AI policy and clear frameworks for AI use in the organisation

Artificial intelligence is already part of everyday working life in most organisations. Employees use tools such as ChatGPT, Microsoft Copilot and other AI solutions for everything from content production and analysis to customer service and decision support.

At the same time, new questions are arising:

  • Which AI tools can employees use?
  • Which data can be shared with AI services?
  • How do we quality-assure content generated by AI?
  • Who is accountable if AI contributes to incorrect decisions?

An AI policy is often the first step organisations take towards creating clear frameworks for the use of artificial intelligence.

What is an AI policy?

An AI policy is a governing document that describes how artificial intelligence should be used within the organisation.

Its purpose is to give employees and leaders clear guidelines for the safe, responsible and effective use of AI tools. The policy helps to reduce risk whilst making it easier to adopt the technology in a controlled manner.

A good AI policy should not hinder innovation. It should make it safer to use AI.

Certain QMS

Why do organisations need an AI policy?

Many organisations already have employees using AI on a daily basis, often without the organisation having decided how the technology should be used.

This can lead to challenges relating to:

  • Sharing of confidential information
  • Data protection and the handling of personal data
  • Incorrect or misleading content generated by AI
  • Lack of documentation of how decisions were made
  • Inconsistent practice across departments and employees

An AI policy provides a shared framework that reduces uncertainty and makes it easier to adopt AI in a responsible manner.

What should an AI policy contain?

There is no universal template that suits every organisation, but most AI policies cover the following areas.

Purpose and scope

The policy should describe why the organisation uses AI and who the guidelines apply to. This typically includes employees, leaders, consultants and contractors.

Approved AI tools

The organisation should define which AI solutions are approved for use. This makes it easier to control security, data processing and compliance with internal requirements.

Information handling

A central point is which types of information may be shared with AI tools.

Many organisations prohibit the sharing of, for example:

  • Personal data
  • Customer data
  • Trade secrets
  • Confidential information

Quality assurance of AI-generated content

AI can produce incorrect, incomplete or fabricated information. The policy should therefore make clear that employees are always responsible for checking and quality-assuring results before they are used further.

Responsibility and ownership

It should be clear that AI is a tool, not a decision-maker. Responsibility for decisions and actions remains with people.

Compliance with legislation and regulation

The policy should describe how the organisation relates to relevant regulation, including the General Data Protection Regulation (GDPR), sector-specific requirements and any requirements linked to the AI Act.

Is an AI policy enough?

For many organisations, an AI policy is a good place to start.

But as the use of artificial intelligence grows, the need for more structured governance will often increase.

Leaders will then need to be able to answer questions such as:

  • Where is AI being used in the organisation?
  • Which risks have we identified?
  • How do we follow up on AI-related incidents?
  • How do we document decisions that are influenced by AI?
  • How do we ensure compliance with new regulatory requirements?

These are areas that are normally addressed through AI governance or an AI management system.

From AI policy to AI governance

An AI policy describes which rules apply.

AI governance is about how the organisation manages, follows up and improves its use of artificial intelligence over time.

In the same way that organisations work systematically with quality, information security and data protection, many will eventually establish structures for governing AI.

For organisations that want to work more systematically in this area, ISO 42001 has established an international framework for the governance of artificial intelligence.

Summary

An AI policy is often the first and most important step towards the responsible use of artificial intelligence. It gives employees clear guidelines, reduces risk and makes it easier to adopt AI in a safe manner.

At the same time, leaders should be aware that a policy alone is rarely sufficient when AI becomes a significant part of the organisation’s processes and decision-making. Over time, many organisations will need more structured AI governance and a comprehensive AI management system.

Talk to us about AI management systems

We help organisations with advisory services, establishment and further development of AI management systems. Get in touch to find out how we can help you!

Mirjam Meling

Marketing & Communication Manager

Produces content for Certain QMS on management systems, quality management, information security and AI governance. She works with subject matter experts to communicate complex topics in a clear and practical way.
