Writing an AI policy: step-by-step template for organisations
An AI policy is the governance instrument that translates the EU AI Act's obligations into organisational commitments and accountabilities. An EU AI Act-aligned policy covers at least the scope, AI principles, the governance structure, the AI inventory and classification, the Art. 5 prohibitions, the approval process, human oversight, literacy, and incident reporting.
Updated: June 2026
Introduction: why your organisation needs an AI policy
The EU AI Act does not explicitly require a standalone "AI policy" document. But it does require organisations to demonstrate systematic governance of AI systems, and that systematic governance is most effectively expressed and communicated through a formal policy. An AI policy is the governance instrument that translates regulatory obligations into organisational commitments, processes, and accountabilities.
Without a policy, you cannot demonstrate to supervisory authorities that AI governance is systematic rather than ad hoc. Without a policy, staff do not know what is expected of them. Without a policy, new AI purchases happen without governance oversight.
Who should approve the AI policy?
The AI policy should be approved by senior management, ideally the Board or Management Team, and owned by a named AI Officer or equivalent. Senior sign-off demonstrates organisational commitment and creates accountability at the governance level.
Mandatory elements of an EU AI Act-aligned AI policy
1. Scope
Define which systems and activities the policy covers. Include: all AI systems used by the organisation, all staff and contractors who use AI, and AI systems used on the organisation's behalf by third parties.
2. Principles
Articulate the organisation's AI principles. These should reflect EU AI Act values: human oversight, transparency, non-discrimination, accountability, and privacy. Principles give the policy normative weight and guide interpretation of specific rules.
3. Governance structure
Name the AI Officer and define their responsibilities. Define who has approval authority for new AI system deployments. Define the escalation path for AI compliance concerns.
4. AI inventory and classification
State that a formal AI inventory will be maintained, describe the classification methodology, and define who is responsible for classification decisions.
5. Prohibited uses
Explicitly list AI uses that are prohibited under Art. 5, with examples relevant to your organisation's context. This is a non-negotiable policy element that protects the organisation from rogue deployments.
6. Approval process for new AI
Define the process for procuring or developing new AI systems: inventory registration, classification, DPIA/FRIA where required, governance sign-off, and supplier due diligence.
7. Human oversight requirements
State that high-risk AI systems require qualified human oversight, define the minimum oversight standards, and reference the oversight log requirements.
8. Training and literacy
State the Art. 4 literacy obligation and describe your training programme.
9. Incident reporting
Define what constitutes an AI incident, the internal reporting chain, and the conditions for external reporting to the competent supervisory authority under Art. 73.
10. Policy review
State the review frequency (minimum annual) and the trigger conditions for interim review (significant new AI deployment, regulatory change, serious incident).
AI policy template
[Organisation Name], AI Governance Policy
Version: 1.0 | Approved by: [Name, Role] | Date: [Date] | Review date: [Date + 1 year]
1. Purpose and Scope
This policy governs the use, procurement, and development of artificial intelligence systems at [Organisation Name]. It applies to all staff, contractors, and third parties who use AI systems on our behalf.
2. AI Principles
We commit to: human oversight of consequential AI decisions; transparency with individuals affected by AI; non-discriminatory AI deployment; continuous monitoring of AI system performance; and compliance with all applicable regulation including the EU AI Act.
3. AI Officer
[Name/Role] is appointed as AI Officer responsible for maintaining the AI inventory, overseeing classification, and ensuring policy compliance.
4. Prohibited Uses
No AI system may be used for: social scoring by public authorities; real-time biometric identification in public spaces for law enforcement; subliminal manipulation; exploitation of vulnerable groups; or any other purpose prohibited by Art. 5 EU AI Act.
5. New AI Procurement Process
No new AI system may be deployed without: registration in the AI inventory, classification assessment, and AI Officer approval. High-risk AI additionally requires DPIA/FRIA and Management Team approval.
Compliance checklist
- Is there a formally approved AI policy?
- Does the policy cover all ten mandatory elements?
- Is the AI Officer named, with defined responsibilities?
- Is there a documented approval process for new AI procurement?
- Are Art. 5 prohibited uses explicitly addressed?
- Is there an annual policy review process?