Answer yes if Machine Learning or Generative AI models are used anywhere within your organisation. This includes the use of AI features or capabilities embedded in your supplier’s services or any SaaS tools your people use (e.g. Google Gemini or Microsoft’s Copilot). Unless it has been specifically prohibited and the restriction technically enforced, it is likely that AI is being used somewhere within your organisation and you should answer yes to this question.
An Artificial Intelligence (AI) Policy defines your organisation’s rules and expectations for the responsible use and management of AI tools and technologies. AI introduces new and unique risks, including confidential data leakage, bias, misuse of generative AI tools, and reliance on unverified outputs. An AI Policy outlines your organisation’s objectives for AI use, how sensitive data must be handled within these systems, and the safeguards in place to prevent harm, misuse, or regulatory non-compliance.
An AI Policy provides assurance that AI tools and technologies are fully integrated into your organisation’s governance structure, as with other critical policies. It provides assurance to clients and stakeholders that your organisation is aligning with emerging regulations and industry best practices for AI governance and security, reducing the risks of doing business with you.
It also gives your leadership and board confidence that your own data is being managed securely, avoiding unnecessary legal, regulatory, or reputational exposure. At the same time, it reassures clients that their sensitive data will not be misused, exposed, or leveraged in ways that could cause negative outcomes or reputational damage.
It is important to develop an AI Policy that reflects your organisation’s specific use of AI tools and technologies. Ideally, the policy should align with recognised AI security or governance frameworks, such as the NIST AI Risk Management Framework or the EU AI Act, as well as industry-specific standards relevant to your sector.
You may seek the assistance of specialist consultancies or independent advisors to help craft an AI Policy that meets your business requirements.