AI Policy Drafter
Overview
Create comprehensive AI governance policies that enable innovation while managing risk. Draft acceptable use policies, development guidelines, and operational guardrails.
Core principle: Policies should enable responsible AI adoption, not block it. Clear guidelines reduce risk and accelerate good decisions.
When to Use
- Launching AI program
- Responding to regulatory requirements
- After AI incidents
- Annual policy review
- New AI capability deployment
Output Format
```yaml
ai_policy:
  title: "[Policy title]"
  version: "[X.Y]"
  effective_date: "[YYYY-MM-DD]"
  owner: "[Policy owner]"
  metadata:
    scope: "[Who/what this applies to]"
    related_policies: ["[Related policy]"]
    review_schedule: "[Frequency]"
    next_review: "[Date]"
  sections:
    - section: "[Section title]"
      content: "[Policy content]"
      requirements:
        - requirement: "[Requirement statement]"
          mandatory: [true | false]
          applies_to: "[Who must follow]"
      exceptions:
        process: "[How to request exception]"
        authority: "[Who can approve]"
  definitions:
    - term: "[Term]"
      definition: "[Definition]"
  compliance:
    enforcement: "[How enforced]"
    violations: "[Consequences]"
    reporting: "[How to report issues]"
  approvals:
    - approver: "[Name/Role]"
      date: "[Date]"
```
Policy Types
Acceptable Use Policy
```yaml
au_policy_sections:
  purpose:
    - "Define appropriate use of AI tools"
    - "Protect organization and individuals"
    - "Enable responsible innovation"
  scope:
    - "All employees using AI tools"
    - "All AI-generated content"
    - "Both approved and shadow AI"
  permitted_uses:
    - "Internal productivity (drafting, research)"
    - "Customer-facing with human review"
    - "Development and testing"
  prohibited_uses:
    - "Processing restricted data without approval"
    - "Automated decisions affecting individuals"
    - "Generating harmful or misleading content"
    - "Circumventing security controls"
  requirements:
    - "Human review of customer-facing output"
    - "No confidential data in public AI tools"
    - "Disclose AI-generated content when required"
    - "Report security incidents immediately"
```
Development Standards
```yaml
dev_standards_sections:
  model_development:
    - "Document training data sources"
    - "Test for bias before deployment"
    - "Version control all artifacts"
    - "Peer review all production models"
  llm_applications:
    - "Implement prompt injection protections"
    - "Log all generations for audit"
    - "Set appropriate content filters"
    - "Test adversarial scenarios"
  deployment:
    - "Security review required"
    - "Performance baseline documented"
    - "Rollback capability tested"
    - "Monitoring configured"
```
Ethical AI Principles
```yaml
principles:
  transparency:
    - "Disclose when AI is used in decisions"
    - "Provide explanations when requested"
    - "Document model limitations"
  fairness:
    - "Test for disparate impact"
    - "Monitor for bias in production"
    - "Enable human appeal of decisions"
  accountability:
    - "Assign human owner for each AI system"
    - "Maintain audit trail"
    - "Report incidents promptly"
  safety:
    - "Assess potential harms before deployment"
    - "Implement appropriate safeguards"
    - "Monitor for unexpected behavior"
```
Key Policy Elements
Data Handling for AI
```yaml
data_policy:
  classification:
    - level: "Restricted"
      ai_use: "Prohibited without specific approval"
      examples: ["PII", "Financial data", "Trade secrets"]
    - level: "Confidential"
      ai_use: "Approved internal tools only"
      examples: ["Internal docs", "Customer communications"]
    - level: "Public"
      ai_use: "Generally permitted"
      examples: ["Published content", "Public data"]
  external_ai_tools:
    prohibited: ["Restricted data"]
    requires_approval: ["Confidential data"]
    permitted: ["Public data", "Synthetic data"]
```
Human Oversight Requirements
```yaml
human_oversight:
  high_risk_decisions:
    definition: "Decisions affecting rights, safety, or significant outcomes"
    requirement: "Human makes final decision"
    examples: ["Hiring", "Credit", "Medical", "Safety-critical"]
  medium_risk:
    definition: "Significant business impact"
    requirement: "Human review before action"
    examples: ["Customer communications", "Financial reports"]
  low_risk:
    definition: "Limited impact, reversible"
    requirement: "Spot-check and monitoring"
    examples: ["Internal drafts", "Research assistance"]
```
Third-Party AI
```yaml
third_party_policy:
  approval_required:
    - "New AI vendor or tool"
    - "Significant change in use"
    - "Processing of sensitive data"
  assessment_checklist:
    - "Security questionnaire completed"
    - "Data processing agreement in place"
    - "Privacy impact assessed"
    - "Business continuity considered"
  ongoing_requirements:
    - "Annual vendor review"
    - "Monitor for incidents"
    - "Track usage and cost"
```
Policy Development Process
Stakeholder Input
```yaml
stakeholders:
  must_consult:
    - "Legal/Compliance"
    - "Security/Privacy"
    - "HR (if employee-facing)"
    - "Business unit leaders"
  should_consult:
    - "AI practitioners"
    - "End users"
    - "Risk management"
```
Review and Approval
```yaml
approval_workflow:
  draft: "Policy owner creates draft"
  legal_review: "Legal validates compliance"
  stakeholder_review: "Key stakeholders comment"
  revision: "Incorporate feedback"
  executive_approval: "Sponsor approves"
  communication: "Announce and train"
  effective: "Policy in force"
```
Communication Templates
Policy Announcement
```markdown
**New AI Policy: [Policy Name]**

**What:** [Brief description]

**Why:** [Rationale]

**Key Requirements:**
- [Requirement 1]
- [Requirement 2]

**Effective:** [Date]

**Questions:** [Contact]

**Full Policy:** [Link]
```
Quick Reference Card
```markdown
## AI Use Quick Reference

**DO:**
✓ Use approved tools for productivity
✓ Review AI outputs before sharing
✓ Report security concerns

**DON'T:**
✗ Put confidential data in public AI
✗ Automate decisions about people
✗ Present AI content as your analysis

**Questions?** [Contact]
```
Checklist
- Policy purpose clear
- Scope defined
- Requirements specific and actionable
- Exceptions process documented
- Legal review completed
- Stakeholders consulted
- Approval obtained
- Communication plan ready
- Training identified
- Review schedule set