Most AI policy documents you find online share the same problem: they are written to be legally watertight, not to be read. The result is a document that disappears into a folder after approval, while staff on the ground simply do whatever seems most convenient.
This article describes a different approach. It is based on real-world practice: the founder of AI Skill Pass wrote the AI policy for a large educational institution — an environment with hundreds of staff, sensitive student data and widely varying levels of digital skill. The lessons from that project apply just as well to an SME, a healthcare organisation or a local government department.
First: why have an AI policy at all?
Two reasons, one practical and one legal.
Practical: your staff already use AI, with or without a policy. Without agreements, everyone decides for themselves what seems sensible, with all the risks that brings — see our article on shadow AI. A policy replaces a hundred individual judgement calls with one considered line.
Legal: Article 4 of the European AI Act (Regulation (EU) 2024/1689) has required organisations, since 2 February 2025, to ensure a sufficient level of AI literacy among staff dealing with AI. A policy is not literally prescribed, but it is the logical place to record how your organisation meets that obligation. And as soon as personal data is involved, the GDPR applies on top.
The key design choice: short and alive beats long and dead
The lesson that hits hardest in practice: a five-page policy everyone knows protects your organisation better than a watertight thirty-page document nobody reads. Write for the employee who has to follow it, not for the lawyer who has to approve it. Concretely: plain language, examples from your own practice, and the reason attached to every rule. People follow rules whose logic they understand.
The five components of a workable AI policy
1. Scope: what does this cover, and what not?
Define what you mean by AI and who the policy applies to. Only generative AI (chatbots, image generators), or also AI baked into existing software? Permanent staff only, or also contractors, interns and volunteers? In an education context: does it cover students, or do they get their own arrangement?
Practical lesson: choose a narrow, clear scope over a broad, vague one. A policy that tries to cover “all algorithmic systems” becomes unmanageable. Start with the generative AI tools staff pick and use themselves — that is where the acute risk and the acute need sit — and expand later.
2. Approved tools: a list, not principles
The heart of the policy is surprisingly mundane: a concrete list. Which AI tools are approved, in which variant (business account, not personal), and for what kinds of tasks. Plus an equally concrete answer to the follow-up question: how do I get a new tool onto that list? Who assesses it, against which criteria, and how long does it take?
That route matters enormously. If requesting a tool takes months or disappears into a black hole, people will have found their own solution within a week. A light-touch assessment with a fast answer beats a thorough one that gets bypassed.
3. Data rules: what must never go in?
Phrase these as a short, firm list anyone can remember. For example:
- No personal data of customers, students, patients or colleagues in AI tools, unless the tool is approved by the organisation and a data processing agreement is in place.
- Never special-category data (health, religious beliefs, ethnicity) — not even in approved tools, unless explicitly arranged.
- No confidential business information (quotes, contracts, source code, non-public decisions) in tools outside the approved list.
- When in doubt: ask first, paste later.
Point to a separate explainer for the background (such as our article on GDPR and AI at work), but keep the rules themselves short. In the education project, one memorable rule of thumb — “would you write it on a postcard?” — proved more effective than three pages of definitions.
4. Human oversight: who checks what, and who is accountable?
The most important sentence in any AI policy: AI advises, a human decides — and remains accountable. Work that out per situation:
- Which output only needs a quick self-check (internal drafts)?
- What requires review by a second person (anything published externally, advice to clients)?
- Where may AI support but never be decisive? Think of decisions about people: performance reviews, job applications, grades, referrals. That is exactly where legislation sets the strictest requirements too.
Also record that staff never need to hide their AI use. A culture where people simply say “this draft came from AI, I checked it” is a safety mechanism no technical measure can replace.
5. Review cycle: plan for ageing from day one
AI tools change faster than any policy. A policy without a review date is fiction within a year. So arrange from day one:
- A fixed owner of the policy (a role, not a person).
- A review moment — every six or twelve months, say — plus interim updates when something big changes.
- A low-threshold channel where staff can ask questions and flag new tools or problems. Those reports are your best input for the next version.
- A version number and date on the document, so everyone can see whether they are looking at the current version.
Workable AI policy checklist: (1) scope in one paragraph, (2) list of approved tools plus a request route, (3) data rules that fit on one page, (4) clear agreements on human review and accountability, (5) owner, reporting channel and review date. If the whole thing does not fit in roughly five pages, it is too long.
A policy without training stays paper
The final lesson from practice may be the most important: rollout is not an email. A policy only comes alive when staff understand where the rules come from and have practised the situations it covers. That connects directly to the literacy obligation in Article 4 of the AI Act: the goal is not the document, but employees who handle AI sensibly.
So plan the training together with the policy rollout, not as an afterthought. The AI literacy course covers exactly the topics an AI policy touches on; for a team-wide approach with per-employee licences, see the page for employers, and the free quiz tells you where your people stand today.