How to Write an AI Policy: Template, Structure, and What to Include
Every organisation using AI needs a written AI policy. This is the practical guide — what to include, how to structure it, common mistakes to avoid, and a section-by-section template you can adapt for your organisation.
Key Takeaways
An AI policy needs to answer five questions: what AI can we use, what data can go into AI tools, who approves new AI, what happens when something goes wrong, and who is accountable for what.
The most common AI policy failure: it reads as a values statement ('we will use AI ethically') rather than an operational guide ('employees must obtain approval from [role] before using any AI tool with customer data').
Length is not quality — a two-page AI policy that employees can actually follow is more valuable than a 20-page document that nobody reads. Start short and specific.
Data classification is the most important section: employees need clear, unambiguous guidance on what information they can and cannot put into AI tools. Ambiguity here creates the most common AI policy violations.
Review your AI policy every six months — the AI landscape changes too fast for annual review cycles. When a major new AI tool is released or a significant regulatory development occurs, the policy needs a targeted update.
"For informational purposes only. This article does not constitute legal, regulatory, financial or professional advice. For advice on your specific situation, consult a qualified professional."
Why most AI policies fail
The AI policy failure mode is consistent across organisations of every size: the policy is written to satisfy a governance requirement rather than to guide employee behaviour. It contains extensive language about responsible AI principles, references to regulatory frameworks, and commitments to ethical AI — and almost nothing about what employees should actually do when they want to use an AI tool for a specific task. An employee who reads such a policy leaves it no better informed about whether they can use ChatGPT to draft a client email than they were before they read it.
The test of an AI policy is not whether it satisfies a regulatory checklist but whether a new employee can read it and know what to do in the most common AI use situations they will encounter. If the answer is no, the policy needs to be rewritten regardless of how comprehensive it appears.
The five sections every AI policy needs
Section 1: Scope and purpose. Who does this policy apply to? What AI tools and activities does it cover? What is the policy trying to achieve? This section should be one paragraph — clear and direct. A scope section that needs to be read twice to understand has failed.
Section 2: Approved and prohibited tools. What AI tools has the organisation approved for use? For what purposes? What tools are prohibited? What tools require specific approval before use? This is often the most operationally useful section — employees want to know whether they can use specific tools for specific purposes, and the policy should tell them. Avoid vague guidance like 'exercise judgment about AI tools' — this transfers the governance burden to employees who cannot reasonably discharge it.
Section 3: Data classification and AI. What data can employees put into AI tools? This section must be specific: public information (information already publicly available) can generally go into commercial AI tools. Internal business information requires approved enterprise tools. Customer data, patient data, financial data, and legally privileged information require specifically approved tools with verified data handling. The data classification must be simple enough to apply quickly in daily work — a complex matrix that employees cannot recall without referring to the document provides no governance.
Section 4: Approval and escalation. Who approves new AI tool adoption? What information must be provided for approval? What is the escalation path if an employee has concerns about an AI tool they have been asked to use? Who is responsible for AI governance in each business unit? These questions must have named answers — 'the appropriate manager' is not an answer.
Section 5: Accountability and review. Who owns this policy? When is it reviewed? What happens when the policy is breached? How are incidents related to AI use reported? The accountability structure must be genuine — a policy with no enforcement mechanism and no review schedule is not an operating policy.