An AI usage policy is an internal document that defines which artificial intelligence tools employees may use, for which tasks, on what data and under whose oversight. Alongside the AI system register it is the second foundation of EU AI Act compliance - and the first document an auditor, a client or a supervisory authority will ask about.

Below is a full checklist of what the policy should contain, and the most common mistakes that make the document exist but not work.

Why is an AI policy needed?

Employees already use AI - with or without a policy. The difference is whether they do it according to rules the company has consciously set, or at their own discretion, on private accounts and without the organisation's knowledge.

The AI Act does not contain a provision saying „every company must have an AI policy". But it requires things from organisations that cannot be done without one: ensuring an adequate level of AI competence among staff (Article 4), preventing prohibited practices (Article 5), transparency towards people (Article 50) and human oversight of high-risk systems (Article 26). The policy is where those requirements turn into concrete, everyday rules.

On top of that comes everything that does not follow directly from the AI Act but can hurt much sooner: a leak of client data pasted into a free chatbot, a GDPR breach, loss of trade secrets, vulnerable code deployed without review, content that misleads customers.

Checklist: the 10 elements of a good AI policy

1. Scope and definitions. What the policy covers (external tools, AI features in software, in-house systems) and who it binds (employees, contractors, subcontractors).

2. A list of approved and forbidden tools. Explicit, with names - linked to the AI system register. An employee should not have to guess whether „this particular tool" is OK.

3. Data rules. What may and may not be entered into AI tools: personal data, client data, trade secrets, source code, financial data. This is the single most important point of the whole document.

4. Verification of outputs. When the result of AI work requires a human check - and who is accountable for the final outcome (the rule: the human is accountable, not the tool).

5. Transparency. When content created with AI has to be labelled - towards clients, contractors and internally (consistent with Article 50 of the AI Act).

6. Forbidden uses. A catalogue of red lines: decisions about people without human oversight, analysing employees' emotions, uses contrary to Article 5 of the AI Act, circumventing tools' safeguards.

7. A process for proposing new tools. The path: who can propose, who assesses, who approves. Without it, the policy either freezes the company or gets bypassed.

8. Incidents. What to do when something goes wrong (a data leak, wrong content sent to a client, a suspected breach) - who to report to and how fast.

9. Training and acknowledgements. The obligation to complete AI literacy training and a written (or system-based) confirmation of having read the policy. No acknowledgements means no evidence.

10. An owner and a review cycle. Who is responsible for the policy and how often it is updated. The AI market changes monthly - a year-old policy with no review is fiction.

The most common implementation mistakes

The ban-everything policy. A document that forbids everything does not eliminate AI from the company - it only eliminates the company's knowledge of how AI is used. Employees switch to private phones and accounts, and the firm loses what control it had. We wrote about the scale of this in our article on shadow AI.

The essay policy. Fifteen pages of generalities about „responsible use of innovation" with no answer to whether you may paste a client's contract into a chatbot. A good policy is specific and short.

The policy without training. A document on the intranet that nobody has read protects neither employees nor the company. Rules work when they come with competence - which is why the AI Act puts AI literacy first (see our article AI literacy is a company's first line of defence).

The policy without evidence. In an inspection or dispute, what counts is not whether the policy exists, but whether the company can show: who approved it, when, who read it and who completed the training. No evidence = no policy.

The AI policy and the other elements of compliance

The policy does not work in a vacuum. The minimum complete compliance set looks like this: an AI system register (what we use and where) → the policy (on what terms) → certified training (do people know how) → evidence and review (can we prove it). That set is then verified the way an inspector would - we describe it in An EU AI Act compliance audit step by step.

The deadlines and sanctions that make this set urgent are collected on our EU AI Act compliance page and in the guide to AI Act fines.

How does AI TrustCERT help?

In the AI TrustCERT platform, the AI usage policy is a ready, editable element of the system: a document template, distribution to employees, collection of acknowledgements, links to the tool register and training, and an evidence report. Instead of writing the document from scratch and chasing signatures over e-mail - the organisation gets a working workflow in 1-7 days. You can see our own rules on the AI usage terms page.

Not sure the policy is your first step? Check in 3 minutes - the free AI Ready Check.

Summary

An AI usage policy answers four questions: what may be used, on what data, who checks the results and what to do when something goes wrong. The ten checklist elements above are enough for the document to be complete.

Most important, though, is that the policy is alive: known to employees, confirmed by signatures, backed by training and reviewed regularly. Such a document protects the company twice - first it prevents incidents, and if they happen anyway, it constitutes evidence of diligence that directly affects the authority's assessment and the size of any penalty.

Sources

  1. Regulation (EU) 2024/1689 (AI Act) - Article 4 (AI literacy), Article 5 (prohibited practices), Article 26 (human oversight for deployers of high-risk systems), Article 50 (transparency): eur-lex.europa.eu
  2. European Commission - AI Literacy - Questions & Answers: the obligation to ensure AI competence (Article 4) for providers and deployers: digital-strategy.ec.europa.eu