An enterprise AI governance policy is one short, readable document covering seven parts: acceptable use, approved tools and a route to approve new ones, data handling, human-in-the-loop accountability, risk tiers, monitoring and review cadence, and named ownership.
- An enterprise AI governance policy is one short, readable document that answers seven questions: what good use looks like, which tools are approved and how to approve new ones, what data may never enter a public model, where a human stays in the loop, how risk is tiered, how use is monitored and reviewed, and who owns the whole thing by name.
- The policy is the artefact that makes confident adoption possible. IBM found in 2025 that 63% of breached organisations either had no AI governance policy or were still developing one, and breaches involving shadow AI (employees using AI tools the organisation has not sanctioned) cost around 670,000 US dollars more than the average.
- Anchor each section to a recognised framework so it is defensible: the NIST AI Risk Management Framework (Govern, Map, Measure, Manage), ISO/IEC 42001, the first AI management system standard, and the EU AI Act's four risk tiers.
- Most organisations have the easy half and miss the hard half: Pacific AI found 75% have an AI usage policy, yet only 36% have a formal governance framework around it.
- Name an accountable owner. The National Association of Corporate Directors found in 2025 that more than 62% of boards now make full-board time for AI, yet fewer than 25% of companies hold a board-approved AI policy, so attention has outpaced ownership.
"We all agreed we need an AI governance policy, everyone nodded, and now the document sits half-written in a shared drive because none of us actually knows what is meant to go in it." You have probably said a version of that out loud in the past month. The intent was real. The meeting felt productive. Then someone was tasked with the first draft, opened a blank file, typed a heading, and discovered that nobody in the room could define what belonged underneath it.
So here is the artefact, described plainly. An enterprise AI governance policy is a short, readable document, ideally a few pages a busy person will actually finish, organised around seven working parts: acceptable use, approved tools and a route to approve new ones, data handling, human-in-the-loop and accountability, risk tiers, monitoring and review cadence, and named ownership. That is the whole shape. Everything else is appendix. If a line tells a capable employee what they can do today and who to ask when the answer is not obvious, it belongs in the policy. If it reads like legal throat-clearing, it belongs elsewhere.
Why does the policy keep stalling at the blank page?
Because the room conflated two different things: the act of governing, which is behavioural and cultural, and the policy document, which is an artefact with sections. The first is the harder, slower work of trust and visibility, the subject of its own conversation. The second is what you are actually being asked to write, and it stalls because most leaders have never seen a good one. They have seen acceptable-use policies for laptops and they have seen forty-page compliance manuals nobody reads, and neither is the right model.
The cost of leaving it half-written is now measurable, which is the part that should move you from the shared drive to the page. IBM's 2025 Cost of a Data Breach report found that 63% of breached organisations either had no AI governance policy or were still developing one. In the same study, one in five organisations reported a breach linked to shadow AI, and where shadow AI use was high, breach costs ran around 670,000 US dollars above the average. Of organisations compromised through AI, 97% reported they had no AI access controls in place. The half-written document is not a tidy-up task. It is the thing standing between capable people and a defensible answer.
What are the sections an enterprise AI governance policy should contain?
Start with acceptable use, in plain language. One short section that says what good looks like: the kinds of tasks AI is welcomed for, the tone of judgement expected, and the principle that a person remains responsible for anything that carries their name. This is where the policy sets a forward stance rather than a list of prohibitions. People follow a clear yes far more readily than a long no.
Then approved tools, and the route to approve new ones. Name the sanctioned tools, and, just as importantly, give a fast, visible path for someone to propose a new one. A policy that only lists what is allowed today freezes on the day a better tool ships. A policy with a thirty-day approval route stays alive. Next comes data handling, the section that earns its keep: what may never be pasted into a public model, what is fine, and where the line sits between a private enterprise instance and a free public tier. This is the single clause that prevents most of the incidents in IBM's numbers.
Human-in-the-loop and accountability is the section that protects judgement. For any AI-assisted decision that affects a person, a customer, or money, the policy names who reviews it and who is answerable for the outcome. The model assists; a named human decides. Then risk tiers, borrowed in spirit from the EU AI Act, which sorts AI uses into unacceptable, high, limited and minimal risk: a customer-facing pricing model and an internal meeting summariser do not need the same controls, and a policy that treats them identically will be ignored by both. Monitoring and review cadence sets how use is observed and how often the whole policy is revisited, because AI moves faster than your annual review cycle. And named ownership closes it: one accountable person, not a committee, not a vibe.
| Section | The question it answers |
|---|---|
| Acceptable use | What is AI welcomed for, and who stays responsible for the output? |
| Approved tools and approval route | What is sanctioned today, and how does someone get a new tool approved? |
| Data handling | What must never enter a public model, and where is the line? |
| Human-in-the-loop and accountability | Who reviews and is answerable for an AI-assisted decision? |
| Risk tiers | Which uses are high-stakes and need tighter controls? |
| Monitoring and review cadence | How is use observed, and how often is the policy revisited? |
| Named ownership | Who owns this document and the decisions it carries? |
Turn the half-written file into a policy your board will sign
If the document has stalled in a shared drive, we can build the seven sections together in ninety minutes, anchored to how your people already work rather than a template. You will leave with a draft you can actually circulate.
Book your Strategy SessionHow do I make the policy defensible rather than just an opinion?
By anchoring each section to a framework someone else has already stress-tested, so the document carries weight beyond the author's preferences. Three are worth naming, because they are real and they hold their weight. The NIST AI Risk Management Framework, published in early 2023, is voluntary US guidance built around four functions, Govern, Map, Measure and Manage, and it maps cleanly onto your sections. ISO/IEC 42001, released in late 2023, is the first international AI management system standard, the certifiable cousin of the policy: where the policy states your intent, ISO/IEC 42001 describes the management system that keeps the intent honest. And the EU AI Act, which entered into force in August 2024 and becomes broadly applicable in August 2026, gives you the risk-tier language, classifying AI uses as unacceptable, high, limited or minimal risk. You do not have to adopt all three. Citing the one that fits your market turns your policy from an opinion into a position.
The gap most organisations sit in is the gap between having a policy and having a framework around it. Pacific AI's 2025 governance survey of 351 organisations found 75% had an AI usage policy, yet only 36% had adopted a formal governance framework. The policy is the easy half. The framework, the ownership, the review cadence, the monitoring, is the half that makes the policy mean something. And ownership is exactly where it thins out: the National Association of Corporate Directors (the main US body for public-company board members) found in its 2025 board practices survey that more than 62% of directors now set aside full-board agenda time for AI, yet fewer than 25% of companies have a board-approved, structured AI policy in place. Attention has arrived; accountability is the next thing to claim. A policy with no named owner is a wish with formatting.
An AI governance policy is not a brake on adoption. It is the artefact that makes confident adoption possible, because it tells capable people what they can do today and who to ask when the answer is not obvious.
- Write acceptable use as a clear yes. Say what AI is welcomed for and that a named person stays responsible for any output that carries their name.
- List approved tools and the route to add one. A thirty-day approval path keeps the policy alive when a better tool ships.
- Draw the data line. State precisely what may never enter a public model. This single clause prevents most incidents.
- Set human accountability and risk tiers. Name who decides on AI-assisted calls, and sort uses by stakes so controls match risk.
- Fix monitoring, cadence and an owner. Decide how use is watched, when the policy is revisited, and the one person answerable for it.
Do that, and the document stops being a chore and becomes the thing that lets you say yes with confidence. This is the quieter point underneath the whole exercise. The bottleneck is no longer the technology; the models work, and they are already in your building. The open question is whether you have given your people a clear enough line to walk that they bring their AI use into the open rather than around the side. A good governance policy is how a leader does that. It is less a wall than a well-marked path, and the organisations that draw it first will scale with a steadiness the others spend the next two years chasing.
Frequently asked questions
How long should an enterprise AI governance policy be?
Which framework should our AI governance policy reference?
Who should own the AI governance policy?
- IBM, Cost of a Data Breach Report 2025, 2025
- Pacific AI, 2025 AI Governance Survey, 2025
- National Association of Corporate Directors, 2025 Public Company Board Practices and Oversight Survey, 2025
- NIST, AI Risk Management Framework (AI RMF 1.0), 2023
- ISO/IEC 42001:2023, Artificial intelligence management system, 2023
- European Commission, Regulatory framework on AI (EU AI Act), 2024

About the author
British technology futurist, AI keynote speaker and advisor. Thirty years across enterprise technology and AI strategy, helping leaders navigate the future of work. The futurist who died.