AI Governance Policy Template
A practical, editable AI governance policy for UK organisations. Adapt this template to your specific context, sector, and regulatory obligations.
This is a template document. It must be reviewed by your legal counsel or data protection officer before formal adoption. It does not constitute legal advice.
1. Policy Purpose & Scope
An AI Governance Policy is a formal organisational document that establishes the principles, rules, accountability structures, and compliance requirements governing the use of artificial intelligence tools and systems across the organisation.
This policy applies to: all employees, contractors, and third-party suppliers who use, develop, procure, or oversee AI systems on behalf of [Organisation Name]. It covers all AI tools, whether commercially purchased, open-source, internally developed, or accessed as a service.
In Scope
All AI tools used for business purposes. Automated decision-making systems. Machine learning models. AI-powered software (writing, analysis, customer service, HR). Third-party AI services accessed via API.
Out of Scope
Basic automation (macros, scheduled tasks) that does not use machine learning. Standard rule-based software that follows explicit programmed logic without learning capability.
2. Core Governance Principles
[Organisation Name] commits to using AI in accordance with the following governance principles:
Accountability
All AI use is traceable to a named individual or team. Automated decisions that affect individuals have a designated human accountable party.
Transparency
Staff are informed when AI tools are used in processes that affect them. Clients and customers are informed when AI is used to make or inform decisions about them.
Data Minimisation
Only the minimum data necessary for a defined AI purpose is used. Personal data is not shared with AI tools beyond what is required for the stated purpose.
Human Oversight
Significant decisions affecting individuals, finances, or safety are reviewed by a human before action is taken. AI recommendations are treated as inputs, not conclusions.
Fairness
AI systems used in HR, customer-facing, or public-sector contexts are assessed for algorithmic bias. Adverse outcomes are investigated and corrected promptly.
Security
AI tools are subject to the same information security standards as other organisational systems. Confidential data is never entered into unsanctioned AI tools.
3. Approved AI Tools & Authorisation Process
Only AI tools that have completed the organisational approval process may be used for business purposes. The use of unapproved AI tools constitutes a policy breach.
| Tool Category | Examples | Approval Level Required | Data Classification Restriction |
|---|---|---|---|
| General AI Assistants | ChatGPT, Microsoft Copilot, Claude | IT Manager + DPO | Public or Internal data only — no personal, confidential, or commercially sensitive data |
| HR & Recruitment AI | CV screening tools, interview scoring | HR Director + DPO + Legal | Strict data minimisation. Bias assessment required before deployment. |
| Customer-Facing AI | Chatbots, automated email, recommendation engines | Operations Director + DPO + Board | GDPR Article 22 compliance required. Human escalation path mandatory. |
| Financial AI | Fraud detection, forecasting, expense automation | Finance Director + IT + DPO | Financial data only. Audit trail required for all AI-informed decisions. |
| Content Creation AI | Copywriting, image generation, translation | Department Head | No client or confidential information. IP ownership clarified before use. |
To request approval for a new AI tool, submit the AI Tool Approval Request to [IT/Operations]. New tools must complete a security assessment and data protection impact assessment (DPIA) if processing personal data at scale.
4. Data Protection & GDPR Compliance
All AI use must comply with UK GDPR and the Data Protection Act 2018. The following requirements apply to all AI deployments involving personal data:
5. Governance Structure & Accountability
| Role | Responsibilities | Escalation Path |
|---|---|---|
| AI Steering Committee | Strategic oversight of AI programme. Approves high-risk AI deployments. Reviews AI performance quarterly. | Reports to Board |
| Data Protection Officer | GDPR compliance for all AI data processing. Reviews DPIAs. Responds to data subject requests related to AI. | Regulatory authority (ICO) |
| IT / Information Security | AI tool security assessment. Access control. Incident response for AI-related security events. | CTO / Operations Director |
| AI Champions | Departmental AI liaison. Supports staff with AI tool use. Reports issues and best practices to Steering Committee. | Department Head |
| Line Managers | Ensure team members use only approved AI tools. Report policy breaches. Support AI literacy and training. | Department Head |
| All Staff | Use only approved AI tools. Report concerns or incidents. Complete mandatory AI awareness training. | Line Manager / AI Champion |
6. AI Incident Response
An AI incident is any event where an AI system causes harm, produces a significant error, is used outside policy boundaries, or raises a data protection concern. All AI incidents must be reported within 24 hours of discovery.
Severity 1 — Critical
AI-caused financial loss, data breach, unlawful automated decision, or reputational damage. Immediate escalation to DPO, senior management, and legal counsel.
Severity 2 — Significant
AI output caused incorrect business decision. Unapproved AI tool used with client data. Suspected bias in AI output. Report to AI Champion and IT within 24 hours.
Severity 3 — Minor
AI produced inaccurate output that was caught before use. Policy clarification required. Log in incident register and report to line manager within 48 hours.
7. Policy Compliance & Consequences
Adherence to this policy is mandatory for all individuals within scope. Breaches of this policy may result in the following consequences, depending on severity:
Using unapproved AI tools with confidential, personal, or commercially sensitive data constitutes a serious breach of this policy and may result in disciplinary action up to and including dismissal, in addition to any regulatory consequences under UK GDPR.
| Breach Type | Example | Consequence |
|---|---|---|
| Minor breach | Using an approved tool outside its permitted data scope | Training, written guidance, additional oversight |
| Significant breach | Using an unapproved AI tool for work purposes | Formal written warning, mandatory retraining |
| Serious breach | Entering client personal data into a non-approved AI service | Disciplinary action. Potential regulatory notification. |
| Critical breach | Deliberate misuse of AI to circumvent controls | Termination of employment. Legal action where applicable. |
8. Policy Review & Document Control
This policy is reviewed at minimum annually, or upon material changes to the regulatory environment, AI technology landscape, or organisational AI programme. The following events trigger an immediate review:
Regulatory Trigger
New ICO guidance, EU AI Act updates affecting UK organisations, or sector-specific regulatory changes related to AI use.
Incident Trigger
Any Severity 1 or Severity 2 AI incident that reveals policy gaps or ambiguities requiring immediate clarification.
Technology Trigger
Deployment of a new class of AI system, significant capability change in an approved tool, or introduction of AI into a new business function.
| Version | Date | Changes |
|---|---|---|
| 1.0 | January 2024 | Initial policy published |
| 1.2 | August 2024 | Added EU AI Act references; updated DPIA trigger thresholds; added AI Champions role |
| 1.3 | February 2026 | Updated approved tools categories; revised incident severity definitions; added content creation AI section |
Need Help Implementing AI Governance?
AI-Si can adapt this policy template for your organisation and implement the full governance framework — from policy drafting through to staff training and audit trail setup.
BOOK YOUR FREE AI STRATEGY DISCUSSION NOW