AI Governance

Minimum Policy Set for AI Use

Most organisations do not need a 200-page AI policy framework. They need a working minimum. Something that creates accountability, protects data, and gives staff a clear answer when they ask: “Are we allowed to use this?”

This is what a minimum viable policy set looks like in practice.

The Problem with Doing Nothing

Without baseline governance, you have nothing to measure against. You cannot quantify risk. You cannot train staff consistently. You cannot respond to incidents in a repeatable way. When something goes wrong — and in AI adoption, something always does eventually — you have no framework to fall back on.

The risk of jumping into AI adoption without governance is not theoretical. It includes shadow AI deployment, data leaking through unreviewed tools, compliance gaps under UK GDPR, and reputational exposure if something goes publicly wrong.

The Five Documents You Need First

1. Acceptable Use Policy

Defines what AI tools are permitted, who can use them, and for what purposes. This is the front line of governance. Without it, staff make their own decisions — and those decisions are inconsistent.

2. Data Protection Standards

Sets the rules for how personal data flows through AI systems. Which tools can touch personal data? What consent is required? How is data deleted? This document connects your AI governance to your existing UK GDPR obligations.

3. Vendor Evaluation Framework

A checklist of questions to ask before buying or trialling any AI tool. Covers data residency, model training clauses, security certifications, and exit rights. Without this, procurement decisions are made on demos and sales calls rather than evidence.

4. Incident Reporting Procedures

What happens when an AI system produces a harmful output, leaks data, or causes a compliance issue? This document defines the escalation path, the notification timeline, and the post-incident review process.

5. AI Tool Register

A living inventory of every AI system in use across the organisation. Who owns it, what it does, what data it touches, when it was last reviewed. Without this register, you cannot govern what you cannot see.

What This Minimum Set Gives You

With these five documents in place, three things change. Your team has clarity on what is permitted. Your leadership team has an audit trail for compliance conversations. And accountability sits at the right level — not with whoever happened to sign up for a free trial.

The Full Policy Landscape

The five documents above are the floor. Organisations taking AI seriously — especially those handling personal data, operating in regulated sectors, or pursuing ISO 42001 — will need a broader set. The full recommended policy framework includes:

Complete AI Policy Set

  • Privacy Policy
  • Acceptable Use Policy
  • Vendor Evaluation Policy
  • ISO 42001 Readiness Checklist
  • UK GDPR Compliance Policy
  • Prompt Injection Prevention Policy
  • Data Protection Standards
  • Data Subject Access Request (DSAR) Policy
  • AI Policy
  • Risk Register
  • Investigation Procedure Policy
  • Website Terms and Conditions
  • AI Governance Policy
  • AI Tool Approval Register
  • Deepfakes and Synthetic Media Policy
  • AI Bias Testing and Fairness Framework
  • AI Incident Classification and Reporting Policy

All of these policies are available at www.companypolicies.co.uk

Implementation Timeline

The minimum set does not take months to produce. A focused effort across four weeks is enough:

  • Weeks 1–2: Stakeholder workshops to agree scope and ownership
  • Week 3: Board or leadership sign-off
  • Week 4 onwards: Staff briefing, tool registration, and ongoing review cycle

Next step: Run an AI readiness audit before you draft anything. It tells you which policies are urgent and which can wait — and it stops you over-engineering before you understand your actual risk profile.

Need help building your governance framework?

Simon Steggles works with UK SMEs and councils as a Fractional AI Director. The minimum policy set is usually the starting point.

Book a conversation
