What an AI policy needs to actually cover
Most AI policies I read are a paragraph about responsible use and a list of approved tools. That is not an AI policy. Here is what actually belongs in one.
Most of the AI policies I have reviewed in the last year are short on the same things. They identify approved tools, gesture at responsible use, and leave the operational decisions to whoever happens to be using the model that day. That is a document, but it is not a policy. A real AI policy covers four things, in enough specificity that a manager can apply it without calling legal.
The first is the data layer. AI systems run on data, and the data your models touch is governed by the same regimes that govern every other place data lives in your business. The California Consumer Privacy Act, the Florida Digital Bill of Rights, and sectoral regimes like HIPAA and GLBA apply to data fed into an AI tool exactly as they apply to any other processing, and the EU AI Act layers AI-specific obligations on top of them. The policy needs to specify which categories of data can be entered into which categories of tools. Public ChatGPT is not the same as an enterprise instance with a contractual no-training clause, and both of those are different from a self-hosted model running inside your own network. If the policy does not distinguish between them, employees will conflate them, and personal information will end up in places it should not be. The corollary obligation is data minimization. AI tools encourage maximalist prompting because more context usually means better output. The policy needs to push back on that instinct for any prompt involving personal data, customer information, or anything otherwise protected, and it should say what must be removed or substituted before a prompt goes out rather than leaving that judgment to each user.
The second is the intellectual property layer. The policy has to take a position on three questions. Who owns the output? When AI-generated content sits inside a deliverable, what marking or documentation establishes the human authorship needed to claim copyright? When a model is trained or fine-tuned on the company’s data, what rights does the vendor have to that training data and its derivatives? Most AI vendor contracts default to terms favorable to the vendor on each of these. The policy should specify what your contract review needs to confirm before any new AI tool is approved, and it should specify the documentation employees need to keep when they produce AI-assisted work that the company may later need to defend or enforce as its own.
The third is the accountability layer. AI systems make decisions, and decisions create liability. The policy needs to say who is responsible when an AI-driven decision goes wrong. In high-stakes settings (hiring, credit decisions, medical or legal advice, customer-facing claims), the policy should require human review before any AI output reaches a person who will act on it. The policy should also identify which categories of decisions cannot be delegated to AI at all, regardless of how good the model gets. The “human in the loop” language has become a cliche, but the substance of it (specifying the loop, the human, and what the human is supposed to do) is what differentiates a real policy from boilerplate.
The fourth is the workforce layer. AI changes how work gets done, which means it changes job descriptions, performance metrics, and sometimes headcount. The policy should address how AI productivity gains will be measured and credited, and how employees displaced or restructured by AI deployments will be handled. Florida is an at-will state, but federal employment law, the WARN Act, and union obligations still apply, and AI-driven workforce changes have started showing up in enforcement actions.
Around all of that, three operational pieces make a policy actually function. The first is a documentation requirement that creates a trail for every AI-assisted decision of consequence. The second is an incident response procedure for AI-related issues (model drift, biased output, IP infringement, data exposure) that runs alongside the existing cybersecurity incident plan; data exposure through an AI tool is also a security incident, so the two procedures need a shared intake and escalation path rather than two parallel ones. The third is a governance committee with members from legal, IT, and the business units that owns the policy, reviews it on a defined cadence, and approves new tools.
The legal environment around AI is changing fast enough that any policy is going to be obsolete within twelve months. That is fine, as long as the policy is structured to be updated. What does not work is a one-time document, written in 2024, that nobody has touched since. The companies that get AI compliance right are not the ones that write the perfect policy. They are the ones that treat the policy as a living instrument and assign someone to keep it alive.