Most businesses write their AI policy after something goes wrong. A member of staff uses ChatGPT to draft a client proposal and pastes in confidential data. A model produces an incorrect output that gets sent to a customer. A regulator asks to see your AI governance documentation and there is none.

The firms that get AI adoption right treat governance as infrastructure — something you build before you need it, not after. Here is what a defensible AI policy actually needs to cover.

Why most AI policies fail

The most common failure mode is the one-page acceptable use policy that HR sends around and nobody reads. It says something like "employees may use AI tools for productivity purposes but must not share confidential information." That is not a governance framework. It is a disclaimer.

A real AI policy needs to be operational — specific enough that a member of staff knows exactly what they can and cannot do, and that a manager can make a consistent decision when something ambiguous comes up.

The six things a defensible AI policy must cover

1. Scope — which AI tools and which use cases

Name the tools your organisation uses or permits. Do not write a blanket policy that covers "all AI tools" — it will be ignored. Be specific: Microsoft Copilot, ChatGPT, Claude, Grammarly, your CRM's AI features. For each, define what it can be used for and what it cannot.

2. Data classification and what can go in

This is the most critical element. Define clearly what categories of data can and cannot be inputted into AI tools. At minimum: no client personal data, no commercially sensitive information, no legally privileged content. The policy needs to be specific enough that a paralegal or account manager can make the call without asking their manager every time.

3. Output review requirements

AI outputs must not be used without human review. Define what that review looks like for different use cases. A first draft of a marketing email needs less scrutiny than an AI-assisted legal summary. Make the review requirement proportionate and explicit.

4. Disclosure obligations

In some sectors and contexts, you are required to disclose AI involvement. The EU AI Act mandates disclosure for certain AI interactions. Some professional bodies have their own requirements. Your policy needs to define when disclosure is required and how it should be made.

5. Accountability and escalation

Who is responsible for AI governance in your organisation? Who do staff escalate to when something goes wrong or when they are unsure? The policy needs a named owner and a clear escalation path.

6. Review cadence

AI capabilities and regulatory requirements are changing faster than annual policy reviews can keep up with. Build in a quarterly review process at minimum, and a mechanism for urgent updates when a significant new tool is adopted or a regulatory change occurs.

The test of a good AI policy: Give it to a new member of staff on their first day. If they can read it and know what to do in the ten most common AI-related situations they will encounter in their role — it is working. If they would need to ask their manager anyway, rewrite it.

When to build your AI policy

Before you deploy any AI tool in a business context. Not after. The moment a member of staff starts using an AI tool for work purposes — even informally, even on their personal device — you have an AI governance gap.

If you already have AI tools in use without a policy, the priority is not to ban them — it is to catch up quickly. An emergency policy that covers the basics is better than nothing while you build something more comprehensive.