Executive Summary
- An AI governance policy establishes the rules, processes, and accountability structures for AI use in your organization
- This template provides a complete, customizable framework you can adapt to your context
- Key sections include: purpose, scope, principles, roles, acceptable use, risk management, and compliance
- Customize the template based on your industry, size, and AI maturity
- Review and update your policy at least annually, or when significant changes occur
- A policy without implementation is useless—plan for training and enforcement
- This template aligns with Singapore's Model AI Governance Framework and general best practices
Why This Matters Now
Every organization using AI needs a governance policy. Without one:
- Employees don't know what's acceptable
- Risks go unmanaged and ownership unclear
- Compliance requirements can't be demonstrated
- Incidents have no playbook for response
- AI expansion happens without oversight
A good policy isn't bureaucratic filler—it's the operating manual for responsible AI use. It protects your organization while enabling appropriate AI adoption.
How to Use This Template
- Read through the complete template to understand all sections
- Customize the bracketed text [like this] with your organization's specifics
- Add or remove sections based on your needs (simpler for smaller orgs, more detailed for regulated industries)
- Review with legal counsel to ensure alignment with your jurisdiction
- Obtain executive approval before publishing
- Communicate widely and train staff on requirements
- Review annually and update as needed
AI Governance Policy Template
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[ORGANIZATION NAME]
AI GOVERNANCE POLICY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Document Information
--------------------
Version: [1.0]
Effective Date: [Date]
Owner: [Title/Name]
Approved By: [Title/Name]
Review Date: [Annual review date]
Classification: [Internal / Confidential]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. PURPOSE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1.1 This policy establishes the governance framework for the
development, procurement, deployment, and use of artificial
intelligence (AI) systems at [Organization Name].
1.2 The objectives of this policy are to:
a) Enable responsible AI adoption that creates business value
b) Manage risks associated with AI systems
c) Ensure compliance with applicable laws and regulations
d) Protect stakeholders from potential AI-related harms
e) Establish clear accountability for AI decisions
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2. SCOPE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2.1 This policy applies to:
a) All employees, contractors, and third parties acting on
behalf of [Organization Name]
b) All AI systems developed internally
c) All AI systems procured from third-party vendors
d) All AI features embedded in existing software
e) All use of generative AI tools (including ChatGPT, Claude,
Copilot, and similar services)
2.2 Definitions
"AI System" means any software that uses machine learning,
deep learning, natural language processing, or other
techniques to perform tasks that typically require human
intelligence.
"Generative AI" means AI systems that create new content
including text, images, code, audio, or video.
"AI Risk" means potential negative outcomes resulting from
AI system behavior, including errors, bias, security
vulnerabilities, or unintended consequences.
"High-Risk AI" means AI applications that significantly
affect individual rights, safety, or have substantial
business impact.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
3. AI GOVERNANCE PRINCIPLES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
3.1 Human-Centered AI
AI systems shall augment human capabilities, not replace
human judgment on consequential decisions. Humans remain
accountable for AI-influenced outcomes.
3.2 Transparency
We shall be clear with employees, customers, and partners
about when and how AI is used. We shall provide explanations
of AI decisions when they significantly affect individuals.
3.3 Fairness
We shall design and monitor AI systems to prevent unfair
bias and discrimination. We shall assess AI outcomes for
disparate impact on different groups.
3.4 Security and Privacy
We shall protect AI systems and the data they use from
unauthorized access. We shall respect individual privacy
and comply with data protection regulations.
3.5 Reliability
We shall ensure AI systems perform as intended and implement
safeguards against harmful outputs. We shall test thoroughly
before deployment and monitor continuously.
3.6 Accountability
We shall maintain clear ownership and accountability for all
AI systems. We shall document AI decisions and maintain audit
trails for compliance and review.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4. ROLES AND RESPONSIBILITIES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4.1 Executive Leadership
a) Sets strategic direction for AI adoption
b) Ensures adequate resources for AI governance
c) Reviews AI governance effectiveness annually
d) Approves high-risk AI deployments
4.2 AI Governance Committee
a) Oversees implementation of this policy
b) Reviews and approves AI risk assessments
c) Monitors AI incidents and remediation
d) Recommends policy updates
e) Reports to executive leadership quarterly
4.3 AI Governance Lead / Officer
a) Coordinates day-to-day governance activities
b) Maintains AI inventory and [risk register](/insights/ai-risk-register-template)
c) Facilitates governance committee meetings
d) Manages AI governance communications and training
e) Serves as primary contact for AI governance questions
4.4 Business Unit Leaders
a) Ensure compliance with this policy in their units
b) Identify and escalate AI risks
c) Designate AI owners for systems in their domain
d) Participate in AI risk assessments
4.5 AI System Owners
a) Accountable for specific AI systems
b) Ensure systems comply with this policy
c) Conduct or coordinate risk assessments
d) Monitor system performance and incidents
e) Maintain documentation
4.6 All Employees
a) Use AI systems in accordance with this policy
b) Report AI-related concerns or incidents
c) Complete required AI training
d) Protect confidential information when using AI
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
5. ACCEPTABLE USE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
5.1 Approved AI Systems
Only AI systems that have been approved through the AI
approval process (Section 6) may be used for business
purposes. Approved systems are listed in the AI Inventory.
5.2 Generative AI Guidelines
When using approved generative AI tools:
PERMITTED:
a) Drafting content for human review and editing
b) Research and information gathering (verify accuracy)
c) Code assistance and debugging
d) Brainstorming and ideation
e) Administrative task automation
PROHIBITED:
a) Inputting confidential or sensitive information
b) Inputting personal data without authorization
c) Generating content without human review before use
d) Making consequential decisions based solely on AI output
e) Creating deceptive or misleading content
f) Bypassing security or compliance controls
5.3 Data Protection
a) Do not input confidential information into external AI
b) Do not input personal data without appropriate consent
c) Anonymize data before AI processing when possible
d) Follow data classification guidelines
5.4 Intellectual Property
a) Do not input proprietary code, designs, or trade secrets
b) Review AI-generated content for potential IP issues
c) Retain rights to AI-generated content per vendor terms
d) Attribute AI-generated content as required
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6. AI APPROVAL PROCESS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6.1 All new AI systems require approval before deployment.
6.2 Approval Process
Step 1: Request Submission
Complete AI System Request Form including:
- Business purpose and use case
- Data requirements
- Vendor information (if applicable)
- Preliminary [risk assessment](/insights/ai-risk-assessment-framework-templates)
Step 2: Review
AI Governance Lead reviews request and conducts:
- Security assessment
- Privacy assessment
- Vendor due diligence (if applicable)
- Risk classification
Step 3: Approval
- Low-risk: AI Governance Lead approval
- Medium-risk: AI Governance Committee approval
- High-risk: Executive approval required
Step 4: Documentation
- Add to AI Inventory
- Document in risk register
- Assign system owner
6.3 Risk Classification
LOW RISK
- Internal productivity tools
- No personal data processing
- No customer-facing application
- No significant business impact if failure
MEDIUM RISK
- Customer-facing applications
- Personal data processing (non-sensitive)
- Business process automation
- Moderate impact if failure
HIGH RISK
- Decisions affecting individual rights
- Sensitive personal data processing
- Regulated activities
- Significant financial or reputational impact
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
7. RISK MANAGEMENT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
7.1 Risk Assessment
All AI systems shall undergo risk assessment:
- Before initial deployment
- When significant changes occur
- Annually for ongoing systems
- Following incidents
7.2 Risk Register
The AI Governance Lead shall maintain a risk register
documenting:
- Identified risks for each AI system
- Risk ratings (likelihood and impact)
- Mitigation measures
- Risk owners
- Status of mitigation actions
7.3 Monitoring
AI systems shall be monitored for:
- Performance against expected outcomes
- Bias and fairness metrics
- Security events
- User complaints or concerns
- Regulatory compliance
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
8. VENDOR MANAGEMENT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
8.1 AI Vendor Due Diligence
Before procuring third-party AI systems:
a) Assess vendor security practices
b) Review data handling and privacy terms
c) Verify compliance certifications
d) Evaluate AI model transparency
e) Confirm support and SLA commitments
8.2 Contractual Requirements
AI vendor contracts shall address:
a) Data protection obligations
b) Security requirements
c) AI model training data restrictions
d) Audit rights
e) Incident notification obligations
f) Liability allocation
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
9. INCIDENT MANAGEMENT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
9.1 AI incidents include:
a) AI system producing harmful or inappropriate outputs
b) Bias or discrimination identified in AI decisions
c) Security breach involving AI systems
d) Data leakage through AI tools
e) Regulatory inquiry related to AI
9.2 Incident Response
a) Report incidents immediately to AI Governance Lead
b) AI Governance Lead assesses severity
c) Escalate to Governance Committee as needed
d) Implement containment measures
e) Conduct root cause analysis
f) Document lessons learned
g) Update controls and processes
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
10. COMPLIANCE AND AUDIT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
10.1 Regulatory Compliance
AI systems shall comply with:
a) Personal Data Protection Act (PDPA) [or applicable law]
b) Sector-specific regulations
c) Applicable AI governance frameworks
d) Contractual obligations
10.2 Internal Audit
AI governance shall be included in internal audit scope
covering:
a) Policy compliance
b) Risk management effectiveness
c) Approval process adherence
d) Documentation completeness
10.3 Documentation Requirements
Maintain documentation for:
a) AI system inventory
b) Risk assessments
c) Approval decisions
d) Monitoring results
e) Incidents and resolutions
f) Training records
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
11. TRAINING AND AWARENESS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
11.1 Training Requirements
a) All employees: AI Awareness training (annual)
b) AI users: Tool-specific training (as needed)
c) AI system owners: Governance responsibilities
d) Leadership: AI risk briefings (quarterly)
11.2 Communication
a) Policy published on internal portal
b) Updates communicated via [channels]
c) Governance contact available for questions
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
12. POLICY ADMINISTRATION
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
12.1 Policy Owner
This policy is owned by [Title] who is responsible for
its maintenance and review.
12.2 Review Cycle
This policy shall be reviewed:
a) Annually at minimum
b) Following significant AI incidents
c) When regulations change
d) When AI strategy changes materially
12.3 Exceptions
Exceptions to this policy require:
a) Written request with business justification
b) Risk assessment of exception
c) Approval from [authority level]
d) Time-limited scope with review date
12.4 Non-Compliance
Violations of this policy may result in:
a) Revocation of AI access
b) Disciplinary action per HR policies
c) Contractual consequences for third parties
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
APPENDICES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Appendix A: AI System Request Form
Appendix B: AI Risk Assessment Template
Appendix C: AI Vendor Due Diligence Checklist
Appendix D: AI Incident Report Template
Appendix E: AI System Inventory Template
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
DOCUMENT HISTORY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | [Date] | [Name] | Initial release |
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Implementation Tips
1. Don't Just Publish—Communicate
A policy in a folder is useless. Launch with:
- All-hands announcement
- Team briefings by managers
- FAQ document
- Clear contact for questions
2. Start with Training
Train before enforcement. People can't follow rules they don't understand.
3. Make Compliance Easy
Provide templates, checklists, and clear processes. If compliance is hard, people will work around it.
4. Enforce Consistently
Selective enforcement undermines policy credibility. Apply rules consistently across all levels.
5. Iterate Based on Feedback
Collect feedback during the first 90 days. Adjust policy where it creates unnecessary friction without improving risk management.
Frequently Asked Questions
Can I use this template as-is?
The template is designed to be customized. Review each section for relevance to your organization and adjust the bracketed text to your specifics.
Should I have legal review this?
Yes. Have legal counsel review the customized policy before approval, especially sections related to liability, compliance, and employment matters.
How long should the policy be?
As long as necessary to be clear, and no longer. For smaller organizations, you might streamline to 3-4 pages. For complex, regulated organizations, 10+ pages may be appropriate.
What if we're just starting with AI?
Even early-stage organizations need a basic policy. Start with a simpler version covering acceptable use and data protection, then expand as AI usage grows.
Next Steps
Download the template, customize it for your organization, and begin the approval process. Remember: a policy is just the beginning. Implementation, training, and consistent enforcement make it meaningful.
Book an AI Readiness Audit with Pertama Partners for help customizing governance frameworks to your specific needs.
Related Reading
- AI Governance 101: What It Is and Why It Matters
- How to Set Up an AI Governance Committee
- AI Governance for Small Business: A No-Bureaucracy Approach
Frequently Asked Questions
A comprehensive AI governance policy should include principles, scope definitions, risk classification frameworks, approval workflows, acceptable use guidelines, roles and responsibilities, monitoring mechanisms, and compliance reporting requirements.
Start with the template framework and adapt it to your organization's size, industry, risk appetite, and existing governance structures. Ensure alignment with your enterprise risk management framework and regulatory requirements.
Typically, a Chief AI Officer, Chief Data Officer, or Chief Risk Officer owns the policy, with input from legal, compliance, IT, and business units. The board should provide oversight and approval.
