April 2026 · 6 min reading time

AI policy in 2 pages: the template you can fill in today

A practical two-page AI policy template you can fill in today. Seven parts, sample wording, and what it does and does not cover under the EU AI Act.

Why most AI policies never get written

In almost every organisation where the question "do we actually have an AI policy?" comes up, the same thing happens. Someone takes it on, opens a blank Word document, googles "AI policy template", lands on a 28-page template full of legal language, and closes the document again. Not out of laziness, but out of common sense: an organisation of forty people does not need a 28-page AI governance framework. And so nothing gets written at all.

That is a shame, because two pages are enough to cover the basic governance points that support EU AI Act compliance, give your employees clarity, and show at an audit that you are taking the issue seriously. This article sets out exactly what belongs in those two pages, in order, with a short explanation of why for each section and a sample wording you can adopt.

What a good AI policy is not

Before we get to the content, three things an AI policy should not be:

It is not a legal document. It is a working instruction for your employees. If they cannot read it on an ordinary Monday morning, it misses its point.

It is not a complete inventory of every AI tool your organisation uses. That inventory sits alongside it and is updated regularly. The policy itself has to stay stable, otherwise it would need rewriting with every new tool.

It is not a list of bans. A policy that only says what is not allowed leads to shadow AI, meaning employees start working under the radar. A good policy makes clear above all what is allowed, and under which conditions.

The seven parts that belong in every AI policy

1. Purpose and scope (3-4 sentences)

Start with why this document exists and who it applies to. Sample wording:

"This policy describes how employees of [organisation] work responsibly with AI tools. It applies to all employees, volunteers and external parties who use AI tools on behalf of [organisation], whether these tools have been made available centrally or installed by the employees themselves."

That last addition is crucial. Without that sentence, all shadow AI use slips through the net.

2. Which AI tools are allowed and which are not (short, concrete)

No long lists; three categories are enough: tools that are centrally approved and provided, tools that individuals may use for their own work provided no confidential data is entered, and tools that are not allowed without prior permission. Sample wording:

"Approved tools: [Microsoft Copilot, ChatGPT Enterprise]. Conditionally allowed: other public AI tools for your own writing and thinking, provided no confidential information is entered. Prohibited without prior approval: any tools that process personal data, customer data, financial information or strategic documents."

3. What is and is not allowed, the core rules (5-7 bullets)

The heart of the policy. Keep it simple and behaviour-focused. Sample wording:

You may use AI to improve, rephrase or translate your own work.
You may use AI to explain something to yourself or to brainstorm.
You may not enter personal data, customer data, patient data or financial figures into a public AI tool.
You may not use AI output as a final customer-facing result without doing the final check yourself.
You are responsible for what you send out under your name: an AI mistake is your mistake.
When in doubt: ask your manager or the designated person responsible for AI before you type.

4. Responsibility and point of contact (2-3 sentences)

One name, one role. Sample wording:

"The person responsible for the AI policy within [organisation] is [name, role]. For questions, doubts or incidents, contact this person directly at [email address]. For technical questions about the approved tools, you can turn to [IT point of contact]."

5. Mandatory training and certification (2-3 sentences)

This is where you address Article 4 of the EU AI Act; which knowledge each role needs under the EU AI Act is something we explain in a separate insight. Sample wording:

"All employees complete the mandatory AI literacy training before [date]. Employees in higher-risk roles (HR, IT, customer contact) follow an in-depth training. The certificate is valid for one year. New employees complete the training within three months of joining."

6. What to do in the event of an incident (3-4 sentences)

A short, concrete path. Sample wording:

"Do you suspect that confidential information has accidentally been entered into an AI tool, or do you have doubts about the outcome of an AI system? Report this within 24 hours to the person responsible for AI. Minor incidents are logged and evaluated internally, while major incidents (such as data breaches or incorrect customer-facing decisions) are handled in line with the existing procedures for data breaches and quality incidents."

7. Validity and review (1 sentence)

"This policy is reviewed at least once a year by [responsible person] and updated in between whenever there is a significant change in legislation or the AI landscape."

Two pages. Done.

If you fill in the seven parts above with answers that fit your organisation, you have two pages of text that cover the basic governance points supporting EU AI Act compliance, that give your employees concrete guidance, and that you can put on the table at an audit. Not perfect, but real. And that is more than 90 per cent of organisations have at the moment.

What this policy does not replace

A two-page AI policy does not replace three things, and you should know that before you feel proud of it:

It does not replace an inventory of your AI systems. You keep that separately, noting for each system who is responsible for human oversight. For high-risk systems under the EU AI Act, you will need documented control: risk level, provider, intended use, human oversight, logs and registration where applicable.

It does not replace training for your employees. A document on the shared drive is not training. Article 4 asks you to demonstrably support the AI literacy of your people, differentiated by role. Certificates are not legally required, but they are a practical way to evidence what was covered and tested. A policy on its own is not enough.

It does not replace a supplier check of your existing contracts. Who provides your AI tools, what documentation they supply, and whether you can lawfully and safely deploy the system remains part of your responsibility as deployer. The policy mentions that this check exists, but the check itself also has to actually happen.

In closing

An AI policy should not be the final piece of your AI approach; it should be the starting point. Something to write down today, discuss with your team next week, and test against practice in a month. Waiting until you "know everything" before you write anything down is waiting until you never have to start. And the AI literacy obligation of Article 4 applies now, not somewhere in the future.

At AIAdopt we help organisations not only with the training (the base package plus sector extensions), but also with the practical steps around it, including setting up a policy that works for your organisation. Our microtrainings end with an assessed certificate that shows which AI literacy has been built, exactly the evidence with which you can support your Article 4 effort.
