Published 11 June 2026
Employees use AI, with or without permission. Study after study shows that a large share of workplace AI use happens out of the organisation’s sight. An AI policy turns that shadow use into an agreement: this is allowed, this is not, and here is where you go with questions.
Why now
Two reasons. Practical: the longer you wait, the more habits you have to unwind. Legal: the EU AI Act has required demonstrable AI literacy since February 2025, and Dutch enforcement starts 2 August 2026. The policy is the document that shows you have this in place.
The template structure
A workable AI policy fits on two pages and answers six questions:
- Which tools are allowed? A concrete list: for example ChatGPT Team, Copilot via the company account, and the AI features in your own software. Plus the agreement on how a new tool gets added.
- Which data may go in? The most important article. Rule of thumb: no personal data and no confidential company information in tools without a data processing agreement. Name what counts as confidential, with examples.
- How do we check output? AI output is a draft, not a final product. Agree who reviews before anything goes to a client, into a contract or into a publication.
- How are we transparent? When do we tell customers they are dealing with AI (chatbots, generated content)? The AI Act sets requirements here.
- Who is responsible? One owner for the policy, one point of contact for questions and incidents.
- How do we stay literate? How new employees get trained and how often the policy is reviewed. This is your Article 4 paragraph.
The step-by-step plan
1. Inventory actual use
Ask teams what they already use, without consequences. The goal is a policy that matches reality, not a paper world.
2. Write the first version short
Use the six questions above. Write prohibitions as concretely as possible (“no client names in public chatbots”) rather than abstractly (“handle data carefully”).
3. Test it with the users
Put the draft in front of the people who work with AI daily. Any rule that proves unworkable will simply be ignored later; better to adjust now.
4. Pair it with training
A policy without training is a document; together they are compliance. AI literacy training introduces the policy and covers the legal literacy obligation at the same time, with certificates and documentation.
5. Review every six months
AI tools and regulation change fast. Put a six-monthly review in the calendar and keep a change log; that log is gold when a regulator asks questions.
Need help?
We draft AI policies together with organisations, usually as part of an AI readiness assessment or paired with literacy training. One session with the right people at the table is often enough for a first version that has support.
Frequently asked questions
Is an AI policy legally required?
The AI Act does not prescribe a separate policy document, but it does require demonstrable AI literacy (Article 4) and transparency. Without documented agreements you cannot demonstrate either. That makes an AI policy practically indispensable, even though the word is not in the law.
How long should an AI policy be?
Two pages is enough for most organisations. A policy nobody reads does not work; choose short, concrete and findable over legally exhaustive.
Who should write the AI policy?
Make one person the owner, usually whoever covers IT or compliance, but draft it with the people who use AI daily. Policy imposed from above without practical knowledge gets worked around.