Why most AI policies fail
Most organisations that have an AI policy have one that doesn't work. The most common failure mode is writing a policy that is all principles and no specifics: a document that says things like "employees should use AI responsibly and ethically" without defining what responsible and ethical use means in practice.
An AI policy that doesn't name specific tools, specific prohibited actions, and specific consequences is an aspiration document, not a governance instrument. Employees encountering ambiguous situations will make their own interpretations, and the interpretations that create risk are rarely the ones that get escalated.
The second failure mode is writing a policy and not maintaining it. AI tools change fast. A policy written eighteen months ago that still names the same approved tools is probably out of date, and an out-of-date policy that employees know is out of date is worse than no policy.
Before you start writing
You need three things before you can write a useful AI policy:
- An AI system inventory, a list of every AI tool currently used in the organisation, in any department
- A decision on which tools you are approving, which you are prohibiting, and which you are allowing under specific conditions
- Input from legal, IT, and at least one business unit; the policy will fail if it isn't grounded in operational reality
Section 1: Purpose and Scope
State what the policy covers and who it applies to. Be explicit: this policy applies to all employees, contractors, and agents when using AI tools in connection with their work, including tools accessed through personal accounts.
Cover in this section:
- Purpose and objectives
- Scope (who is covered, including contractors)
- Definitions of "AI tool" for policy purposes
- Effective date and review date
Section 2: Approved and Prohibited AI Tools
Name the specific tools that are approved, the contexts in which they are approved, and any tools that are explicitly prohibited. This section must be kept current.
Cover in this section:
- Approved tools: name each tool, approved uses, conditions (enterprise vs consumer versions)
- Prohibited tools: tools that may not be used for work purposes
- Process for requesting approval of new tools
- Consequences of using unapproved tools with work data
Section 3: Data Handling Rules
This is the highest-risk section and requires the most specificity. Employees need to understand exactly what they may and may not enter into AI tools, not a general warning to "be careful."
Data that must never be entered into consumer AI tools:
- Customer names, email addresses, or contact information
- Client financial information, contracts, or commercially sensitive data
- Employee personal information (salaries, health information, performance reviews)
- Internal passwords, API keys, or credentials
- Proprietary business information, unreleased product details
- Confidential legal advice or litigation strategy
Section 4: Disclosure Requirements
Where AI has played a significant role in producing work, employees need to know whether and how to disclose this. Cover:
- When disclosure is required (client deliverables, published content, regulatory submissions)
- When disclosure is at the employee's discretion (internal documents, first drafts)
- When disclosure is not required (grammar correction, formatting assistance)
- How to make the disclosure, including suggested language
Section 5: Human Review Requirements
Define the categories of AI use that require human review before the output is relied upon or acted upon. This section should specifically address high-stakes uses.
Cover in this section:
- Decisions requiring human review before implementation (employment decisions, legal advice, financial projections in client materials)
- Content requiring fact-checking before use (statistics, citations, regulatory references)
- Prohibition on delegating final decision-making to AI for high-stakes outcomes
Section 6: Intellectual Property and Copyright
Address the IP ownership questions that arise from AI-generated content. This area is evolving rapidly, so legal advice is important here.
Cover:
- Uncertainty regarding copyright of AI-generated content
- Obligation not to reproduce third-party copyrighted content via AI tools
- Requirement to check AI outputs for copyright issues before publication
Section 7: Accountability and Incident Reporting
Every policy needs an owner and a way for employees to raise concerns. Shadow AI thrives in organisations where employees don't feel they can ask questions.
Cover:
- Named owner: the individual responsible for maintaining this policy
- How to request an exception or ask a question
- How to report a potential incident or breach
- Non-retaliation: employees will not be penalised for good-faith reporting
- Consequences of breach
Section 8: Review and Updates
AI tools and regulatory requirements change rapidly. A policy that isn't reviewed regularly becomes a liability.
Cover:
- Review frequency: minimum annually; recommended every six months
- Trigger reviews: new AI tool adoption; material regulatory change; following any incident
- How employees will be notified of policy changes
- Training requirements
After you publish: making the policy work
Publication is not implementation. Three things make the difference between a policy that exists and a policy that works:
Communication: Announce the policy with a clear explanation of what's changing and why. A Q&A session or live briefing gives employees the opportunity to raise questions.
Training: Include AI policy training in onboarding for new employees. Include a policy refresher in annual compliance training.
Enforcement and consistency: The first breach of the AI policy sets the tone for all subsequent ones. Enforcement must be consistent, proportionate, and based on the policy's own stated consequences.