Free Consultation

AI Governance Policy

A ready-to-use template — fill in the bracketed placeholders and adopt it in your organisation.

AI Governance Policy

Field Detail
Organisation [Organisation Name]
Document type Policy — approved, mandatory
Framework basis ISO/IEC 42001 · EU AI Act · NIST AI RMF (GOVERN) · OECD AI Principles
Owner [Policy owner — e.g. AI Governance Lead]
Approved by [Accountable executive / Board]
Version / status v1.0 — DRAFT for adoption
Effective date [Date]
Next review [Date — at least annually]
Classification Internal
Prepared with autogovern.io — AI governance & risk templates

1. Purpose

This policy establishes how [Organisation Name] governs the responsible development, procurement, deployment and use of artificial intelligence (AI). It sets the principles, accountabilities, structures and controls that ensure every AI system is lawful, ethical, safe, fair, transparent and under meaningful human control throughout its lifecycle. It is the top-level policy of the organisation’s AI Management System (AIMS) and all other AI standards, procedures and registers sit beneath it.

2. Objectives

  • Enable [Organisation Name] to adopt AI confidently while managing legal, ethical and operational risk.
  • Establish clear ownership and accountability for every AI system.
  • Ensure compliance with applicable AI laws and alignment to recognised frameworks.
  • Build and maintain the trust of customers, employees, regulators and the public.
  • Make governance repeatable and auditable, not ad hoc.

3. Scope

This policy applies to:

  • All AI systems built in-house, procured, embedded in third-party products, or accessed as a service (including generative AI and AI agents).
  • The full lifecycle — ideation, design, data sourcing, development, validation, deployment, operation, monitoring and decommissioning.
  • Everyone who designs, builds, buys, deploys, operates, oversees or uses AI on behalf of [Organisation Name], including employees, contractors and third parties acting for the organisation.

4. Definitions

Term Meaning
AI system A machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs such as predictions, content, recommendations or decisions.
Generative AI (GenAI) AI that produces content — text, image, audio, video, code — from prompts.
AI agent An AI system that can take actions (call tools, transact, change state) with some autonomy, not just produce outputs.
Provider / Deployer The party that develops/places an AI system on the market (provider) vs. the party that uses it under its authority (deployer).
Risk tier The classification of a system’s risk (e.g. EU AI Act: prohibited / high / limited / minimal).
AIMS AI Management System — the governance framework, roles and processes that manage AI (ISO/IEC 42001).
System / Model owner The named individual accountable for a specific AI system meeting this policy.

5. Governing principles

Every AI system at [Organisation Name] shall uphold these principles:

  1. Accountability — every system has a named owner and a clear chain of responsibility to an accountable executive.
  2. Lawfulness & compliance — systems are mapped to, and meet, all applicable legal obligations.
  3. Fairness & non-discrimination — systems are tested for unfair bias and do not produce discriminatory outcomes.
  4. Transparency & explainability — the use of AI is disclosed; decisions can be explained to an appropriate degree; documentation is maintained.
  5. Safety & robustness — systems are tested, monitored and resilient to error, misuse and adversarial conditions.
  6. Human oversight — a person can understand, oversee, intervene in and stop each system; humans remain responsible for outcomes.
  7. Privacy & data protection — personal data is used lawfully, minimally and securely.
  8. Security — systems, models and data are protected against unauthorised access, manipulation and exfiltration.
  9. Accuracy & reliability — systems meet defined performance targets appropriate to their use.
  10. Sustainability & proportionality — AI is used where it adds value, proportionate to the risk it creates.

6. Governance structure & roles

Body / role Responsibility
Board / accountable executive Owns the organisation’s AI risk appetite; approves this policy; receives regular assurance; accountable for material AI decisions.
AI Governance Committee Cross-functional forum (Risk, Legal/DPO, Security, Product, Data/ML, HR) that reviews high-risk systems, exceptions and incidents; meets at a defined cadence.
AI Governance Lead Runs the AIMS day-to-day; maintains the AI inventory; chairs the Committee; reports to the accountable executive.
System / Model owners Accountable for their AI system meeting this policy across its lifecycle, including risk assessment, controls and monitoring.
Risk & Compliance Advises on obligations; maintains regulatory mapping; assures controls.
Legal / DPO Confirms lawful basis, data-protection and regulatory obligations; owns automated-decision safeguards.
Security Owns AI/ML security controls, threat modelling and monitoring.
Data / ML teams Implement data governance, testing, documentation and monitoring.
All staff Use AI within the acceptable-use rules; complete required training; report concerns and incidents.

RACI (adapt to your organisation)

Activity Board Gov. Lead System owner Risk/Legal
Approve AI policy & appetite A R C C
Maintain AI inventory I A R C
Classify & risk-assess a system I C R A
Approve high-risk go-live A C R C
Monitor systems in production I C R I
Handle AI incidents I A R C

R = Responsible · A = Accountable · C = Consulted · I = Informed.

7. The AI Management System (AIMS)

[Organisation Name] operates a management system for AI aligned to ISO/IEC 42001:

  1. Inventory — maintain a register of every AI system: purpose, owner, data used, risk tier and status (see Appendix A).
  2. Classification & risk assessment — classify every system by risk tier and complete an AI risk assessment (per the AI Risk Management Policy) before deployment.
  3. Controls — apply a control set proportionate to the tier (data governance, documentation, logging, transparency, human oversight, testing, security).
  4. Impact assessment — complete an AI system impact assessment (and a DPIA / FRIA where applicable) for higher-risk systems.
  5. Monitoring & audit — monitor systems in production and audit the AIMS at least annually.
  6. Improvement — record nonconformities, incidents and lessons learned, and act on them.

8. AI system lifecycle & stage gates

Every AI system passes through governed stages, each with a gate that must be cleared before proceeding:

Stage Key governance activity Gate to pass
Ideate / propose Define purpose, value and affected people; screen against prohibited uses Use case approved & logged in inventory
Design Risk classification; design controls; privacy-by-design Risk tier assigned; control plan agreed
Data Source, document and quality-check data; bias examination; lawful basis Data governance sign-off
Build / train Develop with security and documentation; model card started Technical documentation in progress
Validate Accuracy, robustness, security and fairness testing Test results meet targets; fairness gate passed
Approve / deploy Impact assessment; human-oversight design; owner sign-off Go-live approval (executive sign-off for high-risk)
Operate / monitor Monitoring, logging, drift & fairness tracking, incident readiness Monitoring live; runbook in place
Retire Decommission safely; retain records; notify affected parties Decommission approved & recorded

9. Acceptable use & prohibited practices

[Organisation Name] shall not develop, deploy or use AI for practices that are prohibited by law or by this policy, including:

  • Social scoring, manipulative or subliminal techniques, or exploitation of vulnerabilities (per EU AI Act Art. 5).
  • Untargeted scraping of facial images or unlawful biometric categorisation.
  • Any use that unlawfully discriminates against people or groups.
  • Using AI to make solely-automated decisions with legal or significant effects on people without the required safeguards (human review, explanation, contestability).
  • Entering confidential, personal or regulated data into unapproved third-party AI tools.

Employees must use only approved AI tools for work and follow the acceptable-use standard.

10. Third-party & procurement governance

Before adopting third-party or embedded AI, [Organisation Name] shall:

  • Perform vendor due diligence (security, data handling, model provenance, compliance posture).
  • Require contractual commitments on data use, IP, transparency, incident notification and audit rights.
  • Classify the third-party system’s risk and apply proportionate controls.
  • Record the vendor and system in the AI inventory with a named internal owner.

11. Data protection, transparency & human oversight

  • Data protection — where personal data is used, confirm a lawful basis, minimise data, and complete a DPIA where required.
  • Transparency — tell people when they are interacting with AI; label AI-generated content where required; keep documentation current.
  • Human oversight — design meaningful oversight for consequential systems: defined decision points, information to the reviewer, authority to override, and a tested stop/rollback mechanism.

12. Training & awareness

All staff receive AI awareness training appropriate to their role. People who build, procure or oversee AI receive deeper training on this policy, risk assessment and their obligations. Training is refreshed at least annually and on material regulatory change.

Regulatory & framework mapping

This policy is designed to help the organisation align with the following instruments. Confirm which apply to your systems and jurisdictions.

Framework / law Jurisdiction What this policy supports
EU AI Act (Reg. 2024/1689) EU / EEA Risk-management (Art. 9), data governance (Art. 10), documentation (Art. 11), logging (Art. 12), transparency (Art. 13), human oversight (Art. 14), accuracy/robustness (Art. 15), prohibited practices (Art. 5), transparency to users (Art. 50)
NIST AI RMF 1.0 US / global GOVERN, MAP, MEASURE and MANAGE functions
ISO/IEC 42001 Global AI management system (AIMS) — leadership, planning, operation, evaluation, improvement
ISO/IEC 23894 / ISO 31000 Global AI risk management guidance and principles
GDPR (incl. Art. 22) EU / UK Lawful basis, DPIAs, safeguards for solely-automated decisions
PIPEDA + OPC gen-AI principles Canada (federal) Valid consent for training data, transparency, accountability
Quebec Law 25 (s. 12.1) Canada — Quebec Notice, disclosure of factors, and human review of exclusively-automated decisions
OSFI Guideline E-23 (eff. 2027) Canada (financial) Model risk management across the lifecycle, incl. AI/ML
TBS Directive on ADM + AIA Canada (federal gov) Algorithmic Impact Assessment, notice, explanation, human intervention

14. Monitoring, metrics & assurance

[Organisation Name] tracks the health of its AI governance through metrics such as: % of AI systems in the inventory, % with a current risk assessment, % of high-risk systems with an impact assessment, open AI risks by severity, and AI incidents and time-to-resolution. The AI Governance Lead reports these to the Committee and, at a summary level, to the Board.

15. Non-compliance

Breaches of this policy may result in a system being paused or withdrawn and, for individuals, in disciplinary action. Exceptions require a documented risk acceptance approved by the accountable executive.

16. Review

The AI Governance Lead reviews this policy at least annually and after any material regulatory change or serious incident, and submits changes to the accountable executive for approval.

Appendix A — AI system inventory (maintain this register)

System Purpose Owner Data used Risk tier Last risk assessment Status
[system] [purpose] [owner] [data] [tier] [date] [in dev / live / retired]

Appendix B — Linked documents

This policy is supported by: the AI Risk Management Policy, AI Data Governance Standard, Model Card / Technical Documentation, Logging & Record-Keeping Standard, Human Oversight Procedure, Bias & Fairness Audit Procedure, Incident Response Plan, and (where applicable) DPIA and Fundamental Rights Impact Assessment templates.


Document control & approval

Version Date Author Approved by Summary of change
1.0 [Date] [Author] [Approver] Initial adoption

Sign-off

  • Policy owner: __________________________ Signature: ______________ Date: __________
  • Accountable executive: __________________________ Signature: ______________ Date: __________
  • Next review due: __________

This template was generated by autogovern.io as a professional starting point. Review and adapt it to your organisation, systems, sector and legal advice before adoption. It is an educational aid, not legal advice.