Most AI policy documents you find online share the same problem: they are written to be legally watertight, not to be read. The result is a document that disappears into a folder after approval, while staff on the work floor simply do whatever seems most convenient.

This article describes a different approach. It is based on real-world practice: the founder of AI Skill Pass wrote the AI policy for a large educational institution — an environment with hundreds of staff, sensitive student data and widely varying levels of digital skill. The lessons from that project apply just as well to an SME, a healthcare organisation or a local government department.

First: why have an AI policy at all?

Two reasons, one practical and one legal.

Practical: your staff already use AI, with or without a policy. Without agreements, everyone decides for themselves what seems sensible, with all the risks that brings — see our article on shadow AI. A policy replaces a hundred individual judgement calls with one considered line.

Legal: Article 4 of the European AI Act (Regulation (EU) 2024/1689) has required organisations, since 2 February 2025, to ensure a sufficient level of AI literacy among staff dealing with AI. A policy is not literally prescribed, but it is the logical place to record how your organisation meets that obligation. And as soon as personal data is involved, the GDPR applies on top.

The key design choice: short and alive beats long and dead

The lesson that hits hardest in practice: a five-page policy everyone knows protects your organisation better than a watertight thirty-page document nobody reads. Write for the employee who has to follow it, not for the lawyer who has to approve it. Concretely: plain language, examples from your own practice, and the reason attached to every rule. People follow rules whose logic they understand.

The five components of a workable AI policy

1. Scope: what does this cover, and what not?

Define what you mean by AI and who the policy applies to. Only generative AI (chatbots, image generators), or also AI baked into existing software? Permanent staff only, or also contractors, interns and volunteers? In an education context: does it cover students, or do they get their own arrangement?

Practical lesson: choose a narrow, clear scope over a broad, vague one. A policy that tries to cover “all algorithmic systems” becomes unmanageable. Start with the generative AI tools staff pick and use themselves — that is where the acute risk and the acute need sit — and expand later.

2. Approved tools: a list, not principles

The heart of the policy is surprisingly mundane: a concrete list. Which AI tools are approved, in which variant (business account, not personal), and for what kinds of tasks. Plus an equally concrete answer to the follow-up question: how do I get a new tool onto that list? Who assesses it, against which criteria, and how long does it take?

That route matters enormously. If requesting a tool takes months or disappears into a black hole, people will have found their own solution within a week. A light-touch assessment with a fast answer beats a thorough one that gets bypassed.

3. Data rules: what must never go in?

Phrase these as a short, firm list anyone can remember. For example:

Point to a separate explainer for the background (such as our article on GDPR and AI at work), but keep the rules themselves short. In the education project, one memorable rule of thumb — “would you write it on a postcard?” — proved more effective than three pages of definitions.

4. Human oversight: who checks what, and who is accountable?

The most important sentence in any AI policy: AI advises, a human decides — and remains accountable. Work that out per situation:

Also record that staff never need to hide their AI use. A culture where people simply say “this draft came from AI, I checked it” is a safety mechanism no technical measure can replace.

5. Review cycle: build in the ageing

AI tools change faster than any policy. A policy without a review date is fiction within a year. So arrange from day one:

Workable AI policy checklist: (1) scope in one paragraph, (2) list of approved tools plus a request route, (3) data rules that fit on one page, (4) clear agreements on human review and accountability, (5) owner, reporting channel and review date. If the whole thing does not fit in roughly five pages, it is too long.

A policy without training stays paper

The final lesson from practice may be the most important: rollout is not an email. A policy only comes alive when staff understand where the rules come from and have practised the situations it is about. That connects directly to the literacy obligation in Article 4 of the AI Act: the goal is not the document, but employees who handle AI sensibly.

So plan the training together with the policy rollout, not as an afterthought. The AI literacy course covers exactly the topics an AI policy touches on; for a team-wide approach with per-employee licences, see the page for employers, and the free quiz tells you where your people stand today.