Is this template enough on its own to be compliant?

No. The template is a starting point that gives you a defensible structure, but it has to be adapted to your organisation, signed off by your legal adviser or DPO, and supported by training, an approval workflow and an incident log. A document on a shared drive that nobody has read is not a control. Treat the template as the skeleton of your governance: real compliance comes from the named owners, the live tool list, the DPIA process and the board sign-off that surrounds it.

Do we really need a DPIA for everyday tools like ChatGPT or Copilot?

If staff use those tools with personal or commercially sensitive data at any scale, yes. A DPIA is required before deploying AI that processes personal data at scale, involves profiling or supports significant decisions about people. For general assistants the practical answer is to restrict the tools to public or internal data only by policy, and require a DPIA the moment anyone wants to extend that scope. That keeps the burden proportionate while still satisfying UK GDPR.

Who should own the AI governance policy day to day?

The policy needs a single named owner at senior level, supported by an AI Steering Committee that reports to the board. The Data Protection Officer covers GDPR and DPIAs, IT covers security and vendor review, and AI Champions in each department handle practical issues. Line managers enforce day-to-day compliance. Avoid leaving ownership with a committee alone; a committee can review, but only an individual can be called when something goes wrong at half past six on a Friday.

How quickly do we have to report an AI incident?

Every AI incident must be reported within 24 hours of discovery. Critical incidents involving financial loss, data breach or an unlawful automated decision go straight to the DPO, senior leadership and legal on the same day. Significant incidents such as an unapproved tool being used with client data go to the AI Champion and IT within 24 hours. Minor near-misses are logged and reported within 48 hours. Reporting timelines are written into the policy so staff do not have to invent a route under pressure.

How often should the policy be reviewed?

At least annually, and sooner if a regulatory, incident or technology trigger fires. New ICO guidance or [EU AI Act](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689) changes count as regulatory triggers. Any Severity 1 or 2 incident that reveals a policy gap counts as an incident trigger. A new AI capability, a new vendor class, or AI moving into a new business function counts as a technology trigger. Most UK organisations should expect at least one trigger event per quarter in the current regulatory cycle, so plan capacity for it.

Governance & Strategy · for leaders & councils

AI Governance Policy Template for UK Organisations

An AI governance policy is the formal document that sets the rules, responsibilities and controls for AI use across your organisation. This template gives UK organisations eight core sections covering scope, principles, approved tools, GDPR compliance, accountability roles, incident response, breach consequences and review cycles. It is written to be readable, board-friendly and adaptable, and is intended to sit alongside an acceptable use policy, staff training and a risk register.

Why a written policy is the floor, not the ceiling

Most UK organisations already use AI tools daily, often without a single written rule about how. ChatGPT, Microsoft Copilot, Claude and dozens of embedded AI features inside existing software are in active use across HR, finance, marketing and operations. Without a governance policy you cannot tell an auditor what is allowed, you cannot demonstrate Article 22 oversight, and you cannot fairly discipline a member of staff who pastes client data into a public chatbot.

This template is the floor. It is a Version 1.3 document, last reviewed in February 2026, intended to be adapted with your real internal roles, approval routes and approved tool list. It does not constitute legal advice and should be signed off by your legal adviser, compliance lead or Data Protection Officer before formal adoption.

Section 1: Policy purpose and scope

An AI Governance Policy is a formal organisational document that sets the rules, responsibilities and controls for AI use. It applies to every employee, contractor and third-party supplier who uses, develops, procures or oversees AI systems on behalf of the organisation.

The scope needs to be specific so that staff know what counts as AI for the purposes of the policy and what does not.

In scope: general AI assistants, machine learning tools, automated decision support, AI-powered software, APIs, internal AI tools and third-party AI services.
Out of scope: basic macros, scheduled rules and standard rule-based software that does not learn, infer, generate or adapt using AI techniques.

Section 2: Core governance principles

Six principles sit at the head of the policy. Each one becomes the test you apply when a new tool, use case or supplier is proposed.

Accountability: all AI use is traceable to a named individual or team.
Transparency: staff, clients and users are informed where appropriate.
Data minimisation: only the minimum data needed for the stated purpose is used.
Human oversight: AI recommendations are inputs, not final decisions.
Fairness: bias risks are assessed and adverse outcomes reviewed.
Security: AI tools must meet the same security standards as other systems.

Section 3: Approved tools and authorisation

Only AI tools that have completed the organisational approval process may be used for business purposes. Use of an unapproved AI tool for work is treated as a policy breach. To request approval for a new AI tool, staff submit an AI Tool Approval Request to the nominated governance owner. A DPIA is required where personal data is processed at scale or where the use case creates material risk to individuals.

Tool category	Examples	Approval level required	Data classification restriction
General AI assistants	ChatGPT, Microsoft Copilot, Claude	IT Manager + DPO	Public or internal data only. No personal, confidential or commercially sensitive data unless explicitly approved.
HR and recruitment AI	CV screening tools, interview scoring	HR Director + DPO + Legal	Strict minimisation. Bias assessment required before deployment.
Customer-facing AI	Chatbots, automated email, recommendation engines	Operations Director + DPO + Board	Human escalation path mandatory. Article 22 and transparency review required.
Financial AI	Fraud detection, forecasting, expense automation	Finance Director + IT + DPO	Audit trail required for all AI-informed decisions.
Content creation AI	Copywriting, image generation, translation	Department Head	No client, confidential or commercially sensitive information unless formally approved.

Section 4: Data protection and GDPR compliance

All AI use must comply with UK GDPR and the Data Protection Act 2018. Where AI processes personal data, lawful basis, data subject rights, DPIA triggers and processor obligations must be addressed before deployment.

Practically that means four checks before any tool with personal data goes live.

Lawful basis: identify and document the basis before personal data enters the system; legitimate interests assessments are required where consent is not used.
Data subject rights: individuals can request review, explanation and human intervention where AI-informed processing affects them.
DPIA requirement: complete a DPIA before deploying systems that process personal data at scale, involve profiling or support significant decisions.
Third-party processors: AI vendors handling personal data must sign a DPA, and any non-UK transfer position must be reviewed and documented.

Section 5: Governance structure and accountability

Roles and escalation routes are written into the policy so that nobody is left guessing who owns a question. Replace the role names with your own structure before adoption.

Role	Responsibilities	Escalation path
AI Steering Committee	Strategic oversight, approval of high-risk AI deployments, quarterly performance and risk review.	Reports to Board
Data Protection Officer	GDPR compliance, DPIAs, data rights and regulatory liaison.	ICO where required
IT / Information Security	Security assessment, access control, vendor review and AI-related incident response.	CTO / Operations Director
AI Champions	Department liaison, staff support, issue reporting and practical AI feedback.	Department Head
Line Managers	Ensure staff use approved AI tools and follow policy.	Department Head
All Staff	Use approved tools only, report incidents, complete training and follow data rules.	Line Manager / AI Champion

Section 6: AI incident response

An AI incident is any event where an AI system causes harm, creates a significant error, is used outside policy boundaries or creates a data protection concern. Every incident must be reported within 24 hours of discovery. Three severity levels are defined so that staff know what to do without waiting for a meeting.

Severity 1, Critical: financial loss, data breach, unlawful automated decision or major reputational damage. Immediate escalation to DPO, senior leadership and legal.
Severity 2, Significant: incorrect business decision, unapproved tool used with client data or suspected bias issue. Report to AI Champion and IT within 24 hours.
Severity 3, Minor: inaccurate output caught before use, near-miss or policy clarification issue. Log and report within 48 hours.

Section 7: Compliance and consequences

Compliance is mandatory. Response depends on the seriousness of the breach, the data involved and whether the action was deliberate. The policy spells out the consequence for each category so that HR can apply it consistently.

Breach type	Example	Consequence
Minor	Using an approved tool outside its permitted data scope	Guidance, retraining, added oversight
Significant	Using an unapproved AI tool for work purposes	Formal warning, mandatory retraining
Serious	Entering personal or client data into a non-approved tool	Disciplinary action and possible regulatory review
Critical	Deliberate misuse to bypass controls	Termination and legal escalation where applicable

Section 8: Policy review and document control

The policy is reviewed at least annually, or sooner where regulation, organisational AI use or technology changes materially. Three trigger types prompt an immediate review: a regulatory trigger such as new ICO guidance or EU AI Act changes, an incident trigger from any Severity 1 or 2 event that reveals a policy gap, and a technology trigger such as a new AI capability, vendor class or AI moving into a new business function.

Version control is part of the document. The current template is Version 1.3 (February 2026), updating earlier versions that added EU AI Act references, DPIA triggers and the AI Champions role.

What you usually need to adapt before adoption

This template works best when adapted with your real internal roles, approval routes, approved tools and disciplinary framework. It should sit alongside staff training, an AI tool approval workflow, incident logging and a board-approved governance structure.

Roles and names: replace placeholders with your actual governance roles, named owners and escalation routes.
Approved tools: insert your real AI tool list, data classifications and usage boundaries.
HR linkage: align consequences with your HR policy, acceptable use policy and security policy.

Take the next step

Want help applying this to your organisation? Use the resource below or book a 30 minute strategy call with Simon — no pitch, just practical advice.

Frequently asked questions

Related resources

Governance & Strategy

Find Out Where AI Can Save or Generate Money in Your Organisation

Book a free 30-minute call with Simon. Bring a real problem — staff time, governance worry, vendor proposal, failing pilot — and leave with a concrete first step you can take next week.

07973 210 895