How to Write an AI Policy for Your Organisation (2026 Template)
TL;DR
This article is for HR directors, legal teams, COOs, and IT leads who need to create or update an AI policy ahead of the EU AI Act full applicability deadline on August 2, 2026. It provides a complete template outline covering acceptable use, prohibited uses, GDPR-aligned data handling, human oversight requirements, incident response, and training obligations. The article is timely because EU AI Act compliance for high-risk AI systems becomes mandatory in August 2026 and most European organisations remain underprepared.
By August 2, 2026, the EU AI Act applies in full to high-risk AI systems — meaning your organisation can face fines of up to €40 million or 7% of global annual turnover for prohibited practices. Most organisations are not ready: a 2025 survey found fewer than 30% of European enterprises had a formal AI policy in place despite deploying AI tools daily across departments.
An AI policy defines who can use AI, what they can use it for, what is forbidden, and what happens when something goes wrong. Without one, your legal, operational, and reputational exposure is real — and as of August 2026, potentially quantified by a regulator.
This article gives you a complete template outline for your AI policy, with the compliance logic behind each section.
The Cost of Operating Without an AI Policy
Three things happen inside every organisation that lacks an AI policy:
Shadow AI proliferates. Employees use ChatGPT, Gemini, Copilot, and other tools without guidance, submitting customer data, financial records, and proprietary source code to systems your legal team has never reviewed.
Liability is unassigned. When an AI-assisted decision causes harm — a biased hiring recommendation, an erroneous customer communication, a compliance gap — no one knows who is accountable.
Regulatory exposure compounds. The EU AI Act requires providers and deployers of high-risk AI to maintain documentation, conduct conformity assessments, and implement human oversight. Deployers without a policy cannot demonstrate these controls.
The financial stakes are specific. Article 5 violations (deploying prohibited AI practices) carry fines up to €40 million or 7% of worldwide annual turnover. Violations of transparency and human oversight requirements (Articles 13–14) carry fines up to €15 million or 3% of turnover. The European AI Office began active investigations in 2025 and enforcement is escalating in 2026.
What Your AI Policy Must Cover: A Template Outline
Use this structure as the backbone of your policy. Each section maps to a specific legal or operational requirement.
Section 1: Scope and Purpose
Define which tools, teams, and use cases the policy covers. Be specific.
Template language: This policy applies to all employees, contractors, and third parties who use artificial intelligence tools in connection with [Organisation Name]'s business operations. It covers all AI systems regardless of whether they were procured centrally or adopted by individual departments.
Section 2: AI Risk Classification
Under the EU AI Act, every AI system your organisation deploys falls into one of four risk tiers: unacceptable risk (banned), high risk (strict requirements), limited risk (transparency obligations), or minimal risk (no specific obligations).
Map your current tools to these categories before writing the rest of the policy. High-risk use cases in most organisations include AI used in recruitment and HR decisions, credit assessment, and customer service systems that influence access to services.
| Risk Tier | Examples | Required Controls |
|---|---|---|
| Unacceptable | Biometric mass surveillance, social scoring | Prohibited — do not deploy |
| High | AI in hiring, credit, safety-critical systems | Conformity assessment, human oversight, audit logs |
| Limited | Chatbots, AI-generated content | Disclosure to end users |
| Minimal | Spam filters, basic recommendations | No specific obligations |
Section 3: Acceptable Use Rules
State clearly what employees are permitted to do. Frame this positively before moving to prohibitions.
Examples of acceptable use:
- Drafting internal documents, with human review before distribution
- Summarising meeting transcripts and notes
- Generating code, with mandatory peer review before deployment
- Analysing public datasets for market research
Section 4: Prohibited Uses
Make this section specific — vague prohibitions are unenforceable and provide no legal protection.
Prohibited uses must include:
- Submitting personally identifiable information, health data, or financial records to external AI systems not covered by an approved data processing agreement
- Using AI to generate content designed to deceive: deepfakes, impersonation, fraudulent communications
- Making consequential decisions — hiring, termination, credit approval, contract award — based solely on AI output without documented human review
- Using AI tools to circumvent security controls or conduct vulnerability research without explicit written authorisation
- Training external AI models on company proprietary data without legal review and contractual permission
Section 5: Data Handling and GDPR Alignment
Any AI system processing personal data of EU residents must comply with GDPR. The obligations your policy must address:
- Lawful basis: identify the legal basis for processing personal data through each AI system (consent, legitimate interest, contractual necessity)
- Data minimisation: AI prompts must not include more personal data than the task requires
- Data subject rights: if AI is used in automated decision-making, data subjects have the right to an explanation — both under GDPR Article 22 and EU AI Act Article 86
- Data processing agreements: all third-party AI providers must sign a DPA before your employees use their services with company or customer data
Key insight: The EU AI Act's explanation right for high-risk AI decisions extends beyond GDPR's Article 22. It applies even when a human participated in the decision — not only to fully automated outcomes. This means a human-reviewed hiring recommendation based on an AI score still requires an explainability mechanism.
Section 6: Human Oversight Requirements
High-risk AI systems require documented human oversight. Your policy must define:
- Which roles are responsible for reviewing AI outputs before consequential actions are taken
- What training those reviewers must complete — the EU AI Act (Article 14) requires that oversight personnel genuinely understand the system's outputs and can identify errors and biases
- How reviewers document their assessment and decision (the audit trail a regulator will ask to see)
- Under what conditions an AI-assisted decision is escalated to senior review
Human oversight is not a signature on a form. Reviewers must have the practical capacity to override the AI recommendation and must have been trained to understand when and why to do so.
Section 7: Incident Response
Define what constitutes an AI incident and what happens when one occurs.
Categories to include:
- Data exposure: company or customer data submitted to an unauthorised or unapproved AI system
- Harmful output: AI generates content that is discriminatory, illegal, or causes harm to a third party
- Decision error: an AI-assisted decision is found to be materially wrong after implementation
Template response timeline:
- Employee reports incident to IT and legal within 1 hour of discovery
- IT triages and contains within 4 hours, revoking tool access if necessary
- Legal assesses regulatory notification obligations within 24 hours (if personal data is involved, GDPR requires notifying the supervisory authority within 72 hours of becoming aware of the breach)
- Root cause analysis completed within 5 business days
- Policy updated if a coverage gap is identified
Section 8: Training Obligations
The EU AI Act requires ongoing training for personnel working with high-risk AI. Your policy should mandate:
- Annual AI literacy training for all employees covering the policy, tool classification, and reporting obligations
- Role-specific training for personnel who use or oversee high-risk AI systems — depth determined by the risk level of the specific system
- Documented acknowledgment that employees have read and understood the current version of the AI policy, retained for audit purposes
Section 9: Review and Governance
AI policy is not a one-time document. Define:
- Who owns the policy (typically: legal or compliance, IT, and one business-unit representative forming a small AI governance committee)
- Review cadence: at minimum when new regulations take effect, when new AI tools are adopted, or when an incident reveals a policy gap
- Where the policy is published internally and how updates are communicated and re-acknowledged
How AgentWorks Enforces Your AI Policy Through Guardrails and Audit Logs
Writing an AI policy is the first step. Enforcing it across a distributed organisation is the operational challenge most leadership teams underestimate.
When employees use AI tools individually, policy documents do not prevent data exposure — they only assign accountability after the fact. Centralising AI usage through a governed platform gives your compliance and IT teams actual enforcement capability, not just paper compliance.
AgentWorks enforces AI policy through three mechanisms:
Agent guardrails: every AI agent deployed on the platform is configured with tool access controls, data scope limits, and output filters. An HR agent can be restricted from accessing financial data. A customer-facing agent can be configured to escalate any output that falls outside pre-approved content categories before it reaches the customer.
Centralised audit logs: every agent interaction — inputs, outputs, tool calls, and decisions — is logged with timestamps, user attribution, and session context. When a regulator asks for evidence of human oversight, your audit log is the answer. When an AI-assisted decision is challenged, the log shows exactly what the agent produced and what the human reviewer decided.
LLM-agnostic deployment: because AgentWorks routes across multiple AI providers rather than locking you into one, you can enforce data residency requirements and direct sensitive workloads to EU-hosted models — without rebuilding your agent infrastructure each time you switch providers. Learn more about multi-model routing on AgentWorks.
Rolling Out Your AI Policy: Implementation Steps
- Inventory: list all AI tools currently in use across all departments, including tools adopted by individuals outside IT procurement
- Classify: map each tool to EU AI Act risk tiers — engage legal on any tool used in HR decisions, credit, or public-facing decision-making
- Draft: use the template outline above; require review from legal, IT, and one business representative before finalising
- Train: roll out mandatory training before the policy takes effect and document completion per employee
- Enforce: implement technical controls — an approved tool list, SSO for AI platforms, audit logging — alongside the written policy
- Review: schedule a policy review when the European AI Office publishes updated guidance (multiple implementing acts are expected Q2–Q4 2026)
Organisations that have completed this process report six to ten weeks from inventory to policy launch when governance is treated as a coordinated project rather than a legal team side task.
EU AI Act and GDPR: What Becomes Enforceable in August 2026
The EU AI Act reaches full applicability for high-risk AI systems on August 2, 2026. Obligations that become enforceable on that date:
- Complete conformity assessments for all high-risk AI systems
- Registration in the EU AI Act database for applicable systems
- Quality management system documentation
- Post-market monitoring plans with defined metrics
- Transparency disclosures for AI-generated content (Article 50)
The European AI Office will publish guidelines on high-risk classification and transparency requirements in Q2 2026. Organisations with their AI policy and governance structure in place before that date will adapt quickly. Those beginning from scratch after August 2026 will face immediate compliance gaps and the regulatory scrutiny that follows.
Frequently Asked Questions
What is the difference between an AI policy and an AI acceptable use policy? An AI policy is the broader governance document covering risk classification, human oversight requirements, incident response, and governance structure. An acceptable use policy (AUP) is one section within it — specifically the rules about what employees can and cannot do with AI tools. A complete AI policy contains the AUP plus the compliance, training, and governance framework that makes enforcement possible.
Does every European organisation need an AI policy? If your organisation deploys any AI system that falls into the EU AI Act's high-risk category — which includes most AI used in hiring, customer onboarding, and credit decisions — a formal AI policy with documented human oversight is a legal requirement. For organisations using only minimal-risk AI, a policy is still best practice for managing GDPR liability and employee accountability.
How often should an AI policy be updated? At minimum: annually, when a significant regulation takes effect, when a new AI tool is adopted, or when an incident reveals a gap. Given the volume of EU AI Act implementing acts expected in 2026, most organisations should plan for at least one mid-year review cycle.
What happens if an employee violates the AI policy? The policy must specify consequences: typically a formal warning for first violations, escalation for repeat violations, and immediate investigation with potential termination for violations that cause data exposure or regulatory breaches. Inconsistent enforcement creates employment law risk, so document violations and responses systematically.
Can AI tools process employee data under the EU AI Act? AI tools used in employment decisions — performance evaluation, scheduling, promotion recommendations — are classified as high risk under the EU AI Act. They require a conformity assessment, transparency disclosures to the employee, and documented human oversight of any consequential decision. Under GDPR, employees also have the right to request human review of automated employment decisions.
What to Do Next
A written AI policy without technical enforcement is a paper exercise. If your organisation is deploying AI agents across departments, the fastest path to genuine compliance is centralising those agents on a governed platform where guardrails, audit logging, and LLM routing are built into the infrastructure — not bolted on as an afterthought.
Start with a free AgentWorks trial to see how policy enforcement works in practice, or review our compliance documentation for a detailed mapping of AgentWorks capabilities to EU AI Act requirements.
About the author
Erwin Berkouwer · Founder, AgentWorks
Erwin Berkouwer is the founder of AgentWorks — an AI agent platform purpose-built for European teams that need EU AI Act-ready governance, multi-LLM choice across OpenAI, Anthropic, Google and Mistral, and transparent per-token € pricing.