In short: An AI policy is a documented set of rules for how an organisation develops, buys and uses AI. At minimum most organisations need an acceptable-use policy telling staff what they can and cannot do with AI tools. Policies translate governance principles into clear, enforceable rules, and they are among the fastest, highest-value steps in an AI compliance programme.

Key facts

Definition: A documented set of rules for how AI is developed, bought and used
Most common: An AI acceptable-use policy — the first policy most organisations need
Purpose: Turn principles into clear, enforceable, day-to-day rules
Typical set: Acceptable use, data and confidentiality, procurement, risk and oversight, incident response
Owner: A named owner keeps policies current as tools and law change
Supports: AI literacy, human oversight and EU AI Act compliance

What an AI policy is and why you need one

An AI policy sets out the rules of the road: which AI tools may be used, by whom, for what purposes, and with what safeguards. Without one, staff make their own decisions about tools and data, which is how confidential information ends up in public chatbots. A clear policy reduces that risk immediately. See the FAQ below: What is an AI policy?

What goes in an AI acceptable-use policy

The everyday essentials: which tools are approved; what data must never be entered into them; requirements to check AI output before relying on it; prohibited uses; the need to disclose AI use where relevant; and how to request a new tool or raise a concern. Keep it short enough that people actually read it.

The wider policy set a framework needs

Beyond acceptable use, a mature governance framework typically adds policies for data and confidentiality, AI procurement and supplier due diligence, risk management and human oversight, and incident response. Scale the set to your size and risk — not every organisation needs all of them on day one.

How policies support EU AI Act compliance

Policies are how obligations become behaviour. They operationalise AI literacy, transparency and human-oversight duties, and they give you the documented rules that ISO/IEC 42001 and buyers expect to see. Good policies are also evidence.

Keeping policies current

AI tools and the law move quickly, so policies need an owner and a review cadence — at least annually and whenever a major new tool or obligation arrives. A policy nobody maintains quickly becomes a liability rather than a control.

Frequently asked questions

What is an AI policy?

A documented set of rules for how an organisation develops, buys and uses AI, including an acceptable-use policy for staff.

What should an AI acceptable-use policy include?

Approved tools, data that must never be entered, output checks, prohibited uses, disclosure rules and how to request tools or raise concerns.

What AI policies does a business need?

Most start with acceptable use, then add data/confidentiality, procurement, risk and oversight, and incident-response policies as they mature.

Does the EU AI Act require an AI policy?

Not by that name, but policies are how you operationalise and evidence literacy, transparency and oversight duties.

How often should AI policies be reviewed?

At least annually and whenever a major new tool or obligation arrives.

Last updated 19 June 2026.