5 signs your organisation needs an AI policy
Does your organisation need an AI policy? Five signs it does, from invisible AI use to audit gaps, and what the EU AI Act already expects of you today.

AI tools have quietly become part of everyday work in almost every organisation, often without leadership knowing, without a policy, and without clear agreements. This is not a criticism; it is simply the way technology always progresses: faster than policy can keep up.
But the EU AI Act is here now. And not "soon": the obligation around AI literacy (Article 4) has applied since 2 February 2025. We explain separately what the AI literacy obligation under Article 4 involves. Many organisations think they still have time until August 2026. That picture no longer holds: the stricter high-risk AI requirements have moved, with the Digital Omnibus on AI, to 2 December 2027 (and 2 August 2028 for AI in regulated products). But the basic obligation around AI literacy already applies, and most transparency obligations under Article 50 follow on 2 August 2026, with extra time until 2 December 2026 for certain technical marking obligations for systems already on the market. Postponing the heaviest requirements is therefore no reason to sit still. The question remains: does your organisation have things in order? Here are five signs that the answer is probably "no".
1. You do not know which AI tools your staff use
This is the most common problem. Ask ten employees whether they use AI at work, and at least half will say "no". Then ask whether they have ever used ChatGPT to draft an email, had Copilot help write a document, or used an AI summary tool for meeting notes. Then a very different picture emerges.
AI use is often invisible because it is woven into existing tools. The spellchecker that rewrites sentences? AI. The search function in your CRM that makes "smart suggestions"? AI. The recruitment tool that ranks CVs? AI.
If you as an organisation do not know which AI tools are in use, you also cannot assess whether that use is responsible and compliant.
2. There is no distinction between "allowed" and "not allowed"
In most organisations without an AI policy, an unspoken rule applies: if it works, it is allowed. But the EU AI Act draws a clear distinction between what is and is not permitted.
Emotion recognition in the workplace? A prohibited AI practice. Social scoring of employees? Equally prohibited. Using AI in recruitment without human oversight? High-risk AI with strict requirements. A chatbot on your website where visitors are not clearly informed that they are interacting with AI? A transparency problem under Article 50.
Without a policy, no one knows where the line is. And if no one knows the line, it will inevitably be crossed.
3. Staff share sensitive information with public AI tools
This is the risk that escalates fastest. An employee pastes customer data into ChatGPT to draft a reply. An HR employee enters application data to have an assessment email written. An IT person shares code with a public AI assistant.
All this data leaves your organisation at that moment. It is processed on servers outside your control, possibly outside the EU, and, depending on the tool, account type, settings and contract, possibly used to improve AI models. That is not only an AI Act problem, it is also a GDPR problem.
A good AI policy starts with a simple rule: which data may and may not be entered into which tools? That does not have to be a thick document. Two pages of clear guidelines already make a world of difference.
4. No one is responsible for AI in your organisation
At most SMEs and local authorities, there is no person responsible for AI. IT manages the systems, but does not feel responsible for how staff use AI tools. HR sees it as an IT matter. Leadership has not yet thought about it.
The result: no one keeps an overview, no one spots risks, and no one takes action when something goes wrong.
The EU AI Act does not require every organisation to create an AI department, but organisations that deploy AI need a way to assign responsibility, support AI literacy, manage transparency duties and document what they do. That does not have to be a department. It can be one person with the mandate to inventory AI use, propose policy, and act as the point of contact. But that person has to exist.
5. You cannot demonstrate at an audit what you have done
Suppose something goes wrong. A job applicant complains about discrimination by an AI selection tool. A citizen argues that an AI system decided unfairly about their benefit. A supervisory authority asks questions about the AI use in your organisation.
The first question is then: what have you done to prevent this? Have you trained your staff? Do you have a policy? Have you assessed risks?
If the answer is "we have not really thought about it", you face a serious risk, both legally and reputationally. And in Belgium, the Data Protection Authority (GBA) plays an ever more active role, particularly when data breaches through public AI tools come to light.
A certificate per employee, a documented policy, an inventory of AI systems: that is the evidence that you are taking it seriously. It does not have to be perfect. It has to be demonstrable.
What now?
If you recognise yourself in one or more of these signs, that is no reason to panic. It is a reason to start. Most organisations are at this point; you are not the only one.
Start by inventorying your AI use. Appoint a responsible person. Have your staff follow basic training. And document what you do.
The EU AI Act is not a final destination. It is a starting point for responsible AI use. And the nice thing is: organisations that start early not only have their compliance in order, they also have staff who use AI better, more safely and more effectively.
A policy becomes much more defensible when your staff are demonstrably trained, ideally with certificates that show the learning outcomes covered. That is the difference between an intention and evidence.