What is AI Policy?

What is AI Policy?

AI Policy refers to the documented rules, guidelines, and procedures that an organisation establishes to govern its use of artificial intelligence. It covers the entire AI lifecycle, from evaluating whether to adopt AI for a particular use case, through development and procurement, to deployment, monitoring, and eventual retirement.

For business leaders, an AI policy is the practical document that translates your organisation's AI governance principles into actionable rules. While governance provides the strategic framework, policy provides the specific instructions that your teams follow day to day.

Why Your Organisation Needs an AI Policy

Without a clear AI policy, AI adoption tends to happen in an uncoordinated fashion. Individual teams adopt AI tools based on their own judgement, without consistent standards for data handling, security, fairness, or vendor evaluation. This creates several problems:

• Inconsistent risk management: Different teams may apply different standards, leaving some AI applications inadequately governed.
• Regulatory exposure: Without clear policies, it is difficult to demonstrate compliance with data protection laws and AI governance requirements across your ASEAN operating markets.
• Shadow AI: Employees may use AI tools, particularly generative AI services, without organisational approval or awareness, creating data security and intellectual property risks.
• Wasted resources: Without policy-level guidance on AI priorities and standards, teams may invest in tools that do not align with organisational strategy or that duplicate existing capabilities.

Core Components of an AI Policy

Acceptable Use Guidelines

Define what AI tools and applications are approved for use within the organisation, what restrictions apply, and what activities are prohibited. This is especially important in the era of generative AI, where employees may use tools like chatbots, image generators, or code assistants without realising the data security implications.

Data Handling Requirements

Specify how data used in AI systems must be collected, stored, processed, and disposed of. This includes consent requirements, data quality standards, retention periods, and compliance with data protection regulations across your operating markets.

Procurement and Vendor Standards

Establish criteria for evaluating and selecting AI vendors, including requirements for model transparency, data handling practices, security standards, and liability provisions. Define the review and approval process for bringing new AI tools into the organisation.

Development Standards

If your organisation builds AI systems internally, specify the standards for model development, including data documentation, bias testing, security review, and approval processes before deployment. Reference established frameworks such as Singapore's AI Verify where applicable.

Risk Classification

Define categories of AI risk and the governance requirements associated with each category. High-risk applications, such as those that make decisions affecting individuals' access to credit, employment, or services, should require more rigorous review and oversight than lower-risk applications like internal analytics.

Roles and Responsibilities

Clearly define who is responsible for AI governance within the organisation. This includes identifying who approves new AI deployments, who monitors ongoing operations, who handles incidents, and who is accountable for policy compliance.

Developing an AI Policy for Southeast Asia

AI policy development must account for the specific regulatory, cultural, and business environments of the markets you operate in.

Regulatory alignment: Your policy should reference and comply with relevant regulations across your ASEAN markets. This includes Singapore's PDPA and Model AI Governance Framework, Indonesia's Personal Data Protection Act, Thailand's PDPA, and any sector-specific regulations that apply to your industry.

Multi-market consistency: If you operate across multiple ASEAN countries, design your policy to meet the strictest applicable requirements while allowing for market-specific adaptations where necessary. This avoids the complexity of maintaining entirely separate policies for each market.

Language accessibility: Ensure your AI policy is available in the languages your employees use. A policy that exists only in English is ineffective for teams in Indonesia, Thailand, or Vietnam.

Cultural sensitivity: AI policy should reflect local norms around data privacy, decision-making authority, and communication. What constitutes appropriate AI use may vary across markets, and your policy should acknowledge these differences.

Implementation and Maintenance

1. Start with what matters most: You do not need a comprehensive AI policy on day one. Start with acceptable use guidelines for generative AI, data handling requirements, and vendor evaluation criteria. Expand from there.
2. Involve stakeholders: Develop your policy with input from legal, compliance, IT, data teams, and business units. A policy written in isolation will miss important perspectives.
3. Communicate broadly: Publish your policy prominently, conduct training sessions, and ensure every employee understands the key requirements. A policy that people do not know about is a policy that does not work.
4. Enforce consistently: Apply your AI policy consistently across the organisation. Selective enforcement undermines the policy's credibility and creates governance gaps.
5. Review regularly: Update your policy at least semi-annually to account for regulatory changes, new AI capabilities, and lessons learned from your organisation's AI operations.
6. Measure compliance: Establish mechanisms to track whether teams across the organisation are adhering to your AI policy. Regular compliance assessments help identify gaps before they become incidents and demonstrate to regulators that your policy is enforced, not just documented.