Implementation guide

AI policy template for companies – 7-point framework aligned with the EU AI Act

From 2026, every EU-based company that uses AI tools is legally required to document how those tools are used. An AI policy is not a document for the regulator – it is an operational instrument for the board, legal, IT and HR. This guide shows how to write a seven-section AI policy that meets the EU AI Act requirements, protects company data and does not block teams from using AI productively.

Author: Kacper Włodarczyk, Founder of ALGORCOMP
Published: May 20, 2026
Reading time: 15 min
Category: Artificial intelligence
For: Universal

Why an AI policy became mandatory in 2026

Until 2024, an internal AI policy was a voluntary topic – a question of board maturity and corporate culture. From August 2026, with the full entry into force of the EU AI Act, the situation has changed qualitatively. Every company that uses AI systems in its operations – including widely available ones such as ChatGPT, Microsoft Copilot, Claude or Gemini – now has concrete documentation and organisational obligations.

The most important obligation is simple: the organisation must know which AI systems it uses, for what purposes, who is accountable for them, how it assesses their risk, and how it ensures that employees use them in a way that is safe for company and personal data. An AI policy is how the organisation documents these decisions – and at the same time how it communicates them to teams.

AI Act violations are expensive. Using prohibited AI systems can trigger fines of up to €35m or 7% of global annual turnover (whichever is higher). Failure to meet information and documentation duties can cost up to €15m or 3% of turnover. These figures sound like numbers for large corporations, but they apply equally to mid-sized firms processing data of European customers with AI.

The other side of the coin is even more important. An AI policy is not just a compliance document – it is an operational tool. A well-written policy reduces shadow AI incidents, structures AI tool purchasing across the company, gives employees clarity on what is allowed, and lets the organisation approve new tools faster.

  • EU AI Act fully in force from August 2026 – obligations apply to every company using AI
  • fines for violations: up to €35m or 7% of global annual turnover
  • documentation duty: which AI systems are used, who owns them, how risk is assessed
  • AI policy as an operational tool, not just a legal document
  • reduces shadow AI incidents and structures AI tool purchasing

What the EU AI Act actually requires from a company using AI

The AI Act divides AI systems into four risk classes: unacceptable, high-risk, limited-risk and minimal-risk. Most tools that companies use in everyday work (text assistants, image generators, data analysis tools) fall into the 'limited' or 'minimal' risk category. In practice this means the company mostly has obligations around transparency, documentation and responsible oversight – without expensive certification audits.

Concretely, the company must: maintain an internal register of AI systems in use, inform employees and customers about AI use where it matters (e.g. customer service), ensure employees have sufficient AI knowledge (so-called 'AI literacy'), appoint persons responsible for oversight, and have a documented incident response procedure.

Some scenarios are outright prohibited: AI systems for social scoring of citizens, untargeted biometric categorisation in public spaces, manipulation of employee emotions in the workplace. In a typical services, trading or manufacturing company these prohibitions do not come up – but the AI policy must explicitly list them so that employees do not accidentally introduce a prohibited system on their own.

Supervisory authorities will primarily verify four things: whether the company has an AI policy, whether it keeps a register of systems, whether it trains employees, and whether it has an incident procedure. Lack of any of these four is a classic ground for an administrative penalty – even if no specific incident has occurred.

  • 4 AI risk classes: unacceptable, high, limited, minimal
  • company duties: system register, AI literacy, transparency, incident procedure
  • prohibited scenarios (social scoring, emotion manipulation) must be explicitly named
  • regulator audits focus on 4 elements: policy, register, training, procedure

7 areas a good AI policy must cover

An AI policy should not be a long, lawyerly document. In practice a short, concise format works best – split into seven concrete areas, each of which an employee should be able to understand in less than two minutes. The whole policy fits on 4–6 pages, available on the intranet and in the onboarding pack.

Area one is the catalogue of approved AI tools. A list of tools allowed for business use, split into three categories: approved for use with any data (e.g. corporate Microsoft Copilot, Claude for Work with an agreement), approved only for public data (e.g. public ChatGPT for general content marketing), not approved for business use (e.g. experimental tools without a security audit).

Area two is data classification and permitted uses. The policy must clearly define which categories of company data can be passed to AI tools. A classic split: public (anywhere), internal (only to tools with a corporate agreement), confidential (only to tools with a private AI architecture), secret (forbidden in any AI tool).

Area three is roles and accountability. The policy names concrete persons or functions: who owns the AI policy (usually CIO/CTO or a compliance officer), who maintains the system register, who approves new tools, who runs training, who receives incident reports. Without concrete names or functions the policy is a dead document.

Area four is the approval path for new AI solutions. Every new AI tool in the company should pass a lightweight assessment: why are we introducing it, what data will it process, who will use it, what is its security model, does it have a certification. For low-risk tools the procedure is a one-page form; for tools handling confidential data – a more thorough analysis.

Area five is audit and monitoring rules. How often the company verifies whether the policy is actually applied – once or twice a year. Who reviews the tools in use (checking that no shadow AI has appeared), how training effectiveness is verified, and how the policy is updated after material changes (new AI Act amendments, new tool categories).

Area six is the incident response procedure. If there is a data leak through an AI tool, an AI-generated wrong decision, or employee misuse – who is notified immediately, how the incident is documented, when relevant authorities are informed (data protection regulator for personal data, sector regulators for finance), how we communicate the incident to customers.

Area seven is consequences of policy violations. Directly, without generalities: which violations lead to a warning conversation, which to a written reprimand, which to termination. This is not a punitive area – it is an area that gives employees predictability and lets HR make consistent decisions.

  • 1. catalogue of approved AI tools (3 categories)
  • 2. data classification and permitted uses
  • 3. roles and accountability – concrete people/functions
  • 4. approval path for new AI tools
  • 5. audit and monitoring rules
  • 6. incident response procedure
  • 7. consequences of policy violations

AI policy template – ready-to-deploy structure

The template below presents a ready structure for a company AI policy that can be implemented within 7–14 days of board decision. Each section is deliberately short so that employees actually read it. For most mid-sized companies the final policy fits on 5–6 pages of A4.

Section 1. Introduction and purpose of the policy. 'This policy defines the rules for using artificial intelligence in [Company Name] to ensure data security, regulatory compliance (in particular GDPR and the EU AI Act), and responsible AI use in everyday work. The policy applies to all employees and contractors, regardless of employment form.'

Section 2. Catalogue of approved AI tools. A three-column table: tool name, permitted data categories, business owner (name of the policy approver for this tool). Updated quarterly by the designated AI Officer.

Section 3. Data classification. 'Company data is divided into four classes: public (marketing materials, website content), internal (procedures, operational documentation, project data), confidential (customer data, contracts, non-public financial data, HR data), secret (legally protected data, negotiation strategies, M&A data). Each class has approved AI tools listed in Section 2.'

Section 4. Roles and accountability. List of functions: AI Officer (policy owner, coordinator of submissions, maintains system register), Compliance Officer (audits, regulator contact), Information Security Officer (security incidents), HR Director (training, consequences of violations), department heads (operational responsibility for policy adherence in their teams).

Section 5. Procedure for introducing new AI tools. 'An employee requesting approval of a new AI tool completes the assessment form (Annex 1) and submits it to the AI Officer. The AI Officer reviews within 5 working days. For tools handling "confidential" class data or higher, additional approval from the Information Security Officer and Compliance Officer is required.'

Section 6. Incident procedure. 'Every employee has the duty to immediately report an AI-related incident (data leak, AI-generated wrong decision with material consequences, suspected misuse) to the AI Officer and direct line manager. The incident is documented in the internal register. In the event of personal data leakage, the data protection authority is notified within 72 hours under GDPR Art. 33.'

Section 7. Training and AI literacy. 'Every new hire completes AI policy training as part of onboarding. All employees refresh the training annually. Positions with intensive AI contact (IT, analysts, customer service) take extended domain training at least twice a year.'

Section 8. Audit and policy review. 'The AI policy is reviewed and updated at least once a year and after every material change in law, the emergence of a new generation of AI tools, or a significant incident. The review is led by the AI Officer together with the Compliance Officer and presented to the board.'

Section 9. Consequences of violations. 'Policy violations are assessed by the HR Director and direct line manager. Intentional violations leading to confidential data leakage may result in termination without notice and pursuit of civil damages.'

  • 9 sections on 5–6 A4 pages – ready to deploy in 7–14 days
  • tools table updated quarterly
  • 4-level data classification synced with GDPR
  • concrete roles: AI Officer, Compliance, ISO, HR Director
  • tool approval path 5 working days for low risk
  • incident procedure synced with GDPR 72h
  • onboarding training + annual refresher

An AI policy is not a legal document – it is an operating manual. An employee must be able to find out in two minutes what is allowed, what is not, and where to report a concern. Any policy that does not pass that test does not, in practice, exist.

Data classification in the AI policy – how to make it practical

The most common mistake when writing an AI policy is an overly complex data classification. An employee with 12 categories in their head simply doesn't use it in practice – after the first week they go back to intuition. An effective policy is based on four clear classes that everyone in the organisation understands with one example each.

Public data is anything that is already accessible externally: website content, published marketing materials, publicly available offers, financial statements of listed companies, public register entries. For this data the policy imposes no restrictions – the employee can paste it into any AI tool without consequences.

Internal data is material that we do not publish externally, but whose leakage would not cause serious consequences: operational procedures, process documentation, training materials, internal presentations, non-public meeting notes. Approved AI tools for this category are those with which the company has an agreement guaranteeing that the data is not used to train public models (Microsoft 365 Copilot, ChatGPT Enterprise/Team, Claude for Work, Gemini for Workspace).

Confidential data covers anything related to customers, contracts, non-public financials and employees: customer personal data, contract content, financial data outside published statements, HR data, offers in negotiation. For this data, only corporate-grade solutions are permitted, with retention and EU storage guarantees (typically Microsoft 365 Copilot on an appropriate plan, Azure OpenAI with private endpoints, enterprise deployments of Claude or Gemini through Vertex AI).

Secret data is a special category: strategic M&A data, competitive intelligence, legal negotiation strategies, restructuring plans, specially protected categories under GDPR Art. 9 (medical, biometric). For this class the policy should require a private AI architecture – systems operating exclusively in the company's infrastructure, without any transfer to external providers. This is covered in depth in our article on private AI for business.

  • 4 data classes instead of 12 – so employees actually understand them
  • public: any AI tool
  • internal: only with a corporate agreement (Microsoft 365 Copilot, ChatGPT Enterprise, Claude for Work)
  • confidential: only with retention and EU storage guarantees
  • secret: private AI only, infrastructure inside the company
Data classes and permitted AI tool classes

Data class   | Example                                       | Permitted tools
Public       | website, marketing materials, public register | any AI tools
Internal     | procedures, training materials, meeting notes | AI with corporate agreement
Confidential | customer data, contracts, financial data      | AI with retention and EU location guarantees
Secret       | M&A data, medical, biometric data             | private AI / on-premise only

AI system register – the foundation of AI Act compliance

The AI Act requires the company to maintain a register of AI systems used in the organisation. This requirement often surprises boards: 'but we don't have our own AI systems'. In practice, every SaaS tool with an AI feature, every CRM plugin with generative text, every Microsoft 365 Copilot licence – these are AI systems under the regulation. A typical mid-sized company has dozens of them.

The register does not need to be complex. A spreadsheet table available to the AI Officer and Compliance is fully sufficient. Minimum fields: system name, vendor, AI Act risk class, data categories processed, functional owner in the company, approval date, last review date, link to vendor compliance documentation.

We update the register in three situations: when introducing a new AI tool (filled by the AI Officer in the approval path from Section 5 of the policy), on material change in an existing tool (e.g. vendor adds a new AI module to an existing system), and as part of the annual review (verification that the list is current, no system has been retired).

The most common mistake: maintaining a register only for tools 'bought centrally' by IT. In practice marketing, sales and HR teams often introduce their own AI tools within their budgets. The policy must require every such tool to be in the register – otherwise shadow AI appears quickly, with no one monitoring it.

  • register is an AI Act obligation – every AI tool in the organisation
  • minimum fields: name, vendor, risk class, data, owner, dates, documentation
  • update: new introduction, material change, annual review
  • pitfall: register only for IT-bought tools – marketing/HR introduce AI too

AI literacy – training obligation under the AI Act

Article 4 of the AI Act introduces the concept of 'AI literacy' – the duty to ensure that persons involved in handling AI systems in the company have sufficient knowledge to use them in an informed and safe manner. This requirement entered into force earlier than most other obligations (February 2025), but often escapes board attention.

AI literacy does not mean every employee must complete a technical course on neural networks. It means they know the basics: what an AI tool is, what its limitations are (e.g. 'it can fabricate facts'), what data may be passed to it, how to recognise a wrong answer, how to report incidents. In practice a two-hour training covers the needs of most positions.

The AI policy should clearly describe three levels of training. Basic level (all employees, 2h, annually) – general rules, company policy, data classification, incident procedure. Advanced level (departments using AI intensively, 4–6h, twice a year) – domain specifics, industry scenarios, error recognition. Expert level (AI Officer, IT, Compliance, 1–2 days annually) – AI Act, audit, risk assessment, incident management.

Effective training is practical. The most common mistake is e-learning where the employee clicks 'next, next, next' and passes a multiple-choice test at the end. Short workshops in groups of 5–10 people work better, based on real scenarios from the company: 'you got an email asking you to analyse this contract in ChatGPT – what do you do?'. After such a workshop the employee actually knows what to do.

  • AI Act Art. 4 – AI literacy obligation in force since February 2025
  • 3 levels of training: basic (everyone), advanced (intensive users), expert (IT/Compliance)
  • practical 5–10 person workshops work better than e-learning
  • real scenarios from the company – not general theories

Incident procedure – concrete steps when something happens

The weakest element of most AI policies is the incident procedure. It often reduces to 'in case of an incident, notify the AI Officer'. This is far too little – an employee under stress needs concrete steps, not a general directive. A good procedure fits on one page and describes four types of incidents with a specific response path for each.

Type 1: leak of confidential data into a public AI tool. Example: an employee pasted a contract fragment into public ChatGPT. Procedure: (1) immediate notification of the AI Officer and direct line manager, (2) document the scope of the leak (which data, when, into which tool), (3) assess whether the leak includes personal data – if so, notify the data protection authority within 72h under GDPR Art. 33, (4) assess whether customer notification is required, (5) record in the incident register.

Type 2: AI-generated wrong decision with material consequences. Example: an AI customer service agent gave wrong information that caused financial loss or complaints. Procedure: (1) stop the agent or its functionality, (2) determine the scope of damage and number of cases, (3) communicate with customers, (4) analyse the cause – model error, integration error, prompt error, (5) correct and restart under supervision.

Type 3: employee misuse of AI. Example: employee used an AI tool in a way violating company policy (e.g. generated a fake contract, automated something without manager's knowledge). Procedure: (1) report to HR Director, (2) internal investigation, (3) decision on consequences per Section 9 of the policy.

Type 4: external AI-enabled attack. Example: someone sent an AI-generated phishing email, impersonated the CEO using a generative voice, attempted to manipulate the company chatbot. Procedure: (1) Information Security Officer takes over, (2) assessment whether breach occurred (data loss, funds), (3) standard cyber incident procedure, (4) report to AI Officer for register documentation.

  • 4 incident types: data leak, AI wrong decision, employee misuse, external attack
  • each type has its own path – not a generic 'notify AI Officer'
  • personal data leak: notify regulator in 72h (GDPR Art. 33)
  • all incidents documented in register – material for annual policy review

Most common mistakes when writing an AI policy

Experience from dozens of deployments shows five mistakes most organisations make in their first AI policy attempt. Each one means the policy is never actually applied: employees sign it and forget it.

Mistake 1: policy as a legal document, not an operational one. The board commissions a policy from a law firm. A 30-page document returns full of references to AI Act and GDPR articles. The employee reads two paragraphs, decides 'this is not for me', and returns to their habits. The policy should be written in operational language; the legal section can be an annex for Compliance.

Mistake 2: overly restrictive policy. The board fears risk, so introduces a ban on using any AI tools without individual approval. Result: employees still use AI, just without the organisation's knowledge – 'shadow AI' from personal phones and accounts appears. Better strategy: give employees a legal, safe alternative (e.g. Microsoft Copilot with corporate agreement) and write the policy around what is allowed.

Mistake 3: lack of concrete roles. The policy says 'should be reported', 'should be approved', 'should be updated' – without naming a specific function. Result: nothing happens, because no one feels responsible. Every procedure in the policy must have an assigned function (not a name – a function, because names change).

Mistake 4: one-time project. The company writes the policy once, signs it, dumps it on the intranet and forgets about it for 3 years. In that time 5 new classes of AI tools appear, regulations change, and two employees introduce shadow AI. The policy must be reviewed at least annually, ideally every six months.

Mistake 5: no training on the policy. The policy hangs on the intranet but no one reads it. Introducing a policy without a 2-hour training for all employees is wasted time. The best organisations combine the policy rollout with practical workshops where employees solve real scenarios.

  • mistake 1: policy as legal document instead of operational
  • mistake 2: overly restrictive policy → shadow AI
  • mistake 3: no concrete roles – 'should be reported', but to whom
  • mistake 4: policy written once, not updated for 3 years
  • mistake 5: policy without training on the policy

AI policy deployment timeline – 14 days from decision to document

An AI policy does not require months of consultation. An average company can deploy a complete policy within 14 days of board decision. The key is working in a small task force (board + Compliance + IT + HR, 4–5 people total) and building on a proven template rather than writing from scratch.

Days 1–3: current state assessment. Inventory of AI tools used in the company (survey of department heads), identification of data categories processed, assessment of current incidents and concerns. Output: one-page baseline diagnosis.

Days 4–8: writing the first version. Using the template (section 'AI policy template' in this article), adapting to company specifics, filling in the tools table, naming concrete roles. Output: 9-section policy draft plus AI system register in a spreadsheet.

Days 9–11: internal consultation. The draft goes to heads of key departments (sales, customer service, finance, IT) for comments. Goal: ensure the policy is realistic, does not block operations, is understandable to employees without legal background.

Days 12–13: finalisation and approval. Revisions, board approval, document signing, publication on the intranet. Preparation of training materials (slides or short 5–7 minute video with the most important rules).

Day 14 and beyond: policy announcement + training. Board communication to all employees, schedule of two-hour workshops in groups of 5–10 people (spread over 2–4 weeks). After training, each employee signs an acknowledgement.

In the same 14-day window it is worth planning one more element: a consultation with a partner specialising in AI deployments (Algorcomp advisory and strategy), so the policy reflects the current state of the AI tool market, not just the state on the day it was written.

  • 14 days from board decision to signed policy
  • task force: 4–5 people (board + Compliance + IT + HR)
  • work on template, not from scratch
  • internal consultations with heads before finalisation
  • practical workshops 5–10 people, not e-learning

AI policy and other company documents – how to avoid duplication

Most mid-sized companies already have several regulatory documents: information security policy, data protection (GDPR) policy, work regulations, industry-specific policies (e.g. compliance for regulated service firms). The AI policy is not meant to replace them – it should plug into them.

The information security policy describes general data protection rules in the company – who has access to which systems, how they are encrypted, how they are audited. The AI policy inherits these rules and adds a specific layer: how general rules translate to specific AI tools. In the AI policy a reference suffices: 'All AI systems are subject to the Information Security Policy [version date], in particular the section on data classification and access control.'

The data protection policy (GDPR) describes how the company processes personal data – legal grounds, retention, sharing with parties. The AI policy expands this to AI tool specifics: which tools are approved 'processors' under GDPR, what data processing agreements are signed, how the legal basis for processing personal data in AI tools is documented.

The work regulations can include a brief mention of the AI policy in the 'employee duties' section – so a policy violation has a clear status in the employment relationship. Wording: 'The employee is obliged to comply with the AI Use Policy of [Company Name], the current version of which is available on the intranet.' Full content stays in the AI policy.

The AI policy should not duplicate other documents' content. Its role is to be a single source of truth in the AI area, not a collection of GDPR and AI Act quotes. An employee returning to the AI policy is looking for an answer to a specific operational question – not a law lecture.

  • AI policy does not replace, only complements existing company documents
  • links to information security policy and data protection policy
  • work regulations: brief mention of the duty to comply with the AI policy
  • AI policy = single source of truth on AI, not a collection of legal quotes

Frequently asked questions about company AI policy (FAQ)

Is an AI policy mandatory? Yes, in practically every company using AI tools in business activity. The EU AI Act, from August 2026, requires organisations to document which AI systems they use, who is responsible, and how they manage their risk. An AI policy is the most efficient way to meet this obligation.

Does a small company (under 20 people) also need an AI policy? Yes. The AI Act does not differentiate obligations by company size. For small companies the policy can be shorter (2–3 pages instead of 5–6), but all seven areas must be covered. In small firms one person typically holds several roles (CEO often combines AI Officer, Compliance and HR Director).

Is it enough to use the AI vendor's policy? No. AI vendors (Microsoft, OpenAI, Google) publish their own documents on rules for using their tools – these are their terms of service, not the company's policy. The company must have its own policy describing how it itself uses these tools in its operations.

How often should the AI policy be updated? At least annually, ideally every six months. Additionally after every material change in law (further AI Act implementing acts), the emergence of a new generation of tools (e.g. a new Microsoft Copilot version with a different pricing model), or after a material incident in the company.

Does the AI policy have to be in the local language? Yes, if the company operates in a given country and employs local-language employees. The policy is a document addressed to employees – it must be understandable to them. International firms often have two versions (e.g. PL + EN) with a clause governing which version prevails.

Who bears liability for an AI policy violation? Depending on the scale: the specific employee (employment consequences per Section 9 of the policy), the department head (oversight responsibility), the AI Officer (policy responsibility), the board (organisational responsibility). For serious violations (data leak) liability can be civil and administrative.

Do we need an external advisor to write the AI policy? Not strictly necessary, but an outside perspective (law firm or AI-specialised consultancy) typically shortens the process by 4–6 weeks and increases certainty that the policy covers all AI Act areas. Realistic cost: PLN 8–20k for a mid-sized company.

  • AI policy mandatory in practically every company using AI
  • also in small companies (under 20 people) – shorter form, full coverage
  • vendor AI policy ≠ company policy – must be your own document
  • update at least annually, plus after material changes
  • policy in the local language for companies operating in that country
  • liability for violations: employee → department head → AI Officer → board

Summary – AI policy as the foundation of a mature organisation

The AI policy has stopped being an aspirational topic and become an operational standard. Every company using AI tools – and in 2026 that is practically every organisation – needs a document that structures how AI is used, protects company data, and meets the AI Act requirements.

A good policy is short, practical, built on a proven template and written in language understandable to an employee without legal background. It covers seven areas: catalogue of approved tools, data classification, roles and accountability, approval path for new solutions, audit rules, incident procedure, consequences of violations. It fits on 5–6 pages and is implemented in 14 days from board decision.

The most important effect of a well-deployed policy is not legal, but operational. The policy eliminates 'shadow AI', structures tool purchasing in the company, gives employees clarity. After the first months following deployment, companies observe a significant decline in AI-related incidents and at the same time a rise in conscious, productive use of AI tools in everyday work.

At Algorcomp we support clients in designing an AI policy tailored to the company's specifics and in conducting a full AI maturity audit – from inventory of tools used, through AI Act compliance assessment, to deployment of training and procedures. The wider context of AI management in an organisation is also covered in our article on AI governance for business, and the most common risks of lacking a policy – in our shadow AI analysis.

  • AI policy = operational standard and legal obligation from 2026
  • 7 areas, 5–6 pages, 14 days to deploy
  • effect: end of shadow AI, order in tool purchasing, conscious AI use
  • Algorcomp: AI maturity audit + policy design + practical training

About the author

Kacper Włodarczyk

Founder of ALGORCOMP

Founder of ALGORCOMP. He specialises in deployments of Microsoft 365 Copilot, Copilot Studio, Power Platform (Power Automate, Power Apps, SharePoint) and AI agents for mid-sized B2B companies in Poland. He leads dozens of projects covering AI strategy, Power Platform governance, document workflow automation and sales process automation. In his publications he focuses on the practical aspects of AI deployments in organisations, from the first POC to scaling across the whole company, with particular attention to data security, compliance (GDPR, NIS2, AI Act) and return on investment.

Do you need an AI policy for your company?

We can help you design an AI policy tailored to your company's specifics in 14 days, run an AI maturity audit and deliver practical training for your teams. Free 30-minute consultation in which we assess the starting state and present the deployment timeline.
