What to Include in Your Organisation's AI Policy: A Board-Level Guide
Published 10 April 2026 · Last reviewed 19 April 2026 · 3 min read · By Simon Steggles, Fractional AI Director

Who this is for: Boards and senior leaders of UK SMEs and councils responsible for signing off an AI policy that will hold up to scrutiny.

TL;DR

An AI policy is not a document you write once and file. It is a governance instrument that defines accountability, manages risk, and protects your organisation. Here is what it must contain to do that job properly.

Key takeaways

  • An AI policy is a governance instrument, not a one-page acceptable-use note in a shared drive.
  • Scope must include embedded vendor AI and AI used by contractors — not just systems you built.
  • Name accountable roles; without ownership the policy has no teeth.
  • Permitted uses must be specific ("draft internal comms with human review"), not generic ("productivity").
  • Mandatory annual review plus event-driven triggers keep the policy fit for purpose as tools and law change.

Most organisations that have an AI policy have a document that was assembled quickly, approved without scrutiny, and has not been reviewed since. It covers acceptable use in general terms, includes a paragraph about data protection, and sits in a shared drive that nobody reads. This is not governance. It is the appearance of governance — and the difference matters when something goes wrong.

A board-level AI policy is a governance instrument. It defines who is accountable, what is permitted, what is prohibited, how risk is managed, and what happens when the system fails or causes harm. Here is what it must contain.

Scope and Definitions

Define what the policy covers. This means every AI system used by your organisation — including AI embedded in third-party platforms, AI used by contractors working on your behalf, and AI used by employees in their personal tools where organisational data is involved. A policy that covers only internally built AI systems misses the majority of your actual AI estate.

Define what you mean by AI. A working definition prevents disputes later. The EU AI Act's definition — a machine-based system that, given a set of objectives, generates outputs such as predictions, recommendations, decisions, or content that influence real or virtual environments — is a defensible starting point.

Accountability Structure

Name the roles. Who owns AI governance at board level? Who is responsible for maintaining the AI register? Who approves new AI systems before deployment? Who handles complaints about AI-assisted decisions? Without named accountability, the policy has no teeth.

For UK SMEs, this does not require a dedicated AI function. It requires existing roles to have AI governance added to their remit with the training and authority to carry it out. For larger organisations and councils, a named AI lead with board reporting is the appropriate standard.

Permitted and Prohibited Uses

State clearly what AI may and may not be used for within your organisation. Prohibited uses should include: generating content that could be mistaken for official organisational output without human review; using AI to make final decisions on employment, credit, or benefits without documented human oversight; inputting personal data into AI tools that process data outside your agreed data processing agreements.

Permitted uses should be specific rather than open-ended. "AI may be used to draft internal communications subject to human review before sending" is a governance statement. "AI may be used for productivity purposes" is not.

Risk Classification and Approval

Every AI system your organisation uses or plans to use should be classified by risk before deployment. High-risk systems — those affecting decisions about people or operating in regulated domains — require formal approval, documented oversight mechanisms, and scheduled review.

Build an approval gate into your procurement process. No AI system should be deployed without completing a risk assessment and receiving sign-off from the named AI governance owner.

Incident Response

Define what constitutes an AI incident — an output that caused harm, a system that behaved unexpectedly, a data breach involving AI-processed data — and specify the response process. Who is notified? Within what timeframe? How is the incident logged and reviewed? What triggers escalation to the board?

Without this, incidents get managed ad hoc, lessons are not captured, and the same failure occurs again.

Review Cycle

The policy must include a mandatory review date — at least annually — and a trigger for unscheduled review when regulation changes, a significant incident occurs, or the organisation's AI estate materially changes. A policy last reviewed in 2023 is not fit for 2026.

Building this policy properly takes time and requires input from legal, operations, IT, and the board. If your organisation does not have the internal expertise to do it well, the cost of getting it wrong will be higher than the cost of getting specialist help.

Simon Steggles is a Fractional AI Director who builds board-level AI governance frameworks for UK SMEs and councils. Royal Navy 1984–90 (Cat 3 PV at the time, now superseded by DV); current NPPV3 Police vetting for public-sector engagements; ISACA AI Governance certified. Fractional AI Director engagements start from £3,500 per month.
