Creating an AI Policy: Practical Guide + Template

An AI use policy doesn't have to be a legal document. It's simply clarity — for your employees, your clients, and yourself.

Tom Mekenkamp · 7 min read

Why you need an AI policy now

I regularly speak with directors and managers who say: 'Our people are already using AI heavily, but we've never written anything down about it.' I recognise that. Adoption moves fast. Policy always lags behind. But at some point the gap gets too wide.

Creating an AI policy sounds like something for large corporations with legal departments. It isn't. A simple, clear policy is especially valuable for SMEs — not because the law (yet) requires it, but because your employees know where they stand, you reduce the risk of data leaks or mistakes, and your clients can see that you take AI seriously.

The European AI Act is rolling out in phases (the first obligations applied from February 2025). Most SMEs fall into the 'limited risk' category or use AI systems that vendors are already certifying. But the AI Act does introduce an AI literacy obligation for employees who work with AI — and that is precisely why internal policy makes sense right now.

Disclaimer: this article is not legal advice. For obligations under the AI Act, GDPR, or sector-specific regulations, consult a lawyer or compliance specialist.

What a good AI policy contains: the template

Below you'll find the building blocks for an AI use policy that works in practice. You don't need to get everything perfect in one go — start with the sections most relevant to your situation and expand from there.

1. Purpose and scope

State in one or two sentences why this policy exists and who it applies to. For example: 'This policy describes how employees of [company name] may use AI tools in their work. It applies to all employees, freelancers, and partners who work with company systems or data.'

Scope: does it cover only generative AI (ChatGPT, Copilot, Claude) or also automated decision-making, recommendation systems, and data screening? Be specific.

2. Permitted and prohibited uses

This is the core of the policy and the most-read section. Provide concrete examples — abstract rules are never followed.

  • Permitted: improving text, summarising internal documents, writing and reviewing code, generating ideas for campaigns or products.
  • Permitted with approval: automated client communications, AI-generated quotes or reports sent to clients.
  • Prohibited: entering client data, financial data, or personal data into public AI tools (free ChatGPT, free Claude.ai) without a data processing agreement.
  • Prohibited: publishing or sending AI output to clients without human review.
  • Prohibited: using AI for decisions about employees (selection, performance reviews) without explicit approval from HR and management.

3. Data use, privacy, and GDPR

This section provides the most protection for your business. GDPR applies whenever you enter personal data into an AI tool — the AI vendor becomes a data processor and you need a Data Processing Agreement (DPA).

  • Only use AI tools with a signed DPA when processing personal data.
  • Check whether the AI vendor uses your data for training — turn this off in the settings or choose a paid plan that excludes it.
  • Record in your AI register (see also the AI Act) which tools are used and for which category of processing.
  • When in doubt: anonymise or pseudonymise data before entering it.

4. Human oversight and accountability

AI makes mistakes. Language models hallucinate facts, produce plausible-sounding inaccuracies, and miss context. Specify who is responsible for AI output and how oversight is organised.

  • AI output that goes to clients is always reviewed by an employee with relevant expertise.
  • The employee who uses or publishes AI output is ultimately responsible — not the tool.
  • For higher-risk applications (legal texts, medical information, financial advice) a four-eyes principle applies.

5. Transparency with clients

When do you tell clients that AI was used? There is no universal legal obligation for every application, but transparency builds trust.

  • Specify the situations in which you inform clients that AI was used (e.g. automated replies, AI-generated reports).
  • Consider a standard line in your email signature or proposals: 'Parts of this document were drafted with AI assistance and have been reviewed for content by our team.'
  • Never use AI to impersonate a human employee when that is not the case.

6. AI literacy and training

The AI Act requires organisations, from 2025 onwards, to ensure that employees working with AI systems have sufficient AI literacy. A formal certificate is not required — but guidance and awareness are.

  • New employees receive an introduction to this policy and the AI tools you use.
  • There is a designated contact (AI coordinator or manager) for questions about AI use.
  • At least once a year, the policy is discussed with the team and new tools are evaluated.

7. Security

  • Use only approved AI tools on the internal list — no personal accounts containing company data.
  • Password management and MFA requirements apply to AI tool accounts too.
  • Report security incidents involving AI tools through the existing incident process.

8. Compliance and review

A policy that isn't enforced doesn't really exist. Keep it manageable with a simple review cycle.

  • The policy is reviewed at least every six months, or immediately following a relevant change in legislation or an AI-related incident.
  • Violations are handled like other conduct issues — proportionally and in line with the employee handbook.
  • The version and date of the last revision appear at the top of the document.

How to create the policy: five steps

Creating an AI policy doesn't have to take months. Here is an approach I've seen work in practice at SMEs.

  • Step 1 — Map current usage: ask employees which AI tools they already use. You'll be surprised by the variety. This immediately defines your scope.
  • Step 2 — Determine your risk level: do you process special categories of personal data or work in a regulated sector? If so, the bar is higher. If not, a compact set of guidelines is sufficient.
  • Step 3 — Write a draft using this template: use the eight sections above as your skeleton. Keep it concise — two to four pages is enough for most SMEs.
  • Step 4 — Discuss it with your team: the policy only works if employees see themselves in it. Ask for feedback, incorporate it, and formalise the result.
  • Step 5 — Communicate and embed: distribute the policy, add it to your onboarding materials, and schedule a first review in six months.

Common mistakes in AI policies

  • Too vague: 'use AI responsibly' says nothing. Give concrete examples of what is and isn't allowed.
  • Only prohibitions, no guidance: employees then stop telling you what they do rather than stop doing it. Policy works better when you also show how to do things well.
  • Written once, never updated: AI tools change rapidly. A policy two years old is already out of date.
  • Legal language only, no practical clarity: if your employees don't understand it, they won't follow it. Write in plain language.
  • Treating privacy and AI separately: GDPR and your AI policy are directly linked. Combine them or make them explicitly consistent.

Keeping the policy alive

An AI policy is not a document you create and forget. The pace at which AI tools evolve means your policy needs to be a living document.

Assign an owner — it doesn't need to be a full-time role, but someone has to put the six-monthly review on the agenda. In larger organisations this grows into an AI coordinator or a designated person within IT or compliance.

Keep a simple list of approved tools, including what they're approved for and which DPAs are in place. That list also doubles as the 'AI register' that the AI Act implicitly expects.

And remember: the goal is not a perfect document. The goal is a team that works with AI consciously and safely — and projects that confidence to clients.

Key takeaways

  • An AI policy doesn't need to be long — two to four pages with clear rules is enough for most SMEs.
  • Banning personal data from public AI tools is the most critical gap in the majority of businesses.
  • The AI Act already mandates AI literacy; an internal policy is the practical way to meet that requirement.
  • Involve employees in writing the policy — top-down mandates don't get followed.
  • Schedule a review after six months: AI tools change fast and your policy needs to keep up.
Written by

Tom Mekenkamp

AI consultant & founder of truck8.ai

15+ years leading transformations at AB-InBev, Royal BAM and beyond — now building AI products and helping SMEs implement AI.

Ready to tackle AI strategy and policy together?

In the boardroom workshop you'll spend one day building a concrete AI strategy for your organisation — including the conditions, responsibilities, and first steps for a working AI use policy.