Skip to main content
AI Standard of Care
  1. AI Legal Resources/

AI Governance Policy Template

·16 mins
Resources AI Governance Policy Template AI Ethics Risk Management Compliance Organizational Policy
Table of Contents

Why AI Governance Policies Matter
#

Every organization using AI needs a governance framework. Without one, AI deployment decisions happen ad hoc, different teams use different standards, risks go unassessed, and accountability is unclear.

The consequences of ungoverned AI are increasingly severe:

  • Legal liability from discriminatory or harmful AI decisions
  • Regulatory penalties under emerging AI laws
  • Reputational damage from AI failures
  • Inconsistent practices across the organization
  • Inability to demonstrate due diligence when challenged

This template provides a comprehensive framework for organizational AI governance. Adapt it to your organization’s size, industry, and risk profile.

How to Use This Template
#

This template is designed to be adapted, not adopted verbatim. Every organization is different. A 50-person startup has different needs than a Fortune 500 company.

Customization guidance:

  • Sections in [brackets] need organization-specific information
  • Optional sections are marked, include based on your needs
  • Scaling notes indicate how to adjust for organization size
  • Industry-specific considerations highlight sector variations

Implementation approach:

  1. Review the entire template
  2. Identify sections relevant to your organization
  3. Customize language and requirements
  4. Obtain legal review
  5. Get executive and board approval
  6. Communicate and train
  7. Implement monitoring and enforcement

Policy Framework Structure
#

Document Hierarchy
#

A complete AI governance framework typically includes multiple documents:

AI Governance Document Hierarchy

Level 1: AI Governance Policy (This document)

  • Board/executive approved
  • Sets principles, scope, and high-level requirements
  • Changes require senior approval

Level 2: AI Standards and Procedures

  • Detailed technical and process requirements
  • Owned by AI governance function
  • More frequent updates allowed

Level 3: AI Guidelines and Playbooks

  • Practical guidance for specific use cases
  • Owned by functional teams
  • Updated as practices evolve

Level 4: AI Tools and Templates

  • Checklists, forms, assessment tools
  • Operational documents
  • Updated frequently

This template focuses on Level 1, the master policy. Reference the AI Vendor Due Diligence Checklist and AI Incident Response Playbook for Level 2-3 materials.

AI Governance Policy
#

1. Purpose and Scope
#

1.1 Purpose
#

This policy establishes [ORGANIZATION NAME]’s framework for the responsible development, deployment, and use of artificial intelligence and machine learning systems. It ensures that AI is used in ways that:

  • Align with our organizational values and ethical principles
  • Comply with applicable laws and regulations
  • Protect individuals from harm and discrimination
  • Maintain appropriate human oversight
  • Support accountability and transparency

1.2 Scope
#

This policy applies to:

  • All AI and machine learning systems developed by [ORGANIZATION NAME]
  • All AI systems procured from third-party vendors
  • All AI systems integrated into [ORGANIZATION NAME] products, services, or operations
  • All employees, contractors, and third parties who develop, deploy, or use AI systems on behalf of [ORGANIZATION NAME]

Definition of AI Systems: For purposes of this policy, “AI systems” include:

  • Machine learning models (supervised, unsupervised, reinforcement learning)
  • Deep learning and neural networks
  • Natural language processing systems
  • Computer vision systems
  • Automated decision-making systems
  • Robotic process automation with adaptive capabilities
  • Generative AI systems (large language models, image generators)
  • Any system that learns from data to make predictions, recommendations, or decisions

1.3 Exclusions
#

This policy does not apply to:

  • Simple rule-based automation without learning capabilities
  • Basic statistical analysis and reporting
  • Standard business intelligence tools
  • [Other organization-specific exclusions]

2. Guiding Principles
#

All AI activities at [ORGANIZATION NAME] shall be guided by these principles:

AI Governance Principles

Human-Centered: AI systems augment human capabilities and serve human interests. Humans retain meaningful control over significant decisions.

Fair and Non-Discriminatory: AI systems do not discriminate based on protected characteristics and are designed and tested to minimize unfair bias.

Transparent and Explainable: AI decisions can be understood and explained at a level appropriate for the context and audience.

Accountable: Clear accountability exists for AI outcomes. Humans are responsible for AI system behavior.

Safe and Secure: AI systems are robust, secure, and designed to minimize potential harms.

Privacy-Respecting: AI systems protect personal information and are developed and used in compliance with privacy laws and our privacy commitments.

Compliant: AI systems comply with all applicable laws, regulations, and industry standards.

3. AI Governance Structure
#

3.1 Board of Directors Oversight
#

The Board of Directors (or designated committee) is responsible for:

  • Approving this AI Governance Policy
  • Receiving regular reports on AI risks and governance
  • Overseeing significant AI initiatives and risks
  • Ensuring adequate resources for AI governance

Reporting frequency: [Quarterly/Semi-annually]

3.2 Executive Accountability
#

[TITLE - e.g., Chief AI Officer, CTO, or Chief Risk Officer] has executive accountability for AI governance, including:

  • Implementing this policy
  • Reporting to the Board on AI governance
  • Allocating resources for AI governance activities
  • Escalating significant AI risks and incidents

3.3 AI Governance Committee
#

Purpose: The AI Governance Committee provides cross-functional oversight of AI activities.

Composition:

  • Chair: [Title - typically AI Ethics Officer or Chief AI Officer]
  • Members:
    • Chief Information Security Officer (or designee)
    • Chief Privacy Officer (or designee)
    • General Counsel (or designee)
    • Chief Technology Officer (or designee)
    • Chief Risk Officer (or designee)
    • HR representative (for employment AI)
    • Business unit representatives (rotating based on agenda)

Responsibilities:

  • Reviewing and approving high-risk AI deployments
  • Establishing AI standards and procedures
  • Monitoring AI risk metrics and incidents
  • Overseeing AI ethics issues and escalations
  • Recommending policy updates

Meeting frequency: [Monthly/Quarterly]

Scaling note: Smaller organizations may combine this function with existing risk or technology committees.

4. Roles and Responsibilities
#

4.1 AI Ethics Officer
#

AI Ethics Officer Role

Reports to: [Executive sponsor]

Key Responsibilities:

  • Chairing the AI Governance Committee
  • Developing and maintaining AI ethics frameworks
  • Providing ethics guidance to AI projects
  • Reviewing high-risk AI deployments
  • Investigating AI ethics concerns
  • Training the organization on responsible AI
  • Monitoring emerging AI ethics issues and regulations
  • Serving as point of contact for external AI ethics inquiries

Authority:

  • May pause AI deployments pending ethics review
  • Direct access to executive leadership and Board
  • Authority to commission independent audits

Required Qualifications:

  • Understanding of AI/ML technologies
  • Background in ethics, law, or risk management
  • Strong communication and facilitation skills

Scaling note: Smaller organizations may assign AI Ethics Officer responsibilities to an existing role (Legal, Compliance, or CTO) rather than creating a dedicated position.

4.2 AI Project Owners
#

Definition: The business owner responsible for an AI system’s outcomes.

Responsibilities:

  • Completing AI risk assessments for their systems
  • Ensuring compliance with this policy
  • Maintaining documentation required by this policy
  • Reporting AI incidents promptly
  • Ensuring ongoing monitoring of AI systems
  • Obtaining required approvals before deployment
  • Budget accountability for governance activities

4.3 AI Development Teams
#

Responsibilities:

  • Implementing technical requirements of this policy
  • Conducting required testing and validation
  • Documenting AI systems as required
  • Participating in AI risk assessments
  • Implementing bias mitigation measures
  • Maintaining model performance monitoring
  • Reporting concerns about AI systems

4.4 All Employees
#

Responsibilities:

  • Reporting concerns about AI systems through appropriate channels
  • Using AI systems in accordance with guidelines and training
  • Completing required AI training
  • Not circumventing AI governance controls

5. AI Risk Classification
#

5.1 Risk Levels
#

All AI systems shall be classified according to risk level before deployment:

High-Risk AI Systems

AI systems are classified as high-risk if they:

  • Make or significantly influence decisions about individuals in:
    • Employment (hiring, promotion, termination)
    • Credit and lending
    • Insurance underwriting or claims
    • Healthcare treatment or diagnosis
    • Housing allocation
    • Education admissions or grading
    • Criminal justice or law enforcement
    • Benefits eligibility
  • Process sensitive personal data at scale
  • Could cause physical harm (autonomous systems, medical devices)
  • Face heightened regulatory requirements
  • Could significantly impact organizational reputation

Requirements: Full AI risk assessment, AI Governance Committee approval, bias audit, ongoing monitoring, human oversight mechanisms

Medium-Risk AI Systems

AI systems are classified as medium-risk if they:

  • Make recommendations that humans typically follow
  • Process personal data but don’t make consequential decisions
  • Could cause moderate business or reputational impact
  • Interact directly with customers
  • Influence pricing, marketing, or product decisions

Requirements: AI risk assessment, AI Ethics Officer review, documented testing, ongoing monitoring

Low-Risk AI Systems

AI systems are classified as low-risk if they:

  • Support internal operations only
  • Make recommendations that are frequently overridden
  • Do not process personal data
  • Have limited business or reputational impact

Requirements: Documented risk classification, basic testing, standard change management

5.2 Risk Classification Process
#

  1. AI Project Owner completes AI Risk Classification Form
  2. AI Ethics Officer (or designee) reviews classification
  3. Disagreements escalate to AI Governance Committee
  4. Classification is documented and reviewed annually

6. AI Lifecycle Requirements
#

6.1 Planning and Design
#

Planning Phase Checklist

Before beginning AI development or procurement:

  • Identify business problem and why AI is appropriate
  • Complete initial risk classification
  • Identify applicable regulations and requirements
  • Assess data availability and quality
  • Evaluate privacy implications
  • Define success metrics and performance thresholds
  • Document intended use cases and limitations
  • Identify stakeholders and affected populations
  • Obtain required planning approvals

6.2 Development and Training
#

Data Requirements:

  • Document data sources, provenance, and licensing
  • Assess data quality and representativeness
  • Evaluate training data for potential bias
  • Ensure compliance with data protection requirements
  • Maintain data lineage documentation

Development Requirements:

  • Follow secure development practices
  • Version control for models, data, and code
  • Document model architecture and design decisions
  • Conduct bias testing throughout development
  • Perform security assessment

6.3 Testing and Validation
#

Pre-Deployment Testing Requirements

All AI Systems:

  • Functional testing against requirements
  • Performance testing (accuracy, latency, scalability)
  • Security testing
  • Edge case and failure mode testing
  • Documentation review

Medium and High-Risk Systems (additional):

  • Bias and fairness testing across protected groups
  • Explainability assessment
  • Human oversight mechanism testing
  • Adversarial robustness testing
  • Privacy impact assessment

High-Risk Systems (additional):

  • Independent third-party audit
  • Pilot deployment with monitoring
  • Stakeholder review

6.4 Deployment Approval
#

Low-Risk Systems:

  • AI Project Owner approval
  • Standard change management process

Medium-Risk Systems:

  • AI Project Owner approval
  • AI Ethics Officer review and approval
  • Documented testing results

High-Risk Systems:

  • AI Project Owner approval
  • AI Ethics Officer approval
  • AI Governance Committee approval
  • Executive sponsor notification
  • Board notification (for significant initiatives)

6.5 Operations and Monitoring
#

Ongoing Monitoring Requirements:

Risk LevelPerformance MonitoringBias MonitoringAudit Frequency
HighContinuousMonthlyAnnual (independent)
MediumWeeklyQuarterlyBiennial
LowMonthlyAnnualAs needed

Monitoring Elements:

  • Accuracy and performance metrics vs. thresholds
  • Fairness metrics across demographic groups
  • Model drift indicators
  • User feedback and complaints
  • Incident tracking

6.6 Model Updates and Changes
#

Model updates follow the same approval requirements as initial deployment, with these modifications:

  • Minor updates (bug fixes, same training data): AI Project Owner approval
  • Moderate updates (new training data, architecture changes): Original approval level minus one
  • Major updates (new use cases, significant changes): Full original approval process

All updates must be documented in the model version registry.

6.7 Retirement and Decommissioning
#

Before retiring an AI system:

  • Notify affected stakeholders
  • Archive model, data, and documentation per retention requirements
  • Ensure alternative processes are in place
  • Document lessons learned
  • Confirm data deletion requirements are met

7. Vendor AI Requirements
#

7.1 Vendor Selection
#

AI systems procured from vendors must meet the same risk-appropriate requirements as internally developed systems. See AI Vendor Due Diligence Checklist for detailed guidance.

Minimum vendor requirements:

  • Documented AI governance practices
  • Willingness to provide audit information
  • Contractual liability allocation
  • Incident notification commitments
  • Data protection compliance

7.2 Vendor Contracts
#

AI vendor contracts must include:

  • Description of AI functionality and limitations
  • Liability and indemnification provisions
  • Audit rights
  • Incident notification requirements
  • Data handling and protection terms
  • Model update notification requirements
  • Termination and transition rights

7.3 Ongoing Vendor Oversight
#

  • Annual vendor assessments for high-risk systems
  • Monitoring of vendor-provided performance metrics
  • Review of vendor audit reports
  • Incident tracking and vendor responsiveness

8. Documentation and Records
#

8.1 Required Documentation
#

AI Documentation Requirements

All AI Systems:

  • Risk classification assessment
  • System description and intended use
  • Testing and validation results
  • Deployment approval records
  • Incident reports

Medium and High-Risk Systems (additional):

  • Data documentation (sources, preparation, representativeness)
  • Model documentation (architecture, training, parameters)
  • Bias assessment results
  • Explainability documentation
  • Human oversight procedures
  • Performance monitoring results

High-Risk Systems (additional):

  • Full model cards/datasheets
  • Independent audit reports
  • Stakeholder impact assessments
  • Regulatory compliance documentation

8.2 Retention Requirements
#

AI documentation shall be retained for:

  • Active systems: Duration of use plus [7 years]
  • Retired systems: [7 years] from retirement
  • Incident documentation: [10 years] or as required by litigation hold

9. Training and Awareness
#

9.1 Required Training
#

RoleTraining RequirementFrequency
All employeesAI AwarenessAnnual
AI Project OwnersAI GovernanceAnnual
AI DevelopersResponsible AI DevelopmentAnnual
AI Governance CommitteeAI Risk and EthicsAnnual
ExecutivesAI Board OversightAnnual

9.2 Training Content
#

AI Awareness (All Employees):

  • What AI systems the organization uses
  • How to report AI concerns
  • Responsible use of AI tools
  • Privacy and security considerations

AI Governance (Project Owners):

  • This policy and related procedures
  • Risk classification process
  • Approval requirements
  • Monitoring obligations
  • Incident reporting

Responsible AI Development (Developers):

  • Bias in AI systems and mitigation
  • Explainability techniques
  • Security and privacy by design
  • Testing and validation requirements
  • Documentation requirements

10. Incident Response
#

AI incidents shall be managed according to the AI Incident Response Playbook.

Key requirements:

  • Report AI incidents immediately through [REPORTING CHANNEL]
  • Follow severity classification and escalation procedures
  • Preserve evidence as required
  • Complete post-incident reviews
  • Implement remediation and prevention measures

11. Exceptions
#

Exceptions to this policy require:

  • Documented business justification
  • Risk mitigation measures
  • Approval from AI Ethics Officer and [Executive Sponsor]
  • Time-limited duration (maximum [1 year])
  • Documented monitoring of exception

Exceptions must be reported to the AI Governance Committee.

12. Enforcement
#

Violations of this policy may result in:

  • Suspension of AI system deployment
  • Required remediation actions
  • Disciplinary action up to termination
  • Contractual consequences for third parties

Concerns about AI systems or this policy may be reported to:

  • AI Ethics Officer
  • Compliance hotline
  • [Other reporting channels]

Reports may be made anonymously and will not result in retaliation.

13. Policy Review
#

This policy shall be reviewed:

  • Annually at minimum
  • Upon significant regulatory changes
  • Following significant AI incidents
  • Upon major changes to AI strategy

Policy Owner: [Title] Last Review Date: [Date] Next Review Date: [Date]

Appendix A: AI Risk Classification Form
#

AI RISK CLASSIFICATION FORM

System Name: _______________________
Project Owner: _______________________
Date: _______________________

1. SYSTEM DESCRIPTION
Describe the AI system and its intended use:


2. DECISION IMPACT
What decisions does this system make or influence?
□ Employment (hiring, promotion, termination)
□ Credit/lending
□ Insurance
□ Healthcare
□ Housing
□ Education
□ Criminal justice/law enforcement
□ Benefits eligibility
□ Other consequential decisions (describe): _______
□ Recommendations only (human makes final decision)
□ Internal operations only

3. DATA SENSITIVITY
What types of data does the system process?
□ No personal data
□ Non-sensitive personal data
□ Sensitive personal data (health, financial, biometric)
□ Protected class information
□ Data about minors

4. SCALE AND REACH
□ Affects <100 individuals/decisions annually
□ Affects 100-10,000 individuals/decisions annually
□ Affects >10,000 individuals/decisions annually

5. POTENTIAL FOR HARM
What harm could result from system errors?
□ Physical harm
□ Financial harm
□ Discrimination
□ Privacy violation
□ Reputational harm (individual)
□ Reputational harm (organizational)
□ Other: _______

6. REGULATORY REQUIREMENTS
□ [EU AI Act](/resources/eu-ai-act-liability/) applies
□ State AI laws apply (specify): _______
□ Industry-specific regulations apply (specify): _______
□ No specific AI regulations identified

7. PRELIMINARY CLASSIFICATION
Based on above factors:
□ High Risk
□ Medium Risk
□ Low Risk

Justification:


Submitted by: _______________  Date: _______
Reviewed by: _______________  Date: _______
Classification Approved: □ Agree □ Modify to: _______

Appendix B: AI Deployment Approval Checklist
#

AI DEPLOYMENT APPROVAL CHECKLIST

System Name: _______________________
Risk Classification: □ High □ Medium □ Low
Deployment Date: _______________________

DOCUMENTATION COMPLETE:
□ Risk classification form
□ System description and intended use
□ Data documentation
□ Model documentation (medium/high risk)
□ Testing results
□ Bias assessment (medium/high risk)
□ Privacy impact assessment (if applicable)

TESTING COMPLETE:
□ Functional testing
□ Performance testing
□ Security testing
□ Bias/fairness testing (medium/high risk)
□ Explainability assessment (medium/high risk)
□ Human oversight testing (high risk)
□ Third-party audit (high risk)

APPROVALS OBTAINED:
□ AI Project Owner
□ AI Ethics Officer (medium/high risk)
□ AI Governance Committee (high risk)
□ Legal review (if required)
□ Security review (if required)
□ Privacy review (if required)

MONITORING ESTABLISHED:
□ Performance monitoring configured
□ Bias monitoring configured (medium/high risk)
□ Alert thresholds defined
□ Incident reporting procedures confirmed

READY FOR DEPLOYMENT:
□ All requirements met
□ Deployment approved

Approver: _______________  Date: _______

Appendix C: Glossary
#

Algorithmic Bias: Systematic errors in AI system outputs that create unfair outcomes for certain groups.

Artificial Intelligence (AI): Systems that can perform tasks typically requiring human intelligence, including learning, reasoning, and problem-solving.

Bias Audit: Systematic evaluation of an AI system for discriminatory impacts across protected groups.

Explainability: The ability to describe AI system behavior in human-understandable terms.

Fairness Metrics: Quantitative measures of equitable AI system performance across different groups.

Human Oversight: Mechanisms ensuring humans can understand, intervene in, and override AI decisions.

Machine Learning: AI techniques where systems learn from data rather than explicit programming.

Model Drift: Degradation in AI model performance over time as real-world conditions change.

Training Data: Data used to develop and calibrate AI/ML models.

Frequently Asked Questions
#

How do we know if something is an “AI system” covered by this policy?
#

The key question: Does the system learn from data to make predictions, recommendations, or decisions? If yes, it’s likely covered. If you’re unsure, err on the side of inclusion and consult the AI Ethics Officer.

Common gray areas:

  • Covered: ML-powered recommendation engines, chatbots, predictive analytics, automated screening tools
  • Not covered: Simple if/then rules, standard SQL queries, basic statistics, RPA with fixed rules

What if we need to deploy quickly and can’t complete the full process?
#

Emergency deployments may use expedited approval with these conditions:

  1. Document the urgency
  2. Obtain AI Ethics Officer verbal approval (with written follow-up within 48 hours)
  3. Implement enhanced monitoring
  4. Complete full process within 30 days

This exception should be rare. Most “urgencies” reflect poor planning.

How does this policy apply to employees using ChatGPT or similar tools?
#

External AI tools used for work purposes are within scope. Establish guidelines covering:

  • What tools are approved for use
  • What data can be shared with AI tools
  • Required review of AI outputs
  • Prohibited uses (e.g., making final decisions, confidential data)

Many organizations create separate “Generative AI Acceptable Use” guidelines under this policy framework.

Who decides what’s “high risk” vs. “medium risk”?
#

The AI Project Owner makes the initial classification using the Risk Classification Form. The AI Ethics Officer reviews all classifications. Disagreements escalate to the AI Governance Committee.

When in doubt, classify higher rather than lower. The consequences of under-classifying a risky system are worse than over-classifying a safe one.

What if a vendor won’t provide required information?
#

This is valuable information about the vendor. Options:

  1. Escalate within the vendor organization
  2. Document refusal in vendor assessment
  3. Require contractual commitments even if details unavailable
  4. Choose a different vendor
  5. If proceeding, document risk acceptance at appropriate level

How do we handle AI systems already in production?
#

Existing systems should be inventoried and classified within [6 months] of policy adoption. High-risk systems should complete the full governance process within [12 months]. Medium-risk systems within [18 months].

Truly problematic systems may need to be suspended until they can meet requirements.

Conclusion
#

Effective AI governance requires more than a policy document, it requires organizational commitment, adequate resources, and consistent implementation. This template provides the framework; your organization provides the will.

Implementation success factors:

  1. Executive sponsorship: Without visible leadership support, policies become shelfware
  2. Adequate resources: The AI Ethics Officer and governance functions need time and budget
  3. Clear accountability: Every AI system needs an owner who feels responsible
  4. Practical procedures: If the process is too burdensome, people will work around it
  5. Consistent enforcement: Policies without consequences are suggestions

The AI standard of care is evolving. Organizations with strong governance frameworks will be better positioned to demonstrate due diligence, comply with emerging regulations, and, most importantly, deploy AI responsibly.

Start with this template. Adapt it to your organization. Implement it seriously. Improve it continuously.

Related

International AI Regulation: A Global Comparison

··10 mins
Resources EU AI Act UK AI Regulation China AI Canada AIDA International AI Bletchley Declaration AI Governance AI Compliance
As AI systems become integral to commerce, healthcare, and daily life, jurisdictions worldwide are racing to establish regulatory frameworks. The approaches vary dramatically, from the EU’s comprehensive risk-based legislation to the UK’s sector-specific principles, from China’s content-focused rules to Canada’s failed attempt at comprehensive AI law. Understanding these frameworks is essential for any organization deploying AI across borders.

AI Contract Provisions: Key Terms for Licensing, Procurement, and Development Agreements

·21 mins
Resources AI Contracts Liability Allocation Indemnification Warranties Audit Rights Data Rights AI Procurement
Introduction: Why AI Contracts Are Different # Artificial intelligence systems challenge traditional contract frameworks in fundamental ways. A standard software license assumes the software will behave predictably and consistently, the same inputs will produce the same outputs. AI systems, by contrast, may behave unpredictably, evolve over time, produce different results from identical inputs, and cause harms that neither party anticipated.

AI Discovery and E-Discovery: Preserving and Obtaining Evidence in AI Litigation

·16 mins
Resources E-Discovery AI Evidence Discovery Requests Litigation Hold Proprietary Algorithms AI Preservation
Introduction: Discovery in the Age of AI # Discovery in AI litigation presents challenges unlike any the legal system has previously faced. Traditional e-discovery concerns, email preservation, document production, metadata integrity, seem quaint compared to the complexities of preserving a machine learning model, obtaining training data that may encompass billions of data points, or compelling production of algorithms that companies claim as their most valuable trade secrets.

AI Expert Witness Guide: Finding, Qualifying, and Working with AI Experts

·14 mins
Resources Expert Witness AI Litigation Daubert Expert Testimony Technical Experts Deposition
Introduction: The Critical Role of AI Experts # As artificial intelligence systems proliferate across industries, from healthcare diagnostics to autonomous vehicles to financial underwriting, litigation involving AI has exploded. In virtually every AI-related case, expert testimony is not just helpful but essential. Judges and juries lack the technical background to evaluate whether an AI system was properly designed, tested, deployed, or monitored. Expert witnesses bridge that knowledge gap.