What is an AI policy?
An AI policy is a set of internal rules that defines how artificial intelligence may be used within a company. It specifies responsibilities, risks, and compliance requirements and protects against legal and security issues.
Important: An AI policy is not a substitute for the AI Act itself. While the AI Act is a legally binding law that applies to all companies in the EU, the AI policy is an internal company regulation.
The AI Act itself takes a risk-based approach and divides AI systems into risk classes – including high-risk AI systems (e.g., in human resources management or medicine) and prohibited practices. Companies must implement transparency, documentation, and security measures depending on the category. The AI policy helps to translate legal requirements into everyday business practice and ensure that employees understand and comply with AI compliance in the best possible way.
Why do companies need an AI policy?
An AI policy not only provides clear guidelines for the legally compliant use of artificial intelligence in your company, but also helps you to meet compliance obligations and minimize risks. In view of important legal regulations, in particular the AI Act and the GDPR, an AI policy creates a clear framework that is understandable for everyone in the company. An AI policy also ensures that employees make a binding commitment to comply with legal requirements. It also helps protect against potential data breaches or the use of unauthorized AI applications.
With a clearly defined AI policy, management can control the use of AI in the company in a transparent and compliant way. This enables the company to demonstrate that it complies with the requirements of the AI Act and actively implements measures to minimize risk. This helps to counteract possible legal consequences for the company and to systematically meet compliance requirements.
Another focus is the protection of confidential data and trade secrets. Without well-formulated guidelines, there is a risk that employees in your company will unknowingly enter sensitive information into external AI tools. For example, customer lists, source codes, or other internal data could end up in publicly accessible AI systems – which is legally considered disclosure to third parties and jeopardizes the protection of trade secrets. An AI policy ensures that this sensitive information remains protected by raising awareness among employees and formulating clear prohibitions on the handling of confidential data in AI applications.
The AI policy also plays a crucial role in risk management. AI systems can make erroneous or discriminatory decisions, especially when used without human control. A classic example is the use of AI in recruiting: if an AI-supported applicant selection process uncontrollably reproduces previous patterns, it could unconsciously disadvantage certain groups of people – a potential violation of the EU-wide or country-specific equal treatment regulations. An AI policy helps minimize such risks by requiring bias testing, quality controls, and clear approval processes for AI-supported decisions. It also ensures that critical decisions are not made by AI alone, but always involve a human being (the "human-in-the-loop" principle).
In addition to these compliance and security aspects, an AI policy also offers operational advantages. It creates transparent and uniform rules for the use of AI in the company and makes it easier for employees to use new technologies responsibly and productively. At the same time, it strengthens trust among customers, partners, and regulatory authorities by demonstrating that the company is introducing AI in a structured and controlled manner. Such a policy is also helpful for promoting internal innovation: when clear framework conditions are in place, companies can develop AI in a targeted manner and ensure that new applications comply with defined standards.
You should not forgo an AI policy if you want to exploit the opportunities offered by AI in a safe and controlled manner without taking unnecessary risks. At the same time, you will strengthen data responsibility in your company and ensure that data is handled responsibly.
What should be included in an AI policy?
An AI policy should cover all important aspects of AI use in the company. Make sure to include the following topics in your AI policy:
- Purpose and scope
Define the purpose of your AI policy – for example, the safe, legally compliant, and ethical use of AI. Also define the scope: Which departments, processes, and AI systems are affected? Create an inventory of existing and planned AI applications to avoid potential gray areas or shadow AI.
- Clear definitions
Define what constitutes an AI system in your company. Terms such as high-risk AI, generative AI, machine learning, and training data should be clearly explained. This will ensure that all employees understand the policy uniformly and apply it correctly.
- Roles and responsibilities
Determine who is responsible for the safe use and monitoring of AI. Is there an AI compliance officer, does it fall under the responsibility of the data protection officer, or is there an interdisciplinary AI committee? Who approves new AI tools? Each department should document the AI policy.
- Ethical principles
Formulate guidelines for the responsible use of AI. Important principles include fairness, transparency, security, and non-discrimination. Ensure that AI does not make unfair or unethical decisions and that humans always retain a controlling role (human-in-the-loop principle).
- Compliance with legal requirements
Your policy must ensure compliance with the AI Act and other relevant laws. Define legal dos and don'ts, such as the use of personal data or transparency requirements for AI-generated content. Conduct a risk assessment before deploying new AI systems to identify high-risk applications at
- Consideration of data protection
Determine which data may be used for AI applications and how it will be protected. Does data need to be anonymized or pseudonymized? What security measures prevent unauthorized access or data leaks? Clear regulations help to prevent data protection violations.
- Protection of trade secrets and confidentiality
Define what information is considered confidential (e.g., customer lists, development plans) and how it will be protected. Make it clear that no sensitive data may be entered into external AI tools. If necessary, add a confidentiality agreement for employees and define the consequences of
- Dealing with AI-generated content
Who owns the rights to AI-generated text, images, or code? Specify that employees must check AI outputs for legal risks and flag them if necessary. If your company develops its own AI models, define measures to protect intellectual property.
- Training and awareness
Train your employees regularly on AI risks and compliance rules. Workshops, webinars, or e-learning modules help raise awareness of the safe use of AI. New employees should be informed about the AI policy during onboarding.
- Implementation, monitoring, and updating of the AI policy
Determine how and when your AI policy will be reviewed and updated. Integrate it into existing compliance processes, e.g., with regular audits and internal reporting systems for new AI applications. Define clear consequences for violations to ensure compliance.
How do I implement an AI policy in my company? The 6-step guide
Introducing an AI policy in your company requires a well-structured, systematic approach. With our best practices, explained in 6 easy-to-implement steps, you will achieve this goal:
Inventory and risk analysis
First, you need to obtain an overview of all AI applications used and planned in your company. AI tools are often used in individual departments without IT or compliance knowing about it. Analyze potential risks: Is personal data being processed? Is there high-risk AI according to the AI Act? This inventory will help you develop a customized AI policy.
Involve stakeholders and develop an AI policy
Compile an interdisciplinary team that brings legal, technical, and organizational expertise to the development and rollout of the AI policy. In joint workshops, you define clear, understandable rules and incorporate existing company policies. This will help you create a practical policy that fits into everyday work.
Obtain management buy-in
Have the policy reviewed from a legal perspective in light of the AI Act to ensure that it meets all legal requirements. At the same time, you should involve management at an early stage, since a policy is only effective if company management clearly communicates its importance and actively supports it.
Communication and training
Inform your employees thoroughly about the new guideline. Use workshops, e-learning, or interactive training to ensure that everyone not only knows the requirements but also understands them. Have them confirm their acknowledgment to ensure compliance.
Integration into company processes
Embed the policy firmly in your workflows. Implement approval processes for new AI tools, compliance checkpoints, or automated review mechanisms so that AI compliance is considered from the outset. Ensure that managers actively support implementation in their teams.
Monitoring & continuous improvement
An AI policy is not a static document. Regular audits, employee feedback, and updates in line with new legal requirements are important to ensure its effectiveness. Schedule fixed review cycles so that you can respond quickly to technological and regulatory developments.
Conclusion & Download: Set up your own AI policy now
The rapid development of AI and new legal requirements make a company-wide AI policy indispensable. This ensures clear rules for the responsible and legally compliant use of AI – from defining permissible applications and data protection measures to training employees. A well-thought-out AI policy not only minimizes risks, but also strengthens overall confidence in the company's AI strategy.
With our practical template developed by legal experts, you can get started with ease. Adapt the sample policy to your individual business processes and set the course for secure AI use today.