Free AI Policy Template (ISO 42001) + Customization Tips
As AI use grows and the EU AI Act takes effect, organizations increasingly need a written AI policy. This free template is aligned to ISO/IEC 42001 — the first AI management system standard — and sets out how your organization develops and uses AI responsibly. Copy it, tailor the ✎ placeholders, and you have a credible governance foundation.
Use this if your organization builds, integrates or uses AI (including third-party tools) and wants to demonstrate responsible governance to customers, regulators or partners.
Template
AI Policy
ISO/IEC 42001:2023
1. Purpose, Scope & Context
This policy sets out how ✎ Company Name governs the responsible development, provision and use of artificial intelligence. It applies to all employees and contractors and to all AI systems the organization builds, integrates or uses, including ✎ list key AI systems or use cases, e.g. customer support assistant, internal analytics.
2. Responsible-AI Commitments
The organization commits to:
- developing and using AI that is lawful, ethical and robust;
- assessing and managing AI risks and impacts on individuals and society;
- maintaining human oversight of AI decisions that affect people;
- ensuring transparency about where and how AI is used;
- protecting the privacy, security and quality of data used by AI; and
- complying with applicable requirements, including the EU AI Act where relevant.
3. Roles & Responsibilities
✎ an AI governance owner / committee is accountable for this policy and for overseeing significant AI decisions and risks. System owners are responsible for the AI systems in their area. All personnel must use AI in line with this policy and report concerns.
4. AI Risk & Impact Assessment
Before deploying an AI system, the organization assesses its risks and its impact on affected parties (fairness, safety, rights and wellbeing). Higher-risk systems receive deeper review and ✎ state who approves high-risk AI. Assessments are recorded and reviewed.
5. Lifecycle Controls & Human Oversight
AI systems are governed across their lifecycle — design, data, development, testing, deployment and monitoring. Human oversight is maintained proportionate to risk, and significant decisions affecting individuals are not fully automated without ✎ state your oversight requirement.
6. Data Governance
Data used to train or operate AI is managed for quality, provenance and bias, and handled in line with the organization's privacy and security policies. ✎ note any restrictions, e.g. no customer personal data in third-party AI tools without approval.
7. Transparency & Use of Third-Party AI
Where AI materially affects users, the organization discloses its use and its limitations. Third-party AI tools are assessed before adoption and used within approved guidelines.
8. Compliance, Monitoring & Review
Compliance with this policy is mandatory. AI use is monitored, incidents are managed and improvements made. This policy is classified Internal, communicated to staff, and reviewed at least annually and when AI use or regulation changes significantly.
✎ Highlighted items are placeholders — replace them with your organization's details.
Generate a tailored AI Policy instantly with CompliWiseAI
Skip the placeholders — get a version written for your company's industry, size, country and risk level, ready to review and export.
How to customize this template
- List your actual AI systems and use cases — a generic AI policy convinces no one.
- Name who owns AI governance and who approves high-risk AI before deployment.
- Set a clear rule on putting personal or confidential data into third-party AI tools.
- State your human-oversight requirement for AI decisions that affect people.
- Map the policy to the EU AI Act risk tiers if any of your AI is in scope.
What an auditor looks for
- Does the policy cover responsible-AI principles, risk/impact, oversight, data and transparency?
- Is there a named owner and an approval step for higher-risk AI?
- Are AI risk and impact assessments performed and recorded?
- Is human oversight defined proportionate to risk?
Frequently asked questions
Do I legally need an AI policy?
Not universally yet, but the EU AI Act and customer due diligence increasingly expect documented AI governance, and ISO 42001 makes it a formal requirement. A policy is the foundation.
Does this cover the EU AI Act?
It aligns with the AI Act's governance expectations, but the Act imposes specific obligations by risk tier. Use this policy as your governance base and map high-risk systems to the Act's requirements.
We only use third-party AI tools — do we still need this?
Yes. Using AI (even someone else's) still creates risk and obligations. The policy covers responsible use and third-party tool governance.