AIG-001 AI Policy
Description
A documented AI policy exists that states the organisation's principles, risk appetite, and governance structure for developing and using AI systems. The policy addresses prohibited uses, accountability, and alignment with applicable laws. It is reviewed and approved at defined intervals (at minimum annually) and communicated to all relevant personnel.
Rationale
Establishes the foundational direction and accountability structure for all AI activity in the organisation.
Framework Mappings (7)
| Framework reference | Requirement | Coverage |
| --- | --- | --- |
| EU-AI-Art.17.1 | Quality Management System — Establishment and Documentation | partial |
| A.2.2 | AI policy | full |
| A.2.3 | Alignment with other organizational policies | partial |
| A.2.4 | Review of the AI policy | full |
| GOVERN 1.1 | Legal and Regulatory AI Requirements | full |
| GOVERN 1.2 | Trustworthy AI Characteristics Integration | full |
| GOVERN 1.4 | Transparent Risk Management Policies | full |
Evidence (2)
AI governance policy or charter defining the organisation's principles, accountability structure, prohibited uses, and risk appetite for AI systems, reviewed and approved within the last 12 months.
Example: AI Governance Policy v2.1 (Confluence), approved by CTO on 2025-10-01, covering prohibited use cases, executive accountability matrix, and annual review obligation
Test: Request the AI governance policy. Verify: (1) a named executive is designated as sponsor, (2) prohibited AI use cases are enumerated, (3) accountability for AI risk decisions is assigned to specific roles, (4) a review cadence is stated, (5) the most recent approval date is within the last 12 months, (6) the policy has been formally communicated to relevant personnel (distribution record or training completion report).
Annual AI policy review record demonstrating the policy was assessed against current AI activity, applicable law, and organisational changes, with sign-off by the accountable executive.
Example: AI Policy Annual Review Record 2025 (SharePoint), signed by CTO, confirming no material changes required with rationale documented
Test: Request the most recent AI policy review record. Verify: (1) review date is within the last 12 months, (2) the review considered changes to AI systems in production, (3) any required amendments were actioned, (4) sign-off by the named executive sponsor is present.
Questions (2)
Does your organisation have a documented AI governance policy or charter?
The policy should be formally approved by an executive sponsor, enumerate prohibited AI use cases, assign accountability for AI risk decisions, and specify a review cadence. Absence of a policy is a foundational gap that downstream controls cannot compensate for.
Which of the following topics does your AI governance policy cover?
A mature policy covers all six areas. Policies limited to high-level principles without accountability assignments or prohibited use lists provide weak governance foundations for enterprise buyers.