IT KORR Knowledge Center
AI Governance Policy Template
A structured template for documenting approved AI tools, data classification rules, ownership, and monitoring provisions that govern AI use across the organization.
Purpose & Scope
State why the policy exists — to enable productive use of AI tools while protecting sensitive data, ensuring accountability for AI-assisted output, and meeting existing regulatory and contractual obligations. Define what the policy covers: all employees, contractors, and third parties using AI tools on behalf of the organization, and every AI tool whether formally provisioned or independently adopted.
- Scope includes generative AI assistants, embedded AI features in existing software (e.g., Microsoft 365 Copilot), and any third-party AI service that processes organizational data.
- Scope applies regardless of whether the tool is paid, free, or accessed through a personal account on a work device.
Approved AI Tools & New Tool Request Process
- Maintain a single, authoritative list of approved AI tools, with the approved use case and data boundaries for each.
- Define the request process for a new tool: who submits it, what information is required (vendor, data handled, purpose), and who evaluates it.
- Evaluation should cover data handling and retention practices, vendor security posture, contractual terms, and fit against existing data classification rules before approval.
- Publish the current approved list somewhere all staff can easily check before adopting a new tool.
Data Classification Rules for AI Use
- Public/general data — may be used with any approved AI tool without additional review.
- Internal data — may be used only with tools that meet the organization's minimum security and data-handling requirements.
- Confidential/regulated data (client records, protected health information, financial account data, credentials) — may not be submitted to any AI tool unless it is specifically approved for that data tier under contract terms that prohibit training on submitted data.
- When in doubt about a data tier, default to the more restrictive classification until confirmed otherwise.
Roles & Responsibilities
- AI Governance Owner — accountable for maintaining the policy, the approved tools list, and the request process.
- Approval Authority — reviews and approves or denies new tool requests and exceptions; typically IT leadership or a designated governance committee.
- Department Managers — responsible for ensuring their teams understand and follow the policy in day-to-day work.
- All Users — responsible for using only approved tools for the data tiers permitted, and reporting suspected misuse or policy gaps.
Monitoring & Audit Provisions
- Periodically review AI tool usage logs (where available) against the approved tools list to identify unapproved or shadow AI use.
- Include AI tool usage as a standing item in existing security or compliance audits.
- Document any policy exceptions granted, including scope, duration, and approving authority.
Policy Review Cadence
- Review the policy and approved tools list at least twice per year, and immediately following any material AI-related incident.
- Version the policy document and record who approved each revision.
Related Resources
- AI Governance Fundamentals — /knowledge-center/artificial-intelligence/ai-governance-secure-ai/ai-governance-fundamentals
- Building an AI Governance Program — /knowledge-center/artificial-intelligence/ai-governance-secure-ai/building-an-ai-governance-program