YOUR ORGANISATION NEEDS AN AI POLICY. HERE'S HOW TO WRITE ONE.
Mark Horton
Right now, across your organisation, people are using AI tools. Some are using them well. Some are feeding confidential data into public models without realising the implications. Some are using AI-generated content in client-facing work without disclosure. Some are making decisions informed by AI outputs they don't fully understand.
Most of them are doing all of this without any guidance from the organisation. Because the organisation hasn't provided any.
WHY MOST AI POLICIES FAIL
The instinct, when organisations do get around to writing an AI policy, is usually to produce something comprehensive and cautious. A long document that covers every conceivable scenario, written in legal language, approved by the risk team, distributed once and never read again.
That document does not change behaviour. What changes behaviour is a policy that is short enough to remember, specific enough to act on, and embedded into the workflows where the decisions actually happen.
A good AI policy doesn't restrict your team. It gives them the confidence to act.
THE FIVE THINGS AN AI POLICY MUST COVER
What AI can be used for. Specific, positive permission — not just a list of restrictions. People need to know what's encouraged, not just what's prohibited.
What data can go into AI tools. A clear line between information that can be shared with external AI models and information that cannot. This single issue is responsible for the majority of AI-related risk incidents.
How AI outputs should be treated. AI-generated content requires human review before use. The policy should specify what that review looks like and who is responsible for it.
Disclosure requirements. When does AI use need to be disclosed — to clients, in published content, in regulated contexts? The answer varies by sector but every organisation needs a clear position.
How the policy will be updated. AI is moving faster than any policy document can keep up with. Building in a review cadence — quarterly, at minimum — is not optional.
THE GOVERNANCE STAGE
Writing the policy is Stage 03 of the Production-First AI System™ — and it's the stage most organisations skip when they try to implement AI without external support. They go from discovery to tools and wonder why adoption is inconsistent and risk is unmanaged.
Governance isn't the boring part of AI strategy. It's the part that makes everything else sustainable.
MARK HORTON
Strategic AI Advisor · Organisational AI Capability