The 5 essential elements of AI policy for your organisation

Tackle AI governance with compliance & certainty

What questions are you asking about artificial intelligence? A year ago, it probably was ‘what are the possibilities of AI?’ Today, the more urgent question should be: ‘How should we correctly use AI?’

The explosion of AI tools has placed immense power directly into the hands of every employee. This creates incredible opportunities for productivity but also opens the door to significant risks: confidential data being fed into public models, copyrighted material being used without permission, and business decisions being influenced by inaccurate or biased AI-generated content.

Faced with this new reality, many leaders feel paralysed and have no clue how to tackle the impact of this huge AI wave. Setting up policies and rules around AI governance often seems overwhelming. But getting started doesn’t require a six-month project. All you need to take is a focused, pragmatic first step.

This is where your AI policy framework comes in. It’s a set of five foundational documents designed to provide 80% of the necessary governance with 20% of the effort. It’s not the final word on AI governance, but it is the essential first word - the practical, immediate toolkit every organisation needs to install right now to avoid the pitfalls of AI use.

The AI policy framework – a foundation for the future

Waiting for the perfect, all-encompassing AI strategy is a losing game. The technology is changing every day, so it is better to start with something than to miss out on it all.

This approach is effective because it’s:

  • Fast to implement: You can draft and deploy these core documents in weeks, not months, immediately reducing your biggest unmanaged risks.
  • Action-oriented: It moves the conversation from abstract principles to concrete rules that your employees can understand and follow every day.
  • Foundation for the future: These documents create the essential scaffolding upon which you can build a more mature governance program as your AI usage grows and regulations like the EU AI Act become fully enforced.

The 5 core documents of your AI policy framework

1. AI use policy
What is it? The practical, day-to-day rulebook for all your employees. This document should be written in plain language, with clear “Dos and Don'ts”. It’s the most critical document for mitigating your immediate operational risks.
Why is it essential? Your employees are already using generative AI. This policy closes the gap between their current activity and your company's risk tolerance. It protects your most valuable assets (apart from your people of course): your data and your intellectual property.
  • Key "don't" rules to include:
    • Don’t put any confidential company information, intellectual property, personal data, or customer data into public AI tools. When in doubt, err on the side of caution and treat the information as prohibited for AI use.
    • Don’t present AI-generated content as your own original work without verification.
    • Don’t use AI-generated outputs for any final decision-making in critical areas (e.g. HR, legal, contracts) without human review and approval.
  • Key "do" rules to include:
    • Do use AI to brainstorm, summarise, and improve your work efficiency.
    • Do fact-check all outputs from generative AI before using them in any external communication.
    • Do follow the System risk assessment (see doc 4 below) before adopting any new AI tool.
  • How to use it: Make this policy mandatory for all your employees and contractors and require them to formally accept it. Include it in your annual compliance training. Review and update the policy on a regular basis.
2. AI Governance Committee (AIGC) terms of reference
What is it? The foundational charter that establishes the central, cross-functional body for AI oversight. This document defines who collaborates on AI decisions and how people in your company will work together with AI. It’s the keystone that gives authority to the other documents.
Why is it essential? AI is too widely applicable for siloed decisions. This committee provides a single forum to align innovation with risk management, ensuring we move forward in a coordinated and responsible way and that one department's initiative doesn't create unintended risks for another.
  • Key elements to include:
    • Mission: To guide the company's responsible and strategic adoption of AI, aligning innovation with our business values, legal obligations, and operational realities.
    • Membership: A flexible group led by a designated Committee Lead, with core participation from IT & security, legal counsel, and relevant department heads as needed. A representative from the management team should also participate.
    • Authority & decision-making: The AIGC is primarily a coordination and advisory body. Each manager retains their existing operational authority. However, they commit to following the governance process, making sure all key stakeholders are at least consulted or informed. For strategic or high-impact decisions, the committee formulates a joint recommendation to be formally approved by senior management.
    • Record-keeping: The committee must maintain a decision log to formally document all its reviews, recommendations, and approvals for audit and traceability purposes.
  • How to use it: This document should be the first item for discussion and approval at the launch meeting of the AI Governance Committee, serving as its official mandate.
3. AI literacy & enablement program outline
What is it? A structured plan to build AI competency across your organisation, balancing skill enablement with responsible governance. A policy is only as good as the people who follow it and this document ensures everyone has the necessary knowledge to do so.
Why is it essential? An untrained workforce is your biggest AI risk. This program operationalises the other policies by moving beyond rules to build practical skills. It directly addresses the AI literacy expectations of the EU AI Act and empowers employees to be a part of the solution, not the problem, by teaching them how to leverage approved tools to their full potential.
  • Key program tiers to outline:
    • Tier 1: AI foundations - mandatory for all employees. The universal baseline of knowledge. Covers your AI Use Policy, critical data security rules, and how to use the System risk assessment (see doc 4 below).
    • Tier 2: AI practitioner skills - for managers & power users. This tier focuses on generating value safely. It includes hands-on training in effective prompt engineering, critical evaluation of AI outputs, and how to use the AI vendor due diligence questionnaire (see doc 5 below).
    • Tier 3: AI governance & technical expertise - for specialised roles. A deep dive for AIGC members, legal, and technical teams. Covers the complex interplay of key regulations, including the EU AI Act, GDPR, the Data Act, and any industry-specific rules (e.g. in finance or healthcare), alongside advanced bias mitigation and secure AI development.
  • How to use it: This outline serves as the blueprint for your HR and L&D teams. The program should be integrated into employee onboarding, with Tier 1 as a mandatory starting point. Completion must be tracked for compliance audits and linked to professional development goals to encourage adoption.
4. AI system inventory & register
What is it? Instead of creating a system from scratch, this is an enhancement to your existing software inventory or asset management process. It updates your current procedures for the new reality of embedded AI, creating a single source of truth for our entire AI landscape.
Why is it essential? This register prevents ‘shadow AI use’ by creating a formal intake process for any tool with AI features. It provides leadership with a clear view of AI risk and creates an auditable trail for regulators.
  • Key information to capture for each system:
    • System name, business owner and purpose.
    • Our Role(s): (check all that apply) [ ] Provider [ ] Deployer [ ] Importer [ ] Distributor.
    • Activation & commercials:
      • Activation: Is the AI feature on by default or must it be activated?
      • Cost impact: Is there an additional or consumption-based cost for AI use?
      • Terms: Are the terms covered by our existing agreement or are there new T&Cs?
    • System risk assessment:
      • Prohibited check: Does it perform a prohibited function (e.g. social scoring)? [ ] Yes (STOP) / [ ] No
      • High-risk check: Is it used for hiring, credit scoring, or other critical areas? [ ] Yes (AIGC review required) / [ ] No
      • Transparency check: Is it a chatbot, or does it generate human-like content? [ ] Yes (transparency review required) / [ ] No
  • How to use it: This updated inventory process must be the mandatory "front door" for any new AI tool. The AIGC reviews the register quarterly to monitor the company's risk profile.
5. AI vendor due diligence questionnaire
What is it? A standard checklist of questions to send to any vendor before you purchase their AI-powered software.
Why is it essential? It shifts the burden of proof. It forces vendors to be transparent about their own compliance and data practices, allowing you to make an informed decision and document your due diligence.
  • Key questions to ask:
    1. AI Act classification: ‘Under the EU AI Act, what is each party’s role and what is the risk classification of the system in scope? If you claim it is not 'high-risk', please provide your justification.’
    2. Data training: ‘Can you provide a summary of the types of data used to train the model in scope? Are you compliant with GDPR if personal data is used?’
    3. Data usage: ‘Does our company's data get used to train your model for other customers? If so, how can we opt out?’
    4. Bias mitigation: ‘What steps have you taken to identify and mitigate potential biases in your algorithm?’
    5. Human oversight: ‘What features are included in your system to allow for human oversight and intervention?’
  • How to use it: Make this a mandatory part of your procurement process for any software with AI features. The vendor's answers become a part of your official record for that system.

Would you like practical, personal advice on how to integrate these five documents within your organisation?

Contact BDO’s AI experts and maximise AI potential while securing yourself from the emerging risks.