# AI Governance Policy

| Field | Detail |
|---|---|
| **Organisation** | [Organisation Name] |
| **Document type** | Policy — approved, mandatory |
| **Framework basis** | ISO/IEC 42001 · EU AI Act · NIST AI RMF (GOVERN) · OECD AI Principles |
| **Owner** | [Policy owner — e.g. AI Governance Lead] |
| **Approved by** | [Accountable executive / Board] |
| **Version / status** | v1.0 — DRAFT for adoption |
| **Effective date** | [Date] |
| **Next review** | [Date — at least annually] |
| **Classification** | Internal |
| **Prepared with** | autogovern.io — AI governance & risk templates |


## 1. Purpose

This policy establishes how **[Organisation Name]** governs the responsible development, procurement, deployment and use of artificial intelligence (AI). It sets the principles, accountabilities, structures and controls that ensure every AI system is **lawful, ethical, safe, fair, transparent and under meaningful human control** throughout its lifecycle. It is the top-level policy of the organisation’s AI Management System (AIMS) and all other AI standards, procedures and registers sit beneath it.

## 2. Objectives

- Enable [Organisation Name] to adopt AI confidently while managing legal, ethical and operational risk.
- Establish clear ownership and accountability for every AI system.
- Ensure compliance with applicable AI laws and alignment to recognised frameworks.
- Build and maintain the trust of customers, employees, regulators and the public.
- Make governance repeatable and auditable, not ad hoc.

## 3. Scope

This policy applies to:

- **All AI systems** built in-house, procured, embedded in third-party products, or accessed as a service (including generative AI and AI agents).
- **The full lifecycle** — ideation, design, data sourcing, development, validation, deployment, operation, monitoring and decommissioning.
- **Everyone** who designs, builds, buys, deploys, operates, oversees or uses AI on behalf of [Organisation Name], including employees, contractors and third parties acting for the organisation.

## 4. Definitions

| Term | Meaning |
|---|---|
| AI system | A machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs such as predictions, content, recommendations or decisions. |
| Generative AI (GenAI) | AI that produces content — text, image, audio, video, code — from prompts. |
| AI agent | An AI system that can take actions (call tools, transact, change state) with some autonomy, not just produce outputs. |
| Provider / Deployer | The party that develops/places an AI system on the market (provider) vs. the party that uses it under its authority (deployer). |
| Risk tier | The classification of a system’s risk (e.g. EU AI Act: prohibited / high / limited / minimal). |
| AIMS | AI Management System — the governance framework, roles and processes that manage AI (ISO/IEC 42001). |
| System / Model owner | The named individual accountable for a specific AI system meeting this policy. |

## 5. Governing principles

Every AI system at [Organisation Name] shall uphold these principles:

1. **Accountability** — every system has a named owner and a clear chain of responsibility to an accountable executive.
2. **Lawfulness & compliance** — systems are mapped to, and meet, all applicable legal obligations.
3. **Fairness & non-discrimination** — systems are tested for unfair bias and do not produce discriminatory outcomes.
4. **Transparency & explainability** — the use of AI is disclosed; decisions can be explained to an appropriate degree; documentation is maintained.
5. **Safety & robustness** — systems are tested, monitored and resilient to error, misuse and adversarial conditions.
6. **Human oversight** — a person can understand, oversee, intervene in and stop each system; humans remain responsible for outcomes.
7. **Privacy & data protection** — personal data is used lawfully, minimally and securely.
8. **Security** — systems, models and data are protected against unauthorised access, manipulation and exfiltration.
9. **Accuracy & reliability** — systems meet defined performance targets appropriate to their use.
10. **Sustainability & proportionality** — AI is used where it adds value, proportionate to the risk it creates.

## 6. Governance structure & roles

| Body / role | Responsibility |
|---|---|
| **Board / accountable executive** | Owns the organisation’s AI risk appetite; approves this policy; receives regular assurance; accountable for material AI decisions. |
| **AI Governance Committee** | Cross-functional forum (Risk, Legal/DPO, Security, Product, Data/ML, HR) that reviews high-risk systems, exceptions and incidents; meets at a defined cadence. |
| **AI Governance Lead** | Runs the AIMS day-to-day; maintains the AI inventory; chairs the Committee; reports to the accountable executive. |
| **System / Model owners** | Accountable for their AI system meeting this policy across its lifecycle, including risk assessment, controls and monitoring. |
| **Risk & Compliance** | Advises on obligations; maintains regulatory mapping; assures controls. |
| **Legal / DPO** | Confirms lawful basis, data-protection and regulatory obligations; owns automated-decision safeguards. |
| **Security** | Owns AI/ML security controls, threat modelling and monitoring. |
| **Data / ML teams** | Implement data governance, testing, documentation and monitoring. |
| **All staff** | Use AI within the acceptable-use rules; complete required training; report concerns and incidents. |

### RACI (adapt to your organisation)

| Activity | Board | Gov. Lead | System owner | Risk/Legal |
|---|---|---|---|---|
| Approve AI policy & appetite | A | R | C | C |
| Maintain AI inventory | I | A | R | C |
| Classify & risk-assess a system | I | C | R | A |
| Approve high-risk go-live | A | C | R | C |
| Monitor systems in production | I | C | R | I |
| Handle AI incidents | I | A | R | C |

_R = Responsible · A = Accountable · C = Consulted · I = Informed._

## 7. The AI Management System (AIMS)

[Organisation Name] operates a management system for AI aligned to ISO/IEC 42001:

1. **Inventory** — maintain a register of every AI system: purpose, owner, data used, risk tier and status (see Appendix A).
2. **Classification & risk assessment** — classify every system by risk tier and complete an AI risk assessment (per the AI Risk Management Policy) before deployment.
3. **Controls** — apply a control set proportionate to the tier (data governance, documentation, logging, transparency, human oversight, testing, security).
4. **Impact assessment** — complete an AI system impact assessment (and a DPIA / FRIA where applicable) for higher-risk systems.
5. **Monitoring & audit** — monitor systems in production and audit the AIMS at least annually.
6. **Improvement** — record nonconformities, incidents and lessons learned, and act on them.

## 8. AI system lifecycle & stage gates

Every AI system passes through governed stages, each with a gate that must be cleared before proceeding:

| Stage | Key governance activity | Gate to pass |
|---|---|---|
| Ideate / propose | Define purpose, value and affected people; screen against prohibited uses | Use case approved & logged in inventory |
| Design | Risk classification; design controls; privacy-by-design | Risk tier assigned; control plan agreed |
| Data | Source, document and quality-check data; bias examination; lawful basis | Data governance sign-off |
| Build / train | Develop with security and documentation; model card started | Technical documentation in progress |
| Validate | Accuracy, robustness, security and fairness testing | Test results meet targets; fairness gate passed |
| Approve / deploy | Impact assessment; human-oversight design; owner sign-off | Go-live approval (executive sign-off for high-risk) |
| Operate / monitor | Monitoring, logging, drift & fairness tracking, incident readiness | Monitoring live; runbook in place |
| Retire | Decommission safely; retain records; notify affected parties | Decommission approved & recorded |

## 9. Acceptable use & prohibited practices

[Organisation Name] shall not develop, deploy or use AI for practices that are prohibited by law or by this policy, including:

- Social scoring, manipulative or subliminal techniques, or exploitation of vulnerabilities (per EU AI Act Art. 5).
- Untargeted scraping of facial images or unlawful biometric categorisation.
- Any use that unlawfully discriminates against people or groups.
- Using AI to make solely-automated decisions with legal or significant effects on people **without** the required safeguards (human review, explanation, contestability).
- Entering confidential, personal or regulated data into unapproved third-party AI tools.

Employees must use only **approved** AI tools for work and follow the acceptable-use standard.

## 10. Third-party & procurement governance

Before adopting third-party or embedded AI, [Organisation Name] shall:

- Perform vendor due diligence (security, data handling, model provenance, compliance posture).
- Require contractual commitments on data use, IP, transparency, incident notification and audit rights.
- Classify the third-party system’s risk and apply proportionate controls.
- Record the vendor and system in the AI inventory with a named internal owner.

## 11. Data protection, transparency & human oversight

- **Data protection** — where personal data is used, confirm a lawful basis, minimise data, and complete a DPIA where required.
- **Transparency** — tell people when they are interacting with AI; label AI-generated content where required; keep documentation current.
- **Human oversight** — design meaningful oversight for consequential systems: defined decision points, information to the reviewer, authority to override, and a tested stop/rollback mechanism.

## 12. Training & awareness

All staff receive AI awareness training appropriate to their role. People who build, procure or oversee AI receive deeper training on this policy, risk assessment and their obligations. Training is refreshed at least annually and on material regulatory change.

## Regulatory & framework mapping

This policy is designed to help the organisation align with the following instruments. Confirm which apply to your systems and jurisdictions.

| Framework / law | Jurisdiction | What this policy supports |
|---|---|---|
| EU AI Act (Reg. 2024/1689) | EU / EEA | Risk-management (Art. 9), data governance (Art. 10), documentation (Art. 11), logging (Art. 12), transparency (Art. 13), human oversight (Art. 14), accuracy/robustness (Art. 15), prohibited practices (Art. 5), transparency to users (Art. 50) |
| NIST AI RMF 1.0 | US / global | GOVERN, MAP, MEASURE and MANAGE functions |
| ISO/IEC 42001 | Global | AI management system (AIMS) — leadership, planning, operation, evaluation, improvement |
| ISO/IEC 23894 / ISO 31000 | Global | AI risk management guidance and principles |
| GDPR (incl. Art. 22) | EU / UK | Lawful basis, DPIAs, safeguards for solely-automated decisions |
| PIPEDA + OPC gen-AI principles | Canada (federal) | Valid consent for training data, transparency, accountability |
| Quebec Law 25 (s. 12.1) | Canada — Quebec | Notice, disclosure of factors, and human review of exclusively-automated decisions |
| OSFI Guideline E-23 (eff. 2027) | Canada (financial) | Model risk management across the lifecycle, incl. AI/ML |
| TBS Directive on ADM + AIA | Canada (federal gov) | Algorithmic Impact Assessment, notice, explanation, human intervention |

## 14. Monitoring, metrics & assurance

[Organisation Name] tracks the health of its AI governance through metrics such as: % of AI systems in the inventory, % with a current risk assessment, % of high-risk systems with an impact assessment, open AI risks by severity, and AI incidents and time-to-resolution. The AI Governance Lead reports these to the Committee and, at a summary level, to the Board.

## 15. Non-compliance

Breaches of this policy may result in a system being paused or withdrawn and, for individuals, in disciplinary action. Exceptions require a documented risk acceptance approved by the accountable executive.

## 16. Review

The AI Governance Lead reviews this policy at least annually and after any material regulatory change or serious incident, and submits changes to the accountable executive for approval.

## Appendix A — AI system inventory (maintain this register)

| System | Purpose | Owner | Data used | Risk tier | Last risk assessment | Status |
|---|---|---|---|---|---|---|
| [system] | [purpose] | [owner] | [data] | [tier] | [date] | [in dev / live / retired] |
|   |   |   |   |   |   |   |

## Appendix B — Linked documents

This policy is supported by: the **AI Risk Management Policy**, AI Data Governance Standard, Model Card / Technical Documentation, Logging & Record-Keeping Standard, Human Oversight Procedure, Bias & Fairness Audit Procedure, Incident Response Plan, and (where applicable) DPIA and Fundamental Rights Impact Assessment templates.


---

## Document control & approval

| Version | Date | Author | Approved by | Summary of change |
|---|---|---|---|---|
| 1.0 | [Date] | [Author] | [Approver] | Initial adoption |
|   |   |   |   |   |

**Sign-off**

- Policy owner: __________________________  Signature: ______________  Date: __________
- Accountable executive: __________________________  Signature: ______________  Date: __________
- Next review due: __________

> _This template was generated by **autogovern.io** as a professional starting point. Review and adapt it to your organisation, systems, sector and legal advice before adoption. It is an educational aid, not legal advice._