Key facts
- Definition: a documented set of rules for how AI is developed, bought and used.
- The most common starting point is an AI acceptable-use policy.
- Purpose: turn principles into clear, enforceable, day-to-day rules.
- A mature set adds data/confidentiality, procurement, risk and oversight, and incident-response policies.
- Policies need a named owner and a review cadence as tools and law change.
Why do you need an AI policy?
An AI policy sets the rules of the road: what AI may be used, by whom, for what, and with what safeguards. Without one, staff make their own decisions about tools and data — which is how confidential information ends up in public chatbots. A clear policy reduces that risk immediately.
What goes in an AI acceptable-use policy?
The everyday essentials: which tools are approved; what data must never be entered into them; requirements to check AI output before relying on it; prohibited uses; the need to disclose AI use where relevant; and how to request a new tool or raise a concern. Keep it short enough that people actually read it.
What wider policies does a framework need?
Beyond acceptable use, a mature governance framework typically adds policies for data and confidentiality, AI procurement and supplier due diligence, risk management and human oversight, and incident response. Scale the set to your size and risk.
How do AI policies support EU AI Act compliance?
Policies are how obligations become behaviour. They operationalise AI literacy, transparency and human-oversight duties, and they give you the documented rules that ISO/IEC 42001 and buyers expect to see.
How do you keep AI policies current?
AI tools and the law move quickly, so policies need an owner and a review cadence — at least annually and whenever a major new tool or obligation arrives. See our AI policies guide.
Frequently asked questions
What is an AI policy?
A documented set of rules for how an organisation develops, buys and uses AI, including an acceptable-use policy for staff.
What should an AI acceptable-use policy include?
Approved tools, data that must never be entered, output checks, prohibited uses, disclosure rules and how to request tools or raise concerns.
What AI policies does a business need?
Most start with acceptable use, then add data/confidentiality, procurement, risk and oversight, and incident-response policies as they mature.
Does the EU AI Act require an AI policy?
Not by that name, but policies are how you operationalise and evidence literacy, transparency and oversight duties.
How often should AI policies be reviewed?
At least annually, and whenever a major new tool or obligation arrives.
Who should own the AI policy?
A named owner — often in legal, risk or a dedicated AI lead — responsible for keeping it current.
Last updated 19 June 2026.