Governance & Strategy · for leaders & councils
Minimum Policy Set for AI Use
Most UK organisations do not need a 200-page AI policy framework. They need a working minimum: acceptable use policy, data protection standards, vendor evaluation framework, incident reporting procedures, and a living AI tool register. Together these five documents create accountability, protect data, and give staff a clear answer to "are we allowed to use this?" A focused four-week effort is enough to put the minimum set in place. The full policy landscape - covering ISO 42001 readiness, prompt injection prevention, deepfake handling and bias testing - is a second phase, not a precondition.
The problem with doing nothing
Without baseline governance, you have no baseline. You cannot measure risk. You cannot train staff. You cannot respond to incidents. When something goes wrong - and in AI adoption, something always does eventually - you have no framework to fall back on.
The risk of jumping into AI without governance is not theoretical. It includes shadow AI deployment, data leaking through unreviewed tools, compliance gaps under UK GDPR, and reputational exposure when something goes publicly wrong. The minimum policy set is the smallest investment that closes those gaps to a defensible level.
The five documents you need first
These are the floor, not the ceiling. Each one answers a different question and none can be skipped without leaving a known gap.
- Acceptable Use Policy: defines what AI tools are permitted, who can use them, and for what purposes. Without it, staff make their own decisions and those decisions are inconsistent.
- Data Protection Standards: sets the rules for how personal data flows through AI systems. Which tools can touch personal data, what consent is required, how data is deleted. This connects AI governance to your existing UK GDPR obligations.
- Vendor Evaluation Framework: a checklist of questions to ask before buying or trialling any AI tool. Covers data residency, model training clauses, security certifications and exit rights.
- Incident Reporting Procedures: defines the escalation path, notification timeline and post-incident review process when an AI system produces a harmful output, leaks data or causes a compliance issue.
- AI Tool Register: a living inventory of every AI system in use. Who owns it, what it does, what data it touches, when it was last reviewed. You cannot govern what you cannot see.
What this minimum set gives you
With these five documents in place, three things change. Your team has a clear answer on what is permitted. Your leadership has an audit trail for compliance conversations. And accountability sits at the right level - not with whoever happened to sign up for a free trial.
The documents also stop being theoretical the moment they are used. The first time the acceptable use policy resolves a Slack debate about a new tool, or the AI register prevents a duplicate procurement, the cost of producing them has paid back. From that point the policy set is operational infrastructure, not paperwork.
The full policy landscape
The five documents above are the floor. Organisations taking AI seriously - especially those handling personal data, operating in regulated sectors, or pursuing ISO 42001 - will need a broader set in time. A complete framework also covers privacy, prompt injection prevention, DSAR handling, deepfakes and synthetic media, AI bias testing, and AI incident classification and reporting. It is a longer programme, sequenced after the minimum set is live and being used.
- Privacy Policy
- Acceptable Use Policy
- Vendor Evaluation Policy
- ISO 42001 Readiness Checklist
- UK GDPR Compliance Policy
- Prompt Injection Prevention Policy
- Data Protection Standards
- Data Subject Access Request (DSAR) Policy
- AI Policy
- Risk Register
- Investigation Procedure Policy
- Website Terms and Conditions
- AI Governance Policy
- AI Tool Approval Register
- Deepfakes and Synthetic Media Policy
- AI Bias Testing and Fairness Framework
- AI Incident Classification and Reporting Policy
Implementation timeline
The minimum set does not take months to produce. A focused four-week effort is enough.
| Phase | Activity |
|---|---|
| Weeks 1–2 | Stakeholder workshops to agree scope and ownership |
| Week 3 | Board or leadership sign-off |
| Week 4 onwards | Staff briefing, tool registration, and ongoing review cycle |
Where to start before drafting
Run an AI readiness audit before you draft anything. It tells you which policies are urgent and which can wait - and it stops you over-engineering before you understand your actual risk profile. A council piloting AI in benefits processing has a very different urgency profile to a 70-person manufacturer using AI for marketing copy. The audit lets the policy set match the risk, rather than borrowing a generic template that fits neither.
Take the next step
Want help applying this to your organisation? Use the resource below or book a 30 minute strategy call with Simon — no pitch, just practical advice.
Frequently asked questions
Yes, as a working minimum. Acceptable use, data protection standards, vendor evaluation, incident reporting and an AI tool register are the floor. Together they let you answer the questions that actually come up in week one of AI adoption: is this tool allowed, can it touch personal data, who approved it, what do we do if it goes wrong. A larger policy framework is appropriate later, especially if you are pursuing ISO 42001 or operating in a regulated sector, but starting with all seventeen documents at once is how programmes stall before they ship.
A focused four-week effort is enough for most organisations. Weeks one and two are stakeholder workshops to agree scope and ownership. Week three is board or leadership sign-off. From week four onwards, you brief staff, register the tools already in use, and start the ongoing review cycle. The bottleneck is usually not drafting; it is getting the right people in the room to agree what is permitted and who owns each document. Treat that as a project with a sponsor, not a side task.
You accept four risks knowingly: shadow AI deployment, data leaking through unreviewed tools, compliance gaps under UK GDPR, and reputational exposure when something goes publicly wrong. Each of these has a real probability over a twelve-month horizon, and the cost of recovery is higher than the cost of writing the policy. The other consequence is cultural: without a policy, staff make their own decisions, those decisions vary, and the leadership team has no consistent picture of how AI is being used.
Owned by the business, maintained with IT input. The register has to capture every AI tool in use, including supplier-embedded AI inside platforms IT did not procure as AI products. Each entry needs a business owner who can say what the tool does, what data it touches and when it was last reviewed. IT contributes the technical detail and helps with discovery, but if IT owns the register alone it tends to miss the SaaS and embedded AI. The board sees the register, not the underlying spreadsheet.
It is the logical first step. ISO/IEC 42001 is the international management system standard for AI, and the minimum policy set covers most of the foundational documents the standard expects you to have. Putting the five documents in place gets you a defensible governance baseline now and shortens the gap if you decide to pursue ISO 42001 certification later. Going straight for ISO 42001 without the minimum set in place is usually slower, because the standard assumes you already have working policies to assess.
The acceptable use policy should cover it explicitly. Staff use of public tools - ChatGPT, Claude, Gemini, transcription apps, image generators - is where most data leakage incidents start. The policy should name which categories of tool are permitted, what data is never to be entered into a public tool, and what the approval route is for new tools. A separate staff-facing acceptable use document, written in plain English and no longer than two pages, usually does more to reduce risk than a 30-page corporate policy nobody reads.
Related resources
Governance & Strategy
AI Governance Policy Template
Without a written policy, you can't tell an auditor what's allowed, demonstrate Article 22 oversight, or fairly discipline staff who paste client data into a public chatbot. This template gives UK organisations eight core sections to adapt.
Governance & Strategy
Staff AI Use Policy
A practical UK Staff AI Acceptable Use Policy template covering permitted uses, prohibited actions, data classifications, verification and reporting.
Governance & Strategy
AI Risk Register Structure
A practical AI risk register structure UK leaders can maintain: six categories, seven fields and a minimum viable register that survives audit.
Governance & Strategy
AI Safety Report 2026 Summary
The 2026 International AI Safety Report in plain English: jagged performance, commoditised cyber-attack tools, the evidence dilemma - board actions.
Governance & Strategy
Prompt Injection Risk
Prompt injection is an active attack on enterprise AI. Learn where your organisation is exposed and the technical and governance controls that contain it.
Governance & Strategy
Shadow AI Risk
68% of UK organisations have staff using unauthorised AI. The GDPR exposure, why blanket bans fail, and three actions you can take this week.
Governance & Strategy
Board-Level AI Policy Contents
The six elements a board-level AI policy must contain: scope, accountability, permitted use, risk classification, incident response and a real review cycle.
Find Out Where AI Can Save or Generate Money in Your Organisation
Book a free 30-minute call with Simon. Bring a real problem - staff time, governance worry, vendor proposal, failing pilot - and leave with a concrete first step you can take next week.
