AI Governance Policy Builder
Build internal AI governance policies from scratch. Covers acceptable use, model selection, data handling, vendor contracts, compliance mapping, and board reporting.
When to Use
- Writing or reviewing internal AI acceptable use policies
- Establishing AI governance committees or review boards
- Mapping AI usage to regulatory frameworks (EU AI Act, NIST, ISO 42001)
- Evaluating vendor AI terms and liability clauses
- Preparing board-level AI governance reports
Governance Policy Framework
1. Acceptable Use Policy (AUP)
Every organization running AI needs a written AUP covering:
Permitted Uses
- List approved AI tools by department and function
- Define data classification tiers (public, internal, confidential, restricted)
- Map which data tiers can enter which AI systems
- Specify approved vendors vs. shadow AI (employees using personal ChatGPT accounts)
Prohibited Uses
- Customer PII sent without anonymization to any AI service that has not passed vendor security review (for example, no current SOC 2 Type II report)
- Autonomous financial decisions above $[threshold] without human review
- HR screening/scoring without bias audit documentation
- Any use violating sector regulations (HIPAA, GDPR, SOX, PCI-DSS)
Shadow AI Detection
| Signal | Risk Level | Action |
|---|---|---|
| API calls to unknown AI endpoints | HIGH | Block + investigate |
| Browser extensions with AI features | MEDIUM | Audit + approve/deny |
| Personal accounts on company devices | MEDIUM | Policy reminder + monitor |
| Exported data to AI training sets | CRITICAL | Immediate review |
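The signal table can be driven straight from web-proxy logs. The script below is an added example for this page, not AfrexAI code: it classifies each request against the rows above (unknown AI endpoint, personal consumer account, upload to a file or fine-tuning endpoint as the nearest observable proxy for "exported to a training set") and returns findings most severe first. The log format, the approved and consumer host lists, the API path patterns and the 5 MiB bulk-upload threshold are all constructed assumptions; treat the path heuristics as triage input, not as an auto-block rule.

```python
"""Shadow-AI detection over web-proxy logs, mapped to the signal table above.
Added example for this page, not AfrexAI code. The log format, host lists,
path patterns and size threshold are constructed assumptions."""
import re

# Assumption: AI API hosts your AUP has approved (enterprise API, DPA signed).
APPROVED_API_HOSTS = {"api.openai.com", "api.anthropic.com"}
# Assumption: consumer web apps of AI vendors; traffic here from a company
# device is the "personal account" signal.
CONSUMER_AI_HOSTS = {"chatgpt.com", "chat.openai.com", "claude.ai", "gemini.google.com"}
# Path shapes shared by common LLM APIs; flags AI-looking traffic to hosts we
# have never heard of. Heuristic: review hits, do not auto-block on this alone.
AI_PATH_RE = re.compile(r"/v\d+/(?:chat/completions|completions|messages|embeddings)\b")
# File/fine-tuning endpoints are the closest observable proxy for "data exported
# into a training set"; a very large POST/PUT to an AI host is treated the same.
TRAINING_PATH_RE = re.compile(r"/v\d+/(?:files|fine_tuning|fine-tunes|uploads)\b")
BULK_UPLOAD_BYTES = 5 * 1024 * 1024  # assumption: 5 MiB

# Constructed log format: <timestamp> <user> <method> <url> <bytes_sent_by_client>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) "
    r"https?://(?P<host>[^/\s]+)(?P<path>\S*) (?P<bytes_out>\d+)$"
)
RISK_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2}


def classify(line: str):
    """Return a finding dict for one log line, or None if benign or unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, path, method = m["host"], m["path"], m["method"]
    bytes_out = int(m["bytes_out"])
    looks_like_ai = (host in APPROVED_API_HOSTS or host in CONSUMER_AI_HOSTS
                     or AI_PATH_RE.search(path) is not None)
    if not looks_like_ai:
        return None

    def finding(signal, risk, action):
        return {"user": m["user"], "host": host, "path": path,
                "signal": signal, "risk": risk, "action": action}

    # Order matters: the most severe applicable signal wins.
    if TRAINING_PATH_RE.search(path) or (method in ("POST", "PUT") and bytes_out >= BULK_UPLOAD_BYTES):
        return finding("Exported data to AI training sets", "CRITICAL", "Immediate review")
    if host not in APPROVED_API_HOSTS and host not in CONSUMER_AI_HOSTS:
        return finding("API calls to unknown AI endpoints", "HIGH", "Block + investigate")
    if host in CONSUMER_AI_HOSTS:
        return finding("Personal accounts on company devices", "MEDIUM", "Policy reminder + monitor")
    return None  # approved API host, ordinary request


def scan(log_text: str):
    """Classify every line and return findings, most severe first."""
    findings = [f for f in map(classify, log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: RISK_ORDER[f["risk"]])


# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2025-03-04T09:12:01Z alice POST https://api.openai.com/v1/chat/completions 2048
2025-03-04T09:13:44Z bob POST https://chatgpt.com/backend-api/conversation 1500
2025-03-04T09:15:10Z carol POST https://api.llm-startup.example/v1/chat/completions 4096
2025-03-04T09:20:00Z dave POST https://api.openai.com/v1/files 73400320
2025-03-04T09:21:05Z erin GET https://intranet.example/wiki/page 512
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['risk']:<8} {f['user']:<6} {f['host']}{f['path']}  -> {f['action']}")
```

On the constructed log this flags dave (file upload, CRITICAL), carol (unknown AI host, HIGH) and bob (consumer ChatGPT, MEDIUM) and ignores alice's approved API call and erin's intranet request. The "browser extensions with AI features" row is not visible in proxy logs at all and needs an endpoint inventory (browser extension allowlist) instead.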
2. AI Model Selection & Procurement
Evaluation Scorecard (100 points)
| Criteria | Weight | What to Check |
|---|---|---|
| Data residency & sovereignty | 20 | Where is data processed? Stored? Can you choose region? |
| Security certifications | 20 | SOC 2 Type II, ISO 27001, HIPAA BAA, FedRAMP |
| Model transparency | 15 | Training data provenance, bias testing, version control |
| Contract terms | 15 | Data usage rights, indemnification, SLA, exit clauses |
| Performance & cost | 15 | Latency, accuracy benchmarks, token pricing, rate limits |
| Integration & support | 15 | API stability, documentation quality, support SLA |
Minimum score for production deployment: 70/100
Red Flags (automatic disqualification):
- Vendor trains on your data without opt-out
- No data processing agreement (DPA) available
- Indemnification excluded for AI outputs
- No incident response SLA
3. Data Handling & Classification
AI Data Flow Audit Template
For each AI integration, document:
- Input data: What goes in? Classification tier? PII present?
- Processing: Where? Which model? Hosted or API? Region?
- Output data: What comes out? Stored where? Retention period?
- Training: Does vendor use your data for training? Opt-out confirmed?
- Logging: Are prompts/responses logged? Where? Who has access?
- Deletion: Can you request data deletion? Verified how?
Data Minimization Checklist
- Only send minimum necessary data to AI systems
- Strip PII before processing where possible
- Use synthetic data for testing and development
- Implement input sanitization for prompt injection prevention
- Audit output for data leakage (model regurgitating training data)
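The tier map from the AUP (which data tiers may enter which AI systems) and the "strip PII before processing" item above are easiest to enforce in one gate that sits in front of every AI call. The code below is an added example for this page, not AfrexAI code. The system names, the tier map, the PII patterns and the sample ticket are constructed assumptions; the regexes cover common formats only (email, US SSN, US phone, card numbers validated with a Luhn check so that order numbers are not redacted), and a real deployment would back them with a proper classifier.

```python
"""Data-tier gate plus PII redaction in front of an AI call. Added example for
this page, not AfrexAI code. System names, the tier map and the PII patterns
are constructed assumptions; the regexes catch common formats, not all PII."""
import re

TIERS = ("public", "internal", "confidential", "restricted")

# Assumption: your AUP's mapping of data tiers to approved AI systems.
# Any system not listed here is shadow AI and gets nothing.
ALLOWED_TIERS = {
    "vendor-llm-enterprise": {"public", "internal", "confidential"},  # DPA signed, training opt-out confirmed
    "self-hosted-llm": {"public", "internal", "confidential", "restricted"},
    "personal-chatgpt": {"public"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: stops order numbers and other 13-16 digit runs from being
    redacted as card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Order matters: card numbers are matched before phone numbers so a 16-digit
# run is never partially consumed as a phone number.
PII_PATTERNS = [
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("CARD", re.compile(r"(?<!\d)(?:\d[ -]?){13,16}(?!\d)")),
    ("US_SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("PHONE", re.compile(r"(?<!\d)(?:\+?1[ -.]?)?\(?\d{3}\)?[ -.]?\d{3}[ -.]?\d{4}(?!\d)")),
]


def redact(text: str):
    """Replace PII with typed placeholders; return (clean_text, counts_by_kind)."""
    counts = {}
    for kind, rx in PII_PATTERNS:
        def repl(m, kind=kind):
            if kind == "CARD" and not luhn_ok(re.sub(r"\D", "", m.group(0))):
                return m.group(0)  # fails Luhn, so not a card number: leave it
            counts[kind] = counts.get(kind, 0) + 1
            return f"[{kind}]"
        text = rx.sub(repl, text)
    return text, counts


def gate(system: str, tier: str, text: str) -> dict:
    """Decide whether `text` classified at `tier` may go to `system`; if so,
    minimise it first. Returns a decision dict suitable for audit logging."""
    if tier not in TIERS:
        raise ValueError(f"unknown data tier {tier!r}")
    allowed = ALLOWED_TIERS.get(system)
    if allowed is None:
        return {"allowed": False, "reason": f"{system!r} is not an approved AI system (shadow AI)"}
    if tier not in allowed:
        return {"allowed": False, "reason": f"{tier} data may not enter {system}"}
    clean, counts = redact(text)
    return {"allowed": True, "system": system, "tier": tier,
            "prompt": clean, "redactions": counts}


# Constructed support ticket with fake identifiers (the order number is a
# 16-digit run that fails Luhn and must survive redaction).
SAMPLE_TICKET = ("Customer Jane Roe (jane.roe@example.com, SSN 123-45-6789, "
                 "card 4111 1111 1111 1111, phone (555) 867-5309, "
                 "order 1234 5678 9012 3456) asked for a refund.")

if __name__ == "__main__":
    for system, tier in [("vendor-llm-enterprise", "confidential"),
                         ("personal-chatgpt", "confidential"),
                         ("random-browser-extension", "public")]:
        print(system, tier, "->", gate(system, tier, SAMPLE_TICKET))
```

The decision dict is what you log: it records which tiers were allowed, what was redacted and why a request was refused, which is exactly the evidence the data flow audit template asks for. Redaction happens only after the tier check passes, so restricted data never reaches the redactor on its way to a system that should not see it at all.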
4. Regulatory Compliance Mapping
EU AI Act (in force since 1 Aug 2024; prohibited practices apply from 2 Feb 2025, general-purpose AI obligations from 2 Aug 2025, most high-risk obligations from Aug 2026 and the remainder through 2027)
| Risk Category | Examples | Requirements |
|---|---|---|
| Unacceptable | Social scoring, real-time remote biometric identification in public spaces (narrow law-enforcement exceptions) | Banned |
| High-risk | HR screening, credit scoring, medical devices | Conformity assessment, human oversight, transparency |
| Limited | Chatbots, deepfakes | Transparency obligations (disclose AI use) |
| Minimal | Spam filters, game AI | No requirements |
NIST AI RMF (AI Risk Management Framework)
- Govern: Establish oversight structure and accountability (cross-cutting; underpins the other three)
- Map: Identify AI systems in use and the context and impacts of each
- Measure: Quantify and track risks per system
- Manage: Implement controls proportional to risk and act on findings
ISO 42001 (AI Management System)
- Useful for organizations wanting certified AI governance
- Built on the same management-system structure as ISO 27001, so an existing ISO 27001 certification shortens the path
- Covers: AI policy, risk assessment, objectives, competence, documentation
5. AI Governance Committee Structure
Recommended Composition
- Chair: CTO or Chief AI Officer
- Legal: 1 representative (contracts, compliance)
- Security: CISO or delegate (data protection, incident response)
- Business: 1-2 department heads (use case prioritization)
- Ethics: External advisor or designated internal role
- Finance: CFO delegate (budget, ROI tracking)
Meeting Cadence
- Monthly: Review new AI use cases, vendor changes, incidents
- Quarterly: Policy updates, compliance audit, budget review
- Annually: Full governance framework review, board report
Decision Authority
| Decision | Authority Level |
|---|---|
| New AI tool (up to $5K/year) | Department head + security review |
| New AI tool (over $5K/year) | Governance committee approval |
| Customer-facing AI | Committee + legal + CEO sign-off |
| AI incident response | Security lead (immediate) → Committee (48h review) |
6. Vendor Contract Checklist
Before signing any AI vendor contract, confirm:
- Data processing agreement (DPA) signed
- Your data is NOT used for model training (or explicit opt-out confirmed)
- Data residency requirements met (specify regions)
- Indemnification clause covers AI-generated output liability
- SLA includes uptime, latency, and support response time
- Exit clause: data export format, deletion timeline, transition support
- Security certifications current and verified (not expired)
- Incident notification timeline specified (72h or less; if you are a GDPR controller your own 72h regulator clock starts when you learn of the breach, so require faster notice from processors)
- Subprocessor list provided with change notification rights
- Insurance coverage for AI-specific risks confirmed
- Price lock or cap on increases for contract duration
- Right to audit (or audit report access)
7. Board Reporting Template
Quarterly AI Governance Report
AI GOVERNANCE REPORT — Q[X] [YEAR]
1. AI PORTFOLIO SUMMARY
- Active AI systems: [count]
- New deployments this quarter: [count]
- Retired/replaced: [count]
- Total AI spend: $[amount] (vs budget: $[amount])
2. RISK DASHBOARD
- High-risk systems: [count] — all compliant: [Y/N]
- Open incidents: [count] — resolved this quarter: [count]
- Shadow AI detections: [count] — remediated: [count]
- Compliance gaps: [list]
3. VALUE DELIVERED
- Hours saved: [estimate]
- Revenue attributed to AI: $[amount]
- Cost reduction: $[amount]
- Customer satisfaction impact: [metric]
4. KEY DECISIONS NEEDED
- [Decision 1: context + recommendation]
- [Decision 2: context + recommendation]
5. NEXT QUARTER PRIORITIES
- [Priority 1]
- [Priority 2]
8. Incident Response for AI Systems
AI-Specific Incident Categories
| Category | Example | Response Time |
|---|---|---|
| Data breach via AI | Model leaks PII in output | Immediate — invoke security IR plan |
| Hallucination causing harm | Wrong medical/legal/financial advice acted on | 4h — document, notify affected parties |
| Bias detected | Discriminatory output in hiring/lending | 24h — suspend system, audit, remediate |
| Prompt injection | Attacker manipulates AI behavior | Immediate — block vector, patch |
| Cost overrun | Runaway API calls | 4h — rate limit, investigate, cap |
| Vendor incident | Provider breach or outage | Per vendor SLA — activate backup |
Post-Incident Review Template
- What happened (factual timeline)
- Impact (who/what affected, cost, duration)
- Root cause (not blame — systems thinking)
- Fixes applied (immediate + permanent)
- Policy/process changes needed
- Board notification required? (Y/N + rationale)
Cost of NOT Having AI Governance
| Company Size | Annual Risk Without Governance |
|---|---|
| 15-50 employees | $50K-$200K (shadow AI waste, compliance fines) |
| 50-200 employees | $200K-$800K (data incidents, vendor lock-in, redundant tools) |
| 200-1000 employees | $800K-$3M (regulatory penalties, IP exposure, audit failures) |
| 1000+ employees | $3M-$15M+ (class action, regulatory enforcement, reputational damage) |
90-Day Implementation Roadmap
Month 1: Foundation
- Draft acceptable use policy
- Inventory all AI systems in use (including shadow AI)
- Classify data flowing through each system
- Identify governance committee members
Month 2: Controls
- Finalize and distribute AUP
- Implement vendor evaluation scorecard for new purchases
- Set up AI incident response procedures
- Begin regulatory compliance mapping
Month 3: Operationalize
- First governance committee meeting
- Deliver first board report
- Establish monitoring for shadow AI
- Schedule quarterly policy review cycle
Built by AfrexAI — AI operations infrastructure for mid-market companies.
Get the full industry-specific context pack for your sector ($47): https://afrexai-cto.github.io/context-packs/
Calculate your AI automation ROI: https://afrexai-cto.github.io/ai-revenue-calculator/
Set up your AI agent workforce in 5 minutes: https://afrexai-cto.github.io/agent-setup/
Need all 10 industry packs? $197 for the complete bundle: https://buy.stripe.com/aEUaGJ2Xd0rI6zKfZ7