Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
AI Governance & Secure AI for Business · Download

AI Governance Policy Template

A structured template for documenting approved AI tools, data classification rules, ownership, and monitoring provisions that govern AI use across the organization.

IT KORR Knowledge Center

AI Governance Policy Template

A structured template for documenting approved AI tools, data classification rules, ownership, and monitoring provisions that govern AI use across the organization.

Purpose & Scope

State why the policy exists — to enable productive use of AI tools while protecting sensitive data, ensuring accountability for AI-assisted output, and meeting existing regulatory and contractual obligations. Define what the policy covers: all employees, contractors, and third parties using AI tools on behalf of the organization, and every AI tool whether formally provisioned or independently adopted.

  • Scope includes generative AI assistants, embedded AI features in existing software (e.g., Microsoft 365 Copilot), and any third-party AI service that processes organizational data.
  • Scope applies regardless of whether the tool is paid, free, or accessed through a personal account on a work device.

Approved AI Tools & New Tool Request Process

  • Maintain a single, authoritative list of approved AI tools, with the approved use case and data boundaries for each.
  • Define the request process for a new tool: who submits it, what information is required (vendor, data handled, purpose), and who evaluates it.
  • Evaluation should cover data handling and retention practices, vendor security posture, contractual terms, and fit against existing data classification rules before approval.
  • Publish the current approved list somewhere all staff can easily check before adopting a new tool.

Data Classification Rules for AI Use

  • Public/general data — may be used with any approved AI tool without additional review.
  • Internal data — may be used only with tools that meet the organization's minimum security and data-handling requirements.
  • Confidential/regulated data (client records, protected health information, financial account data, credentials) — may not be submitted to any AI tool unless it is specifically approved for that data tier under contract terms that prohibit training on submitted data.
  • When in doubt about a data tier, default to the more restrictive classification until confirmed otherwise.

Roles & Responsibilities

  • AI Governance Owner — accountable for maintaining the policy, the approved tools list, and the request process.
  • Approval Authority — reviews and approves or denies new tool requests and exceptions; typically IT leadership or a designated governance committee.
  • Department Managers — responsible for ensuring their teams understand and follow the policy in day-to-day work.
  • All Users — responsible for using only approved tools for the data tiers permitted, and reporting suspected misuse or policy gaps.

Monitoring & Audit Provisions

  • Periodically review AI tool usage logs (where available) against the approved tools list to identify unapproved or shadow AI use.
  • Include AI tool usage as a standing item in existing security or compliance audits.
  • Document any policy exceptions granted, including scope, duration, and approving authority.

Policy Review Cadence

  • Review the policy and approved tools list at least twice per year, and immediately following any material AI-related incident.
  • Version the policy document and record who approved each revision.

Related Resources

  • AI Governance Fundamentals — /knowledge-center/artificial-intelligence/ai-governance-secure-ai/ai-governance-fundamentals
  • Building an AI Governance Program — /knowledge-center/artificial-intelligence/ai-governance-secure-ai/building-an-ai-governance-program

This document is a starting-point resource, not legal or compliance advice. Review it against your organization's actual systems before adoption — see the full AI Governance & Secure AI for Business Hub for the reasoning behind each recommendation.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT