Do we really only need five AI policies to start?

Yes, as a working minimum. Acceptable use, data protection standards, vendor evaluation, incident reporting and an AI tool register are the floor. Together they let you answer the questions that actually come up in week one of AI adoption: is this tool allowed, can it touch personal data, who approved it, what do we do if it goes wrong. A larger policy framework is appropriate later, especially if you are pursuing ISO 42001 or operating in a regulated sector, but starting with all seventeen documents at once is how programmes stall before they ship.

How long does it take to put the minimum policy set in place?

A focused four-week effort is enough for most organisations. Weeks one and two are stakeholder workshops to agree scope and ownership. Week three is board or leadership sign-off. From week four onwards, you brief staff, register the tools already in use, and start the ongoing review cycle. The bottleneck is usually not drafting; it is getting the right people in the room to agree what is permitted and who owns each document. Treat that as a project with a sponsor, not a side task.

What happens if we keep using AI without any policy in place?

You accept four risks knowingly: shadow AI deployment, data leaking through unreviewed tools, compliance gaps under UK GDPR, and reputational exposure when something goes publicly wrong. Each of these has a real probability over a twelve-month horizon, and the cost of recovery is higher than the cost of writing the policy. The other consequence is cultural: without a policy, staff make their own decisions, those decisions vary, and the leadership team has no consistent picture of how AI is being used.

Should the AI tool register sit with IT or with the business?

Owned by the business, maintained with IT input. The register has to capture every AI tool in use, including supplier-embedded AI inside platforms IT did not procure as AI products. Each entry needs a business owner who can say what the tool does, what data it touches and when it was last reviewed. IT contributes the technical detail and helps with discovery, but if IT owns the register alone it tends to miss the SaaS and embedded AI. The board sees the register, not the underlying spreadsheet.

Where does this minimum set fit alongside ISO 42001?

It is the logical first step. ISO/IEC 42001 is the international management system standard for AI, and the minimum policy set covers most of the foundational documents the standard expects you to have. Putting the five documents in place gets you a defensible governance baseline now and shortens the gap if you decide to pursue ISO 42001 certification later. Going straight for ISO 42001 without the minimum set in place is usually slower, because the standard assumes you already have working policies to assess.

Do we need separate policies for staff use of public AI tools?

The acceptable use policy should cover it explicitly. Staff use of public tools — ChatGPT, Claude, Gemini, transcription apps, image generators — is where most data leakage incidents start. The policy should name which categories of tool are permitted, what data is never to be entered into a public tool, and what the approval route is for new tools. A separate staff-facing acceptable use document, written in plain English and no longer than two pages, usually does more to reduce risk than a 30-page corporate policy nobody reads.

Governance & Strategy · for leaders & councils

Minimum Policy Set for AI Use

Most UK organisations do not need a 200-page AI policy framework. They need a working minimum: acceptable use policy, data protection standards, vendor evaluation framework, incident reporting procedures, and a living AI tool register. Together these five documents create accountability, protect data, and give staff a clear answer to "are we allowed to use this?" A focused four-week effort is enough to put the minimum set in place. The full policy landscape — covering ISO 42001 readiness, prompt injection prevention, deepfake handling and bias testing — is a second phase, not a precondition.

The problem with doing nothing

Without baseline governance, you have no baseline. You cannot measure risk. You cannot train staff. You cannot respond to incidents. When something goes wrong — and in AI adoption, something always does eventually — you have no framework to fall back on.

The risk of jumping into AI without governance is not theoretical. It includes shadow AI deployment, data leaking through unreviewed tools, compliance gaps under UK GDPR, and reputational exposure when something goes publicly wrong. The minimum policy set is the smallest investment that closes those gaps to a defensible level.

The five documents you need first

These are the floor, not the ceiling. Each one answers a different question and none can be skipped without leaving a known gap.

Acceptable Use Policy: defines what AI tools are permitted, who can use them, and for what purposes. Without it, staff make their own decisions and those decisions are inconsistent.
Data Protection Standards: sets the rules for how personal data flows through AI systems. Which tools can touch personal data, what consent is required, how data is deleted. This connects AI governance to your existing UK GDPR obligations.
Vendor Evaluation Framework: a checklist of questions to ask before buying or trialling any AI tool. Covers data residency, model training clauses, security certifications and exit rights.
Incident Reporting Procedures: defines the escalation path, notification timeline and post-incident review process when an AI system produces a harmful output, leaks data or causes a compliance issue.
AI Tool Register: a living inventory of every AI system in use. Who owns it, what it does, what data it touches, when it was last reviewed. You cannot govern what you cannot see.

What this minimum set gives you

With these five documents in place, three things change. Your team has a clear answer on what is permitted. Your leadership has an audit trail for compliance conversations. And accountability sits at the right level — not with whoever happened to sign up for a free trial.

The documents also stop being theoretical the moment they are used. The first time the acceptable use policy resolves a Slack debate about a new tool, or the AI register prevents a duplicate procurement, the cost of producing them has paid back. From that point the policy set is operational infrastructure, not paperwork.

The full policy landscape

The five documents above are the floor. Organisations taking AI seriously — especially those handling personal data, operating in regulated sectors, or pursuing ISO 42001 — will need a broader set in time. A complete framework also covers privacy, prompt injection prevention, DSAR handling, deepfakes and synthetic media, AI bias testing, and AI incident classification and reporting. It is a longer programme, sequenced after the minimum set is live and being used.

Privacy Policy
Acceptable Use Policy
Vendor Evaluation Policy
ISO 42001 Readiness Checklist
UK GDPR Compliance Policy
Prompt Injection Prevention Policy
Data Protection Standards
Data Subject Access Request (DSAR) Policy
AI Policy
Risk Register
Investigation Procedure Policy
Website Terms and Conditions
AI Governance Policy
AI Tool Approval Register
Deepfakes and Synthetic Media Policy
AI Bias Testing and Fairness Framework
AI Incident Classification and Reporting Policy

Implementation timeline

The minimum set does not take months to produce. A focused four-week effort is enough.

Phase	Activity
Weeks 1–2	Stakeholder workshops to agree scope and ownership
Week 3	Board or leadership sign-off
Week 4 onwards	Staff briefing, tool registration, and ongoing review cycle

Where to start before drafting

Run an AI readiness audit before you draft anything. It tells you which policies are urgent and which can wait — and it stops you over-engineering before you understand your actual risk profile. A council piloting AI in benefits processing has a very different urgency profile to a 70-person manufacturer using AI for marketing copy. The audit lets the policy set match the risk, rather than borrowing a generic template that fits neither.

Take the next step

Want help applying this to your organisation? Use the resource below or book a 30 minute strategy call with Simon — no pitch, just practical advice.

Frequently asked questions

Related resources

Governance & Strategy

Find Out Where AI Can Save or Generate Money in Your Organisation

Book a free 30-minute call with Simon. Bring a real problem — staff time, governance worry, vendor proposal, failing pilot — and leave with a concrete first step you can take next week.

07973 210 895