AI Policy — Organizational Governance Document for AI Use

Definition

An AI policy is a formal organizational document that establishes the principles, requirements, boundaries, and accountability structures governing how AI is used within the organization. It defines acceptable and unacceptable uses of AI, establishes decision-making authority over AI deployments, sets requirements for AI system evaluation and approval, addresses data governance for AI, and communicates the organization’s ethical commitments regarding AI to employees, partners, and stakeholders.

An AI policy operates at the intersection of governance and operations: it translates board-level risk appetite and ethical commitments into operational requirements for the teams developing, procuring, and deploying AI systems. Effective AI policies include: scope (which AI systems and uses are covered); principles and values guiding AI use; acceptable use requirements and prohibited uses; approval and review processes for AI deployments; data governance requirements for AI; accountability and roles; compliance monitoring mechanisms; and employee obligations and training requirements.

ISO/IEC 42001 requires that organizations establish an AI policy as a documented governance artifact that is approved by top management, communicated within the organization, and available to interested parties. The policy is a foundational document of the AI Management System.

Why it matters operationally

AI policy matters because it is the organizational artifact that translates abstract AI governance principles into operational requirements. Without an AI policy, employees making day-to-day decisions about AI use — which tools to use, what data to process, how to deploy a model — have no documented organizational guidance. Each decision is made individually, inconsistently, and without the accountability trail that governance requires.

The distinction between an effective and an ineffective AI policy is operationalization. A policy that is approved and published but unknown to the employees it covers, not integrated into procurement and deployment processes, and not referenced in accountability reviews is a communications artifact, not a governance instrument. ISO/IEC 42001 certification evaluates whether the AI policy is genuine governance infrastructure — known, applied, and auditable.

Regulatory framework

Framework AI Policy requirements
ISO/IEC 42001 — Clause 5.2 Requires top management to establish an AI policy that is appropriate to the organization’s purpose, includes compliance commitments, provides a framework for setting AIMS objectives, and is communicated and implemented.
EU AI Act For high-risk systems, responsible AI use policies are part of the governance documentation that regulators and notified bodies expect to see.
NIST AI RMF — Govern The Govern function requires AI risk management policies expressing the organization’s risk appetite and values.

How Zertia evaluates it

Zertia evaluates AI policy as a foundational element of ISO/IEC 42001 certification. The audit assesses whether the policy meets Clause 5.2 requirements: top management approval, appropriate scope, inclusion of commitment to compliance and continual improvement, communication to relevant parties, and integration into operational processes. For organizations building AI governance from scratch, TTGI (The Tech Governance Institute) offers practical AI governance training for executives and teams building the policy and governance infrastructure.

[ISO 42001 Certification] · TTGI AI Governance Training — [ttgi.tech]

Definitions that hold up under audit.

Does this term apply to your certification project? Let's talk 30 minutes, no commercial pressure.