general good practice. Voluntary codes of conduct encouraged.

Practical Example

A logistics company with 40 employees classified their AI: route optimization software (minimal-risk, no special obligations), warehouse safety monitoring camera with AI (potentially high-risk if used for worker surveillance, requiring risk assessment), customer service chatbot (limited-risk, requiring transparency disclosure), and an AI tool tested for screening delivery driver applications (high-risk under Annex III, requiring full conformity procedures).

Estimated: 2-3 hours for SME

Step 3: Define acceptable use rules

Clear, specific rules prevent well-intentioned employees from inadvertently creating legal exposure. Vague guidance like "use AI responsibly" is not a policy — it is a hope.

Allowed (No Approval Needed) | Requires Approval | Prohibited
Drafting internal summaries from public information | Using AI to generate customer-facing content | Entering personal data of clients or employees into any AI system
Grammar and style checking (English text only, no confidential content) | Deploying a new AI tool not on the approved register | Submitting financial data, trade secrets, or unreleased product information
Research and brainstorming using publicly available data | Using AI for any decision affecting employment (hiring, performance, termination) | Using AI outputs as the sole basis for decisions with legal consequences
Code assistance (non-proprietary code only) | Integrating AI APIs into company products or services | Using AI to generate content that impersonates a real person

Why This Matters

According to a 2025 survey by Salesforce, 55% of employees report using AI tools at work, but only 24% say their employer has clear AI usage guidelines. The gap between adoption and governance is where risk accumulates. An acceptable use framework closes that gap.

Estimated: 2-3 hours for SME

Step 4: Assign roles and responsibilities

Every policy fails without clear ownership. Someone must be accountable for maintaining, enforcing, and updating your AI governance. The EU AI Act does not prescribe a specific organizational structure, but accountability must be unambiguous.

Organization Size | Recommended Structure | Key Responsibilities
1-10 employees | Single responsible person (typically CEO, CTO, or COO) | Maintain AI register, review policy annually, handle incidents, ensure training
11-50 employees | Designated AI Officer (existing role, added responsibility) | Above, plus quarterly reviews, approval workflow for new tools, compliance monitoring
51-250 employees | AI Governance Committee (3-5 members from IT, legal, HR, operations) | Above, plus formal risk assessments, audit program, board reporting, incident response team

Practical Example

A 30-person software company designated their CTO as AI Officer. She spends approximately two hours per week on AI governance: reviewing the AI register for new tools, checking that quarterly training is scheduled, and addressing any AI-related questions from staff. She escalated one decision to the CEO in six months — approving the use of AI in an automated code review pipeline that would affect all developers.

Estimated: 1-2 hours for SME

Step 5: Build your AI literacy program

EU AI Act Article 4 requires providers and deployers to take measures to ensure a sufficient level of AI literacy among their staff and other persons dealing with AI systems on their behalf. This obligation has been enforceable since February 2, 2025. It is not optional, and it is not satisfied by simply giving employees access to AI tools.

What AI literacy means under Article 4: Staff must have sufficient knowledge, skills, and understanding to make informed use of AI systems and to be aware of the opportunities and risks of AI, as well as the possible harm it can cause. The measures must account for the staff member's technical knowledge, experience, education, and context of use.

Building your program:

  • Content: What AI is and what it is not; capabilities and limitations of the specific tools your company uses; your organization's acceptable use rules; how to identify AI errors and hallucinations; data protection obligations when using AI; when and how to escalate concerns.
  • Delivery: Initial training at onboarding plus periodic refreshers (at minimum annually, recommended quarterly). Self-paced or instructor-led, depending on resources. Document completion and assessment results.
  • Assessment: Brief quizzes or practical exercises to verify comprehension. Article 4 requires actual understanding, not passive attendance.
  • Records: Maintain records of who completed training, when, what was covered, and assessment results. These records demonstrate compliance to regulators.

Practical Example

A 15-person accounting firm created a 90-minute onboarding module covering: what their approved AI tools can and cannot do, three scenarios showing acceptable vs. prohibited use (including a case where a colleague entered client financial data into ChatGPT), and a 10-question quiz. They run quarterly 30-minute refreshers with two practical scenarios each. Total annual time investment per employee: four hours. Total annual cost: zero (created internally using existing resources).

Estimated: 3-5 hours for SME (initial program creation)

Step 6: Draft the policy document

With your audit complete, risks classified, rules defined, roles assigned, and training program designed, you now have the substance to draft the policy. Use the 12-section template structure below. Write clearly, avoid unnecessary jargon, and be specific enough that any employee can understand exactly what is expected.

Start with the highest-priority sections: Purpose, Scope, Acceptable Use, and Prohibited Uses. These four sections alone provide immediate governance value even before the remaining eight are finalized. Complete the full document within two weeks of starting the draft.

Practical Example

A 20-person recruiting firm completed their draft in five working days: Day 1 — Purpose, Scope, Definitions (CEO); Day 2 — AI System Register, Acceptable Use, Prohibited Uses (CEO + Operations Manager); Day 3 — Data Protection, Human Oversight (CEO + DPO where applicable); Day 4 — Transparency, AI Literacy, Incident Response (CEO + HR); Day 5 — Review and Governance, final edit, internal review circulation. Total: approximately eight hours of writing time.

Estimated: 5-8 hours for SME

Step 7: Implement, communicate, and schedule reviews

A policy that exists in a shared drive but is never communicated is equivalent to no policy. Implementation is where governance becomes operational.

Implementation checklist:

  • Distribute the policy to all staff with a clear cover message from leadership explaining why it matters.
  • Collect written acknowledgment of receipt and understanding from every employee.
  • Conduct the initial AI literacy training session within 30 days of policy adoption.
  • Add the policy to the new employee onboarding process.
  • Update employment contracts or handbooks to reference the AI policy where appropriate.
  • Set calendar reminders for quarterly focused reviews and annual comprehensive revision.
  • Establish a reporting channel for AI-related concerns or incidents.

Review schedule:

Review Type | Frequency | Scope
Quick check | Quarterly | AI register updates, new tools adopted, any incidents since last review, training completion rates
Full revision | Annually | Complete policy review, regulatory updates (EU AI Act implementing measures, national guidance), alignment with business strategy changes
Triggered review | As needed | New AI tool adoption, AI-related incident, regulatory change, significant business change, audit findings

Estimated: 2-4 hours for SME (initial rollout)

AI Policy Template Outline

Use this 12-section structure as the foundation for your AI policy. Each section includes guidance on what to include. Customize every section to reflect your organization's specific AI systems, data flows, and risk profile.

AI Policy Template Structure

[Company Name] AI Policy
Version: [X.X]  |  Effective: [Date]  |  Next Review: [Date]

1. Purpose
State why the policy exists and what it seeks to achieve. Reference the EU AI Act and any other applicable regulations. Articulate the organization's commitment to responsible AI use. Two to three sentences is sufficient.
2. Scope
Define who the policy applies to (all employees, contractors, third-party vendors), which AI systems it covers (all AI tools used for or on behalf of the organization), and any exclusions. Be explicit: ambiguity in scope creates gaps in governance.
3. Definitions
Define key terms in plain language: artificial intelligence, AI system (per EU AI Act Article 3), general-purpose AI, high-risk AI system, deployer, provider, personal data, and any organization-specific terms. These definitions prevent misinterpretation and align with regulatory language.
4. AI System Register
Maintain a table listing every approved AI system: tool name, provider, risk classification, approved use cases, data processed, data storage location, responsible person, and date of last review. This register is a living document updated whenever a tool is added, removed, or changed.
5. Acceptable Use
Describe permitted uses of AI tools in specific, actionable terms. Provide examples for each department or role if applicable. Include the approval process for using AI in novel ways not explicitly covered. Cross-reference the Prohibited Uses section.
6. Prohibited Uses
List every use of AI that is categorically forbidden, regardless of circumstances. Include: entering personal data without explicit authorization, using AI for decisions with legal effects without human review, deploying AI systems classified as prohibited under Article 5, and any organization-specific prohibitions. Make this section unambiguous.
7. Data Protection
Specify data handling rules: what categories of data may and may not be input into AI systems, GDPR compliance measures (lawful basis, data minimization, purpose limitation), cross-border transfer safeguards, and data retention policies for AI interactions. Reference your existing data protection policy where applicable.
8. Human Oversight
Define which AI-assisted decisions require human review and at what stage. Specify the qualifications or authority level required for oversight. Document escalation procedures for edge cases. Reference Article 14 requirements for high-risk AI systems.
9. Transparency
Describe how and when the organization will disclose AI use to affected parties. Cover customer-facing transparency (chatbot disclosures, AI-generated content labeling) and internal transparency (informing employees about AI-assisted decision-making that affects them). Reference Article 50 obligations.
10. AI Literacy and Training
Outline the training program: content covered, delivery method, frequency (initial plus refreshers), assessment method, and record-keeping requirements. Specify who is responsible for maintaining and updating training materials. Reference Article 4 obligations.
11. Incident Response
Define what constitutes an AI-related incident (data breach via AI, discriminatory AI output, AI system failure, unauthorized AI use). Specify reporting channels, response timeline, investigation procedures, and remediation steps. Include obligations to report serious incidents to relevant authorities.
12. Review and Governance
State the review schedule (quarterly focused, annually comprehensive, triggered as needed). Define who is responsible for each type of review. Describe the change management process: how amendments are proposed, approved, communicated, and documented. Include version control procedures.

Approved by: [Name, Title, Date]
Next scheduled review: [Date]

EU AI Act Compliance Checklist

Use this 15-point checklist to verify your AI policy addresses the core requirements of the EU AI Act. Each item references the specific Article that creates the obligation and notes when enforcement begins.

Article | Requirement | Enforcement
Art. 4 | AI literacy measures documented and implemented for all staff operating or interacting with AI systems | Since Feb 2025
Art. 5 | Confirmed no prohibited AI practices are deployed (social scoring, subliminal manipulation, biometric categorization for sensitive attributes) | Since Feb 2025
Art. 6 / Annex III | All AI systems assessed against high-risk criteria; high-risk systems identified and documented | Dec 2027
Art. 9 | Risk management system established for each high-risk AI system (identification, analysis, estimation, evaluation of risks) | Dec 2027
Art. 10 | Data governance measures in place for training, validation, and testing data sets used by high-risk AI | Dec 2027
Art. 13 | High-risk AI systems designed to be sufficiently transparent for deployers to interpret and use outputs appropriately | Dec 2027
Art. 14 | Human oversight measures implemented for high-risk AI systems, with designated oversight persons identified and trained | Dec 2027
Art. 26(1) | Deployer obligations documented: using high-risk AI in accordance with instructions, ensuring input data relevance, monitoring for risks | Dec 2027
Art. 26(5) | Data protection impact assessment (DPIA) conducted where high-risk AI processes personal data | Dec 2027
Art. 26(7) | Employees and worker representatives informed when subject to high-risk AI system decisions | Dec 2027
Art. 50(1) | Users informed when interacting with AI-powered chatbots or conversational systems | Since Aug 2025
Art. 50(2) | AI-generated or manipulated content (images, audio, video, text) clearly labeled as artificially generated | Since Aug 2025
Art. 50(4) | Deployers of emotion recognition or biometric categorization systems have informed affected persons | Since Aug 2025
Art. 51 | GPAI (general-purpose AI) systems identified; obligations regarding provider-supplied documentation reviewed and implemented | Aug 2026
Art. 72 | AI system registration in the EU database completed for high-risk AI systems before placing on market or putting into service | Dec 2027

Scaling AI Governance to Your Organization Size

The EU AI Act explicitly recognizes proportionality. Recital 27 states that measures should be proportionate to the size and capabilities of the organization. A 12-person design studio does not need the same governance infrastructure as a multinational bank. Here is how to scale appropriately.

Organization Size | Policy Scope | Governance Structure | Review Cadence | Training
1-10 employees | One-page policy covering acceptable use, prohibited uses, and data rules. AI register as a simple spreadsheet. | Single responsible person (typically the founder or managing director) | Annual full review, plus triggered reviews for new tools or incidents | 90-minute onboarding session. Annual 30-minute refresher. Informal ongoing guidance.
11-50 employees | Detailed policy (5-10 pages) with all 12 sections. Formal AI register with quarterly updates. | Designated AI Officer (existing role with added AI governance responsibility) | Quarterly focused reviews. Annual comprehensive revision. | Structured onboarding module with quiz. Quarterly 30-minute scenario-based refreshers. Records maintained.
51-250 employees | Comprehensive AI management system (AIMS) with department-specific annexes. Automated compliance monitoring where feasible. | AI Governance Committee (3-5 members: IT, legal/compliance, HR, operations, business unit representative) | Monthly monitoring dashboard. Quarterly committee review. Annual board-level report. | Role-differentiated training (general staff, AI users, AI developers, management). Quarterly refreshers with assessment. Training effectiveness evaluation.

Regardless of size, every organization must satisfy Article 4 AI literacy requirements and comply with any prohibition and transparency obligations relevant to their AI usage. Proportionality affects the depth and formality of governance, not whether governance exists.


Penalties for Non-Compliance

The EU AI Act introduces a tiered penalty structure that scales with the severity of the violation and the size of the organization. National competent authorities in each EU member state are responsible for enforcement.

Maximum Fine | Applies To
Up to EUR 35M or 7% of global annual turnover | Deploying prohibited AI practices (Article 5 violations). Whichever amount is higher applies. For SMEs and startups, the lower of the two thresholds applies.
Up to EUR 15M or 3% of global annual turnover | Other infringements, including non-compliance with AI literacy obligations (Article 4), transparency requirements (Article 50), and deployer obligations (Article 26).
Up to EUR 7.5M or 1% of global annual turnover | Supplying incorrect, incomplete, or misleading information to authorities or notified bodies.

Enforcement is not theoretical. The European AI Office became operational in 2024, and national market surveillance authorities have been designated across EU member states. Organizations that can demonstrate documented AI governance measures — including a formal AI policy, training records, and risk assessments — are in a significantly stronger position during any regulatory inquiry.

Frequently Asked Questions

Is an AI policy legally required?
Under the EU AI Act, organizations are not explicitly required to have a single document called an "AI policy." However, Article 4 mandates AI literacy measures, Article 26 imposes deployer obligations including monitoring and record-keeping, and Article 50 requires transparency disclosures. In practice, meeting these obligations without a formal AI policy is nearly impossible. Several EU member states are also introducing national guidance that specifically recommends or requires documented AI governance frameworks. Outside the EU, jurisdictions including Canada (AIDA), Brazil (AI Bill), and certain US states are developing similar requirements.
How long does it take to create an AI policy?
For a company with 10 to 50 employees, expect to invest approximately 15 to 25 hours spread over one to three weeks. This includes the AI audit (3-5 hours), risk classification (2-3 hours), drafting the policy (5-8 hours), internal review (2-4 hours), and training preparation (3-5 hours). Larger organizations with complex AI deployments may need four to eight weeks. The key factor is not company size alone but the number and complexity of AI systems in use.
Does the EU AI Act apply to companies outside Europe?
Yes. The EU AI Act has extraterritorial reach under Article 2. It applies to any organization that places AI systems on the EU market or whose AI system outputs are used within the EU, regardless of where the organization is headquartered. A company in New York using AI to process job applications from EU candidates, or a Singapore-based firm deploying a customer service chatbot accessible to EU residents, falls within scope. This mirrors the extraterritorial approach of the GDPR.
What happens if we don't have an AI policy by August 2026?
The enforcement timeline has multiple phases. Article 4 AI literacy obligations have been enforceable since February 2025. Article 50 transparency requirements apply from August 2025. The Omnibus agreement extended the deadline for Annex III high-risk system compliance to December 2027. Penalties range from EUR 7.5 million or 1% of global turnover for incorrect information, up to EUR 35 million or 7% of global turnover for prohibited AI practices. For SMEs, the lower of the two thresholds (fixed amount or percentage) applies.
Can we use a template or do we need a custom policy?
A template provides valuable structure, but every AI policy must be customized. The EU AI Act requires measures proportionate to your specific AI usage, organizational size, and risk profile. A logistics company using AI for route optimization has fundamentally different governance needs than a recruitment firm using AI to screen candidates. Use the 12-section template structure in this guide as your foundation, then tailor each section to your actual AI systems, data flows, and operational context.
Who should be responsible for AI governance in a small company?
In companies with fewer than 50 employees, AI governance typically rests with a single designated person, often the CEO, CTO, Head of Operations, or Data Protection Officer if one exists. This person does not need to be a technical expert in AI but must understand the organization's AI systems, the applicable legal framework, and the company's risk tolerance. For companies with 50 or more employees, consider establishing a small AI governance committee with representatives from IT, legal or compliance, HR, and operations.
Do we need an AI policy if we only use ChatGPT?
Yes. ChatGPT and similar general-purpose AI systems are classified as general-purpose AI (GPAI) under Article 51 of the EU AI Act. While the heaviest compliance obligations fall on the provider (OpenAI), deployer obligations under Article 26 still apply to your organization. You need documented rules on what data employees can input, how outputs are reviewed, and what transparency measures are in place. Even a single-page policy covering acceptable use, prohibited data inputs, and human review requirements is significantly better than no policy at all.
How often should we update our AI policy?
At minimum, conduct a focused review quarterly and a comprehensive revision annually. However, specific events should trigger an immediate review: adopting a new AI tool, a regulatory change (such as new national implementing measures for the EU AI Act), an AI-related incident, a significant change in business operations, or findings from internal audits. The EU AI Act framework emphasizes continuous monitoring, so treat your AI policy as a living document rather than a one-time compliance exercise.
What is the difference between an AI policy and AI governance?
An AI policy is a document that defines rules, responsibilities, and procedures. AI governance is the broader system of structures, processes, and oversight mechanisms that ensure AI is used responsibly across the organization. The policy is a component of governance, not a substitute for it. Full AI governance includes the policy document, risk management procedures, technical safeguards, monitoring systems, training programs, incident response plans, and regular audits. For smaller organizations, a well-structured AI policy with clear review processes may constitute sufficient governance.
How does an AI policy protect our business?
An AI policy provides five layers of protection. First, regulatory compliance: it demonstrates due diligence to regulators enforcing the EU AI Act and similar legislation. Second, data security: it prevents employees from inadvertently sharing confidential information, trade secrets, or personal data with AI systems. Third, quality control: it ensures AI outputs are reviewed before being used in business decisions, reducing errors. Fourth, liability limitation: documented policies and training records provide evidence of responsible AI practices if legal issues arise. Fifth, operational consistency: it ensures all employees use AI tools in alignment with organizational values and risk tolerance.

A NOTE FROM THE AUTHOR

“I spent more than 20 years reviewing regulatory compliance at the Hiroshima Prefectural Government. The biggest mistake I see businesses make is assuming compliance starts with paperwork. It starts with daily habits. Build the habit first, and the paperwork follows.”

— Takayuki Sawai, Gyoseishoshi (行政書士)

Create Your AI Policy — Then Automate It

This guide gives you the blueprint. ClearAI Trust OS turns it into daily reality: your policy becomes daily compliance checks, employee quizzes, and a trust score your whole team can track.

$19/month after free period. No credit card required.

This guide is reviewed by Takayuki Sawai, a certified Gyoseishoshi with over 20 years of regulatory experience at the Hiroshima Prefectural Government, and the author of 100+ compliance books across 14 countries. Content is based on the EU AI Act (Regulation (EU) 2024/1689), the May 2025 Omnibus agreement amending Annex III timelines, and established AI governance frameworks. This guide provides general information and does not constitute legal advice for any specific situation. Regulations are subject to change; verify current requirements with your national competent authority. Last updated: June 2026.