Skip to main content
AI & Agents/responsible-ai-policy

Responsible AI Policy

Draft an internal responsible-AI policy: principles to concrete do's and don'ts, human oversight, transparency, fairness, and a named enforcement owner.

Use this when an organization needs a focused responsible-AI policy: the principles, the do-and-don't rules, the human oversight and disclosure requirements, and a named owner who enforces it. This is the responsible-AI principles-to-practice document, not the full org governance program. If the organization needs risk tiering, vendor evaluation, a governance structure, and a rollout plan, use /ai-governance-framework instead and treat this policy as the principles layer inside it.

Related skills: Lives inside the broader /ai-governance-framework. Track policy gaps as risks in /ai-risk-register. For EU AI Act obligations specifically, use /eu-ai-act-readiness. For feature-level assessment, use /product-ethics-review.

The hard part most teams miss

A responsible-AI policy is now a board-level expectation. Regulators (the EU AI Act) and enterprise customers increasingly require documented governance before they will buy or partner. Most policies still fail the same three ways.

  1. A policy nobody can apply is theater. "We use AI ethically and fairly" governs nothing. Every principle has to become a concrete do-and-don't tied to a real workflow: which tool, which data, which step. If an employee cannot read a line and know what to do at their desk this afternoon, that line is decoration, not policy.
  2. The enforcement owner is the whole point. A principle with no named owner and no consequence changes nothing. Someone with a name and a title has to approve exceptions, run the review, and answer when it goes wrong. "The AI committee" is not an owner. A person is.
  3. It has to guide the hard cases. Any policy can forbid the obvious abuses nobody was going to commit. The value is in the genuinely ambiguous use: the recruiter screening resumes with AI, the analyst pasting a contract into a chatbot, the support agent letting AI answer a customer unsupervised. Write for those, or you have only governed the easy cases.

Process

Step 1: Gather inputs

Ask the user to provide:

  1. Organization -- name, size, industry, and the regulatory environment it operates in.
  2. Real AI workflows -- where is AI actually used today? Be specific: drafting customer emails, screening candidates, summarizing meetings, writing code, answering support tickets. Include shadow AI (tools people adopted without approval).
  3. Data the org handles -- PII, PHI, financial, proprietary, customer content, public. This decides what may and may not go into a tool.
  4. The hard cases -- the two or three uses leadership is genuinely unsure about. These are the test of the policy.
  5. The enforcement owner -- who will own this policy by name and title? If the answer is "we have not decided," that is the first decision to make, not a detail to defer.
  6. Existing principles -- any company values, ethics statement, or AI principles already published that this policy must stay consistent with.

Step 2: Set the principles, each tied to a practice

For each principle the org wants to stand behind, write the principle in one line, then convert it immediately into a concrete do and a concrete don't an employee can apply. A principle without its paired practice does not go in the policy.

Use this set as the starting frame and adjust to the org:

  • Human accountability -- a person owns every AI output, not the tool.
  • Transparency -- people know when they are interacting with AI and when AI shaped a deliverable.
  • Fairness -- AI is not used to make or screen decisions about people without a check for bias and a human in the loop.
  • Data protection -- what goes into a tool is governed by the data's sensitivity, not by convenience.
  • Appropriate use -- AI assists judgment in high-stakes work; it does not replace it.

Step 3: Draft the policy

# Responsible AI Policy: {{Organization}}
**Owner:** {{name, title}}
**Effective date:** {{date}}    **Version:** 1.0    **Next review:** {{date}}

## Purpose
This policy sets the rules for how {{Organization}} uses AI responsibly. It applies to
every employee, contractor, and vendor, and to every AI tool, whether company-provided
or individually adopted. It exists so AI helps the work without creating harm, exposure,
or decisions no person stands behind.

## Principles, and what they mean in practice
Each principle is paired with what to do and what not to do. The principle is the reason;
the practice is the rule.

1. Human accountability. A named person owns every AI-assisted output.
   - Do: review and verify AI output before you use it, ship it, or send it. You are
     accountable for what you submit, the same as if you wrote it yourself.
   - Don't: forward, publish, or act on AI output you have not checked, or treat
     "the AI said so" as a reason.

2. Transparency and disclosure. People know when AI is involved.
   - Do: label AI-generated content where a reader would reasonably expect to know,
     and disclose when someone is interacting with an AI rather than a person (for
     example, an AI chat assistant).
   - Don't: present AI output as solely your own work where disclosure is expected,
     or let a customer believe they are talking to a human when they are not.

3. Fairness. AI does not decide about people unchecked.
   - Do: keep a human in the loop on any AI use that screens, ranks, or evaluates
     people (hiring, performance, credit, eligibility), and check outputs for biased
     patterns before acting.
   - Don't: let AI make a final hiring, firing, disciplinary, or eligibility decision,
     or use it to screen people without a documented human review.

4. Data protection. Sensitivity drives what you may input.
   - Do: only put data into a tool that the tool is approved to handle for that
     sensitivity level. Use approved enterprise tools for anything beyond public data.
   - Don't: paste PII, PHI, customer content, credentials, secrets, or proprietary
     material into a consumer AI tool, or one that may train on your inputs.

5. Appropriate use. AI assists high-stakes judgment, it does not own it.
   - Do: use AI to draft, summarize, and explore in regulated, legal, medical, financial,
     or safety-critical work, then have a qualified person validate before it counts.
   - Don't: rely on AI output in a regulatory filing, legal advice, medical guidance,
     or financial decision without expert human validation.

## Acceptable use
AI is encouraged for: {{drafting, summarizing, brainstorming, research support, coding
assistance, and the org's other low-risk workflows}}, using approved tools and with the
review rules above.

## Prohibited use
The following are not permitted under any circumstances:
- Entering credentials, API keys, secrets, or {{regulated data type}} into any AI tool.
- Using AI to make final decisions about people without human review (hiring, firing,
  discipline, eligibility).
- Using AI to impersonate a specific real person, or to deceive about whether a human
  is involved.
- Using AI output in regulatory, legal, medical, or financial work without expert
  validation.
- Training or fine-tuning on proprietary or customer data without legal and security review.
- {{org-specific prohibitions}}

## Human oversight requirements
- Low-stakes use: self-review by the person using the tool.
- Decisions affecting customers or external parties: review by a second qualified person
  before release.
- Decisions affecting people (hiring, performance, eligibility) or regulated outputs:
  documented human review and sign-off by {{role}}, no exceptions.

## Data handling
- Public data: approved tools, no restriction.
- Internal data: approved enterprise tools only.
- Confidential, PII, PHI, customer content: approved enterprise tools with a data
  agreement (DPA/BAA) in place; never consumer tools. 

## Transparency and disclosure
- Label AI-generated or AI-significantly-assisted content shared externally where a
  reader would expect to know.
- Disclose clearly when a person is interacting with an AI rather than a human.
- Do not misrepresent AI output as solely human work where that distinction matters.

## Accountability and ownership
- Policy owner: {{name, title}}. Owns the policy, approves exceptions, runs the review,
  and answers for incidents.
- Every employee owns the AI output they submit or act on.
- Exceptions: requested in writing to the owner, granted only with documented rationale.

## Incident handling
- If AI causes or nearly causes harm (data exposure, a wrong output used in a decision,
  a customer complaint, a fairness failure): report it to {{owner / security contact}}
  within {{timeframe, e.g. 24 hours}}.
- The owner logs the incident, assesses impact, decides remediation, and updates this
  policy if a gap is found.
- No retaliation for reporting in good faith.

## Consequences
Violations are handled under {{the org's existing conduct/disciplinary process}}.
Repeated or willful violations involving sensitive data or people-affecting decisions
are treated as serious.

## Review
This policy is reviewed by the owner every {{quarter / six months}}, and after any
material incident or regulatory change.

Step 4: Pressure-test against the hard cases

Take the two or three ambiguous uses from Step 1 and walk each one through the drafted policy. For each, the policy must produce a clear answer: allowed, allowed with a named control, or prohibited. If a hard case lands in a gray zone, the policy is not specific enough yet. Add the rule that resolves it, in concrete do-and-don't form. Do not ship a policy that only governs the cases nobody was worried about.

Step 5: Review

Ask the user:

  • Can a non-technical employee read any principle and know what to do at their desk? If not, the practice line is missing.
  • Does every principle have a named owner and a real consequence? A policy with neither changes nothing.
  • Does the policy give a clear answer for each hard case from Step 1?
  • Does anything here need legal or security validation before it ships? Flag those with .
  • Is there an incident path a worried employee would actually use, with a timeframe and no retaliation?

Anti-patterns

Anti-patternWhy it failsDo instead
Aspirational principles, no practice"We use AI responsibly" tells no one what to doPair every principle with a concrete do and don't tied to a real workflow
No named ownerNobody approves exceptions, runs review, or answers for incidentsName a person and title as policy owner, not a committee
Governs only the easy casesForbids obvious abuse, silent on the ambiguous use people actually facePressure-test against the genuinely hard cases and write the rule that resolves each
Disclosure left vague"Be transparent" without naming when to label or discloseSpecify when to label AI content and when to disclose AI interaction
No consequenceA policy people can ignore without cost is ignoredTie violations to the existing conduct process and state it
Set and forgetTools, risks, and regulation move faster than an annual docName a review cadence and trigger review after any incident or regulatory change

Output location

Present the policy as formatted text in the conversation for the user to copy into their handbook or policy wiki.

Related AI & Agents skills

Agent Eval HarnessAgent Reliability AuditAI Agent DesignAI Eval DesignAI Guardrails DesignAI Health CheckAI Product SpecAI Risk Register
Back to Skills Catalog