Skip to main content

Governance & Strategy · for leaders & councils

AI Governance Policy Template for UK Organisations

An AI governance policy is the formal document that sets the rules, responsibilities and controls for AI use across your organisation. This template gives UK organisations eight core sections covering scope, principles, approved tools, GDPR compliance, accountability roles, incident response, breach consequences and review cycles. It is written to be readable, board-friendly and adaptable, and is intended to sit alongside an acceptable use policy, staff training and a risk register.

Why a written policy is the floor, not the ceiling

Most UK organisations already use AI tools daily, often without a single written rule about how. ChatGPT, Microsoft Copilot, Claude and dozens of embedded AI features inside existing software are in active use across HR, finance, marketing and operations. Without a governance policy you cannot tell an auditor what is allowed, you cannot demonstrate Article 22 oversight, and you cannot fairly discipline a member of staff who pastes client data into a public chatbot.

This template is the floor. It is a Version 1.3 document, last reviewed in February 2026, intended to be adapted with your real internal roles, approval routes and approved tool list. It does not constitute legal advice and should be signed off by your legal adviser, compliance lead or Data Protection Officer before formal adoption.

Section 1: Policy purpose and scope

An AI Governance Policy is a formal organisational document that sets the rules, responsibilities and controls for AI use. It applies to every employee, contractor and third-party supplier who uses, develops, procures or oversees AI systems on behalf of the organisation.

The scope needs to be specific so that staff know what counts as AI for the purposes of the policy and what does not.

  • In scope: general AI assistants, machine learning tools, automated decision support, AI-powered software, APIs, internal AI tools and third-party AI services.
  • Out of scope: basic macros, scheduled rules and standard rule-based software that does not learn, infer, generate or adapt using AI techniques.

Section 2: Core governance principles

Six principles sit at the head of the policy. Each one becomes the test you apply when a new tool, use case or supplier is proposed.

  • Accountability: all AI use is traceable to a named individual or team.
  • Transparency: staff, clients and users are informed where appropriate.
  • Data minimisation: only the minimum data needed for the stated purpose is used.
  • Human oversight: AI recommendations are inputs, not final decisions.
  • Fairness: bias risks are assessed and adverse outcomes reviewed.
  • Security: AI tools must meet the same security standards as other systems.

Section 3: Approved tools and authorisation

Only AI tools that have completed the organisational approval process may be used for business purposes. Use of an unapproved AI tool for work is treated as a policy breach. To request approval for a new AI tool, staff submit an AI Tool Approval Request to the nominated governance owner. A DPIA is required where personal data is processed at scale or where the use case creates material risk to individuals.

Tool categoryExamplesApproval level requiredData classification restriction
General AI assistantsChatGPT, Microsoft Copilot, ClaudeIT Manager + DPOPublic or internal data only. No personal, confidential or commercially sensitive data unless explicitly approved.
HR and recruitment AICV screening tools, interview scoringHR Director + DPO + LegalStrict minimisation. Bias assessment required before deployment.
Customer-facing AIChatbots, automated email, recommendation enginesOperations Director + DPO + BoardHuman escalation path mandatory. Article 22 and transparency review required.
Financial AIFraud detection, forecasting, expense automationFinance Director + IT + DPOAudit trail required for all AI-informed decisions.
Content creation AICopywriting, image generation, translationDepartment HeadNo client, confidential or commercially sensitive information unless formally approved.

Section 4: Data protection and GDPR compliance

All AI use must comply with UK GDPR and the Data Protection Act 2018. Where AI processes personal data, lawful basis, data subject rights, DPIA triggers and processor obligations must be addressed before deployment.

Practically that means four checks before any tool with personal data goes live.

  • Lawful basis: identify and document the basis before personal data enters the system; legitimate interests assessments are required where consent is not used.
  • Data subject rights: individuals can request review, explanation and human intervention where AI-informed processing affects them.
  • DPIA requirement: complete a DPIA before deploying systems that process personal data at scale, involve profiling or support significant decisions.
  • Third-party processors: AI vendors handling personal data must sign a DPA, and any non-UK transfer position must be reviewed and documented.

Section 5: Governance structure and accountability

Roles and escalation routes are written into the policy so that nobody is left guessing who owns a question. Replace the role names with your own structure before adoption.

RoleResponsibilitiesEscalation path
AI Steering CommitteeStrategic oversight, approval of high-risk AI deployments, quarterly performance and risk review.Reports to Board
Data Protection OfficerGDPR compliance, DPIAs, data rights and regulatory liaison.ICO where required
IT / Information SecuritySecurity assessment, access control, vendor review and AI-related incident response.CTO / Operations Director
AI ChampionsDepartment liaison, staff support, issue reporting and practical AI feedback.Department Head
Line ManagersEnsure staff use approved AI tools and follow policy.Department Head
All StaffUse approved tools only, report incidents, complete training and follow data rules.Line Manager / AI Champion

Section 6: AI incident response

An AI incident is any event where an AI system causes harm, creates a significant error, is used outside policy boundaries or creates a data protection concern. Every incident must be reported within 24 hours of discovery. Three severity levels are defined so that staff know what to do without waiting for a meeting.

  • Severity 1, Critical: financial loss, data breach, unlawful automated decision or major reputational damage. Immediate escalation to DPO, senior leadership and legal.
  • Severity 2, Significant: incorrect business decision, unapproved tool used with client data or suspected bias issue. Report to AI Champion and IT within 24 hours.
  • Severity 3, Minor: inaccurate output caught before use, near-miss or policy clarification issue. Log and report within 48 hours.

Section 7: Compliance and consequences

Compliance is mandatory. Response depends on the seriousness of the breach, the data involved and whether the action was deliberate. The policy spells out the consequence for each category so that HR can apply it consistently.

Breach typeExampleConsequence
MinorUsing an approved tool outside its permitted data scopeGuidance, retraining, added oversight
SignificantUsing an unapproved AI tool for work purposesFormal warning, mandatory retraining
SeriousEntering personal or client data into a non-approved toolDisciplinary action and possible regulatory review
CriticalDeliberate misuse to bypass controlsTermination and legal escalation where applicable

Section 8: Policy review and document control

The policy is reviewed at least annually, or sooner where regulation, organisational AI use or technology changes materially. Three trigger types prompt an immediate review: a regulatory trigger such as new ICO guidance or EU AI Act changes, an incident trigger from any Severity 1 or 2 event that reveals a policy gap, and a technology trigger such as a new AI capability, vendor class or AI moving into a new business function.

Version control is part of the document. The current template is Version 1.3 (February 2026), updating earlier versions that added EU AI Act references, DPIA triggers and the AI Champions role.

What you usually need to adapt before adoption

This template works best when adapted with your real internal roles, approval routes, approved tools and disciplinary framework. It should sit alongside staff training, an AI tool approval workflow, incident logging and a board-approved governance structure.

  • Roles and names: replace placeholders with your actual governance roles, named owners and escalation routes.
  • Approved tools: insert your real AI tool list, data classifications and usage boundaries.
  • HR linkage: align consequences with your HR policy, acceptable use policy and security policy.

Take the next step

Want help applying this to your organisation? Use the resource below or book a 30 minute strategy call with Simon — no pitch, just practical advice.

Frequently asked questions

No. The template is a starting point that gives you a defensible structure, but it has to be adapted to your organisation, signed off by your legal adviser or DPO, and supported by training, an approval workflow and an incident log. A document on a shared drive that nobody has read is not a control. Treat the template as the skeleton of your governance: real compliance comes from the named owners, the live tool list, the DPIA process and the board sign-off that surrounds it.

If staff use those tools with personal or commercially sensitive data at any scale, yes. A DPIA is required before deploying AI that processes personal data at scale, involves profiling or supports significant decisions about people. For general assistants the practical answer is to restrict the tools to public or internal data only by policy, and require a DPIA the moment anyone wants to extend that scope. That keeps the burden proportionate while still satisfying UK GDPR.

The policy needs a single named owner at senior level, supported by an AI Steering Committee that reports to the board. The Data Protection Officer covers GDPR and DPIAs, IT covers security and vendor review, and AI Champions in each department handle practical issues. Line managers enforce day-to-day compliance. Avoid leaving ownership with a committee alone; a committee can review, but only an individual can be called when something goes wrong at half past six on a Friday.

Every AI incident must be reported within 24 hours of discovery. Critical incidents involving financial loss, data breach or an unlawful automated decision go straight to the DPO, senior leadership and legal on the same day. Significant incidents such as an unapproved tool being used with client data go to the AI Champion and IT within 24 hours. Minor near-misses are logged and reported within 48 hours. Reporting timelines are written into the policy so staff do not have to invent a route under pressure.

At least annually, and sooner if a regulatory, incident or technology trigger fires. New ICO guidance or EU AI Act changes count as regulatory triggers. Any Severity 1 or 2 incident that reveals a policy gap counts as an incident trigger. A new AI capability, a new vendor class, or AI moving into a new business function counts as a technology trigger. Most UK organisations should expect at least one trigger event per quarter in the current regulatory cycle, so plan capacity for it.

Related resources

Governance & Strategy

AI Governance & Risk

Your staff are using AI tools today whether a governance policy exists or not. Without one, you have no visibility of what data enters those systems, no legal protection by default, and nothing to hand an ICO investigator. This page covers what a framework actually requires.

Governance & Strategy

Staff AI Use Policy

A practical UK Staff AI Acceptable Use Policy template covering permitted uses, prohibited actions, data classifications, verification and reporting.

Governance & Strategy

Minimum AI Policy Set

The five governance documents every UK SME and council needs before scaling AI: acceptable use, data protection, vendor evaluation, incidents, register.

Executive Resources

Quarterly AI Board Report

Simon writes these for UK clients every quarter. Most boards have been receiving AI updates without being asked to decide anything. The distinguishing feature of this format is the board ask that closes every report - something the board is being asked to approve, direct, or formally note. This guide explains the structure.

Governance & Strategy

Council AI Governance Now

What UK council leaders need in place before any AI deployment: register, policy, accountability, training. Practical guidance from a Fractional AI Director.

Governance & Strategy

AI Risk Register Structure

A practical AI risk register structure UK leaders can maintain: six categories, seven fields and a minimum viable register that survives audit.

Governance & Strategy

EU AI Act: Board Action Now

UK boards often assume they fall outside EU AI Act scope. That assumption is frequently wrong. If you use AI in hiring, credit scoring, or public-sector decisions, you're likely operating a high-risk system - with fines up to 7% of global turnover.

Governance & Strategy

Audit Your AI Suppliers

A board-level checklist for auditing AI inside the platforms you already buy. Six questions every UK SME and council should put to suppliers in writing.

Executive Resources

AI Strategy Framework

The gap Simon finds most often at the start of a new engagement isn't budget or technology. It's the absence of a written strategy - a document the board has approved and that says what AI is supposed to achieve commercially. This is the framework he uses to produce that document, and it starts with the commercial case.

Governance & Strategy

Shadow AI Risk

68% of UK organisations have staff using unauthorised AI. The GDPR exposure, why blanket bans fail, and three actions you can take this week.

Governance & Strategy

UK AI Security Institute (AISI)

What the UK AI Security Institute does, who runs it, the £66m budget, and the practical implications for any UK organisation now deploying AI.

Governance & Strategy

Board-Level AI Policy Contents

The six elements a board-level AI policy must contain: scope, accountability, permitted use, risk classification, incident response and a real review cycle.

Find Out Where AI Can Save or Generate Money in Your Organisation

Book a free 30-minute call with Simon. Bring a real problem - staff time, governance worry, vendor proposal, failing pilot - and leave with a concrete first step you can take next week.

Call