
AI Policy for Companies: Contents and Template

Blck Alpaca
Definition

An AI policy is the management-approved, documented directive that governs scope, permitted and prohibited AI use, data protection, approved tools, labelling of AI content, responsibilities, training and the consequences of violations. It is mandatory under ISO/IEC 42001 (Clause 5.2) and forms the framework for all AI objectives.

Key Takeaways

  • Under ISO/IEC 42001 Clause 5.2 and Annex A control A.2.3, the AI policy is a mandatory, management-approved document - without it, certification is not possible.
  • An overly generic policy ('We use AI responsibly') is, according to audit practice 2024-2026, one of the most common weaknesses - it must be concrete, checkable and enforceable.
  • Mandatory components are: scope, principles, roles, permitted/prohibited use, approved tools, data protection, labelling, training, violations and a binding review cadence.
  • The training obligation ties in with EU AI Act Art. 4 (AI literacy), which is mapped via ISO 42001 Clause 7.2 (competence) and 7.3 (awareness).
  • The policy must be reviewed at least annually and upon material changes (new high-risk agent, new regulation, serious incident, change of model provider) - with version control and an approval signature.

An AI policy is the management-approved, documented directive that governs how AI may be used in the company - and how it may not. It defines scope, permitted and prohibited use, data protection and confidentiality, approved tools, the labelling of AI content, responsibilities, training and the consequences of violations. Under ISO/IEC 42001:2023 it is a mandatory document via Clause 5.2 and Annex A control A.2.3, and it forms the framework for all measurable AI objectives.

  • Mandatory, not optional: Without a documented, management-approved AI policy, ISO 42001 certification is not possible (Clause 5.2 / control A.2.3).
  • Concrete instead of empty phrases: A generic policy ("We use AI responsibly") is, according to audit practice 2024-2026, one of the most common findings - it must be checkable and enforceable.
  • Embedded, not isolated: It must be aligned with existing policies on information security, data protection, ethics and HR (control A.2.2).

Why an AI policy - and where it is anchored in ISO 42001

Clause 5.2 of ISO/IEC 42001 requires top management to establish a documented AI policy that is appropriate to the purpose of the organisation, provides a framework for AI objectives and contains a self-commitment to meeting applicable requirements as well as to continual improvement. Annex A control A.2.3 reinforces this and calls for a documented direction approved by management. A.2.2 requires alignment with other corporate policies, A.2.4 the regular review.

The logic behind this is a cascade: the policy (5.2) provides the framework for measurable AI objectives (6.2), which in turn are monitored via monitoring (9.1) and the management review (9.3). A policy without subsequent, measurable objectives remains ineffective - and will be flagged in the audit.

Mandatory contents of an AI policy

An AI policy that holds up in the DACH region covers the following building blocks according to ISO 42001 practice. They are directly suitable as a checkable outline.

| Section | Content | ISO 42001 reference |
|---|---|---|
| Purpose & scope | Which AI systems, which roles (provider/deployer/both), which areas and locations | Clause 4.3, 5.2 |
| Principles | Human oversight, transparency, fairness, data protection, security, robustness, environmental responsibility (oriented towards Annex C.2 / OECD principles) | Clause 5.2, Annex C.2 |
| Roles & responsibilities | Top management, AI Officer/AIMS manager, control owners | Clause 5.3, control A.3.2 |
| Permitted & prohibited use | Autonomy levels, tool-use limits, escalation/HITL rules, prohibited use cases | Control A.2.3, A.9.4 |
| Data protection & confidentiality | Handling of personal and confidential data in prompts and retrieval | Annex A.7, GDPR reference |
| Approved tools & providers | Approved tools, provider due diligence | Control A.10.3 |
| Labelling of AI content | Transparency towards users, instructions for use | Control A.8.2, AI Act Art. 13 |
| Risk & impact assessment | Self-commitment to risk and impact assessment | Clause 6.1.2, 6.1.4 |
| Training & competence | AI literacy plan, annual training | Clause 7.2/7.3, AI Act Art. 4 |
| Violations & enforcement | Consequences, reporting channel for concerns | Control A.3.3, Clause 10.1 |
| Review & version control | At least annually, immediately upon material change; approval signature | Control A.2.4, Clause 9.3 |

Permitted and prohibited use

This is the centrepiece for everyday work. For AI agents, the policy should explicitly define the autonomy levels - read-only, advisory, acting with approval, acting autonomously - as well as tool-use limits, escalation and human-in-the-loop rules and the diversity of model providers. Prohibited use cases should be named explicitly, for example no autonomous legal advice or no autonomous personnel decision without human oversight (HITL). Control A.9.4 is decisive here: if an agent is used outside its intended purpose as declared by the provider, this may qualify as a material change under EU AI Act Art. 25 and trigger a new impact assessment.

Data protection and approved tools

The policy must govern which data may flow into prompts, retrieval systems or training data. Approved tools are listed together with their providers; control A.10.3 requires documented due diligence on certifications (ISO 27001, SOC 2 Type II, ISO 42001), data protection posture, sub-processors and model deprecation policies. An outdated tool list or an unmaintained provider register is among the most frequently flagged points.

Labelling of AI content

Transparency is a core principle from Annex C.2. Control A.8.2 requires system documentation and information for users - model cards, instructions for use, statements on capabilities and limitations. This closely aligns with EU AI Act Art. 13 (transparency / information for users). The policy should govern when and how AI-generated or AI-assisted content is labelled.

Training and AI literacy

Clause 7.2 (competence) and 7.3 (awareness) require evidence that employees with active AI roles are trained. This ties in directly with EU AI Act Art. 4 (AI literacy). In agent deployments, this very evidence is a common weak point, because competence beyond the purely technical teams is often not demonstrated.

ISO 42001 and the EU AI Act - the bridge

ISO 42001 is not a harmonised standard and does not create a presumption of conformity with the EU AI Act. It is, however, regarded as the strongest organisational basis for AI Act preparation. Two articles in particular are relevant to the policy: Art. 4 (AI literacy) is mapped via Clauses 7.2/7.3, Art. 13 (transparency/information for users) via controls A.8.2 and A.8.5. The self-commitment to compliance with applicable regulations (GDPR, EU AI Act, sector-specific regulation) belongs explicitly in the text.

Note: This article serves as professional guidance and does not replace legal advice. Specific obligations, article references and deadlines must be reviewed legally on a case-by-case basis.

Template: a checkable outline of an AI policy

```
AI policy [Company] - Version x.y - Approval [Date/Management]

  1. Purpose & scope
  2. Guiding principles (human oversight, transparency, fairness, data protection, security, robustness)
  3. Roles & responsibilities (management, AI Officer/AIMS manager, control owners)
  4. Permitted use
  5. Prohibited use (negative list, e.g. autonomous personnel/legal decision)
  6. Data protection & confidentiality (permissible data in prompts/retrieval)
  7. Approved tools & providers (+ provider due diligence A.10.3)
  8. Labelling of AI content (transparency, model cards, instructions for use)
  9. Risk & impact assessment (self-commitment)
  10. Training & AI literacy (plan, cadence)
  11. Violations & enforcement (consequences, reporting channel)
  12. Self-commitment to law (GDPR, EU AI Act) & continual improvement
  13. Review cadence, version control, approval signatures
```

Practical example: measurable objectives and training attestation

A policy only takes effect through measurable objectives under Clause 6.2. A mid-sized DACH company (Blueprint ISO-A, 500-2,000 employees) makes its policy concrete, for example, as follows:

  • Competence (Clause 7.2 + AI Act Art. 4): "All employees with an active AI role complete annual AI literacy training; 100% attestation."
  • Transparency: "100% of high-risk agents have an up-to-date model card and a user-facing instruction sheet by Q3."
  • Coverage: "100% of productive AI agents are registered in the AI inventory and assigned to a risk class within 14 days of go-live."

Such objectives make the policy audit-ready and close the gap between aspiration and evidence - precisely where generic policies fail.

For agencies and B2B

For marketing agencies, an AI policy is doubly relevant: internally as evidence of one's own competence under AI Act Art. 4, externally as a trust signal in pitches and tenders - DAX, SMI and ATX clients are increasingly asking about AI governance in RFPs. For B2B decision-makers, the policy is the first, cost-effective step of an ISO 42001 journey (total budget Blueprint ISO-A: EUR 50,000-150,000, 9-12 months, as of 2026): it can be created in the policy-stack phase within four to eight weeks and lays the foundation for risk, impact and lifecycle processes. We support the creation of a checkable, enforceable AI policy and its linkage to measurable objectives - without empty phrases, with a focus on audit-readiness.

FAQ

Is an AI policy a legal requirement?
A dedicated 'AI policy' is not prescribed by any single law. Within the framework of ISO/IEC 42001, however, it is mandatory for certification via Clause 5.2 and Annex A control A.2.3. The EU AI Act also requires AI literacy of staff via Art. 4, which is demonstrated in practice through a policy and training. This is not legal advice.
How does an AI policy differ from an AI strategy?
The AI strategy describes the 'why' and 'where to' - which business objectives are to be achieved with AI. The AI policy governs the 'how' and 'how not' in day-to-day operations: scope, permitted and prohibited use, approved tools, data protection, responsibilities and violations. Under ISO 42001, the policy (5.2) provides the framework for measurable AI objectives (6.2).
How often must an AI policy be updated?
Under ISO 42001 (control A.2.4), the review takes place at planned intervals or upon material changes. In DACH audit practice, at least annually is the de facto minimum standard. An immediate review is required on a triggered basis: a new high-risk agent, new regulation, a serious incident or a change of foundation-model provider.
Which tools should be listed as approved in an AI policy?
The policy lists the approved AI tools and providers as well as their terms of use. Via ISO 42001 control A.10.3, providers must be reviewed in a documented manner - for example regarding certifications (ISO 27001, SOC 2 Type II, ISO 42001 itself), data protection posture, sub-processors and model deprecation policies. An outdated tool list is a typical weakness in audits.
Does the AI policy relate to the EU AI Act?
Yes, indirectly. ISO 42001 is not a harmonised standard and does not create a presumption of conformity, but it is regarded as the strongest organisational basis for AI Act preparation. The policy should contain a self-commitment to compliance with applicable regulations - in particular Art. 4 (AI literacy) and Art. 13/26 (transparency, deployer obligations). Specific legal questions belong in a legal review.
