Writing an AI Policy: Step-by-Step Template for Organisations
Updated: June 2026 — full revision to Validai quality standard
Introduction: Why Your Organisation Needs an AI Policy
The EU AI Act does not explicitly require a standalone "AI policy" document. But it does require organisations to demonstrate systematic governance of AI systems — and that systematic governance is most effectively expressed and communicated through a formal policy. An AI policy is the governance instrument that translates regulatory obligations into organisational commitments, processes, and accountabilities.
Without a policy, you cannot demonstrate to supervisory authorities that AI governance is systematic rather than ad hoc. Without a policy, staff do not know what is expected of them. Without a policy, new AI purchases happen without governance oversight.
Who Should Approve the AI Policy?
The AI policy should be approved by senior management — ideally the Board or Management Team — and owned by a named AI Officer or equivalent. Senior sign-off demonstrates organisational commitment and creates accountability at the governance level.
Mandatory Elements of an EU AI Act-Aligned AI Policy
1. Scope
Define which systems and activities the policy covers. Include: all AI systems used by the organisation, all staff and contractors who use AI, and AI systems used on the organisation's behalf by third parties.
2. Principles
Articulate the organisation's AI principles. These should reflect EU AI Act values: human oversight, transparency, non-discrimination, accountability, and privacy. Principles give the policy normative weight and guide interpretation of specific rules.
3. Governance Structure
Name the AI Officer and define their responsibilities. Define who has approval authority for new AI system deployments. Define the escalation path for AI compliance concerns.
4. AI Inventory and Classification
State that a formal AI inventory will be maintained, describe the classification methodology, and define who is responsible for classification decisions.
5. Prohibited Uses
Explicitly list AI uses that are prohibited under Art. 5, with examples relevant to your organisation's context. This is a non-negotiable policy element that protects the organisation from rogue deployments.
6. Approval Process for New AI
Define the process for procuring or developing new AI systems: inventory registration, classification, DPIA/FRIA where required, governance sign-off, and supplier due diligence.
7. Human Oversight Requirements
State that high-risk AI systems require qualified human oversight, define the minimum oversight standards, and reference the oversight log requirements.
8. Training and Literacy
State the Art. 4 literacy obligation and describe your training programme.
9. Incident Reporting
Define what constitutes an AI incident, the internal reporting chain, and the conditions for external reporting to the AP under Art. 73.
10. Policy Review
State the review frequency (minimum annual) and the trigger conditions for interim review (significant new AI deployment, regulatory change, serious incident).
AI Policy Template
[Organisation Name] — AI Governance Policy
Version: 1.0 | Approved by: [Name, Role] | Date: [Date] | Review date: [Date + 1 year]
1. Purpose and Scope
This policy governs the use, procurement, and development of artificial intelligence systems at [Organisation Name]. It applies to all staff, contractors, and third parties who use AI systems on our behalf.
2. AI Principles
We commit to: human oversight of consequential AI decisions; transparency with individuals affected by AI; non-discriminatory AI deployment; continuous monitoring of AI system performance; and compliance with all applicable regulation including the EU AI Act.
3. AI Officer
[Name/Role] is appointed as AI Officer responsible for maintaining the AI inventory, overseeing classification, and ensuring policy compliance.
4. Prohibited Uses
No AI system may be used for: social scoring by public authorities; real-time biometric identification in public spaces for law enforcement; subliminal manipulation; exploitation of vulnerable groups; or any other purpose prohibited by Art. 5 EU AI Act.
5. New AI Procurement Process
No new AI system may be deployed without: registration in the AI inventory, classification assessment, and AI Officer approval. High-risk AI additionally requires DPIA/FRIA and Management Team approval.
Compliance Checklist
- Is there a formally approved AI policy?
- Does the policy cover all ten mandatory elements?
- Is the AI Officer named, with defined responsibilities?
- Is there a documented approval process for new AI procurement?
- Are Art. 5 prohibited uses explicitly addressed?
- Is there an annual policy review process?