How to Build a Practical, Compliance-Ready AI Policy

In the past few weeks, AI regulation has gone from abstract to operational. With the EU AI Act taking effect, U.S. states moving ahead with their own laws, and regulators issuing fresh guidance in finance and HR, it's no longer enough to “wait and see.”

That said, most companies are still in the early stages of formalizing their internal AI governance. If you’ve started experimenting with AI tools—but haven’t written down how they should (or shouldn’t) be used—you’re not alone. But now is the time to catch up.

This week’s edition focuses on one of the most foundational elements of AI governance: your internal AI policy. Whether you already have one or are building from scratch, I’ll walk through what it should include, how strict it needs to be, and how to tailor it to your team’s risk profile.

📢 Upcoming Event for Finance Leaders – Save the Date!

As many of my readers might know, I’m not only a newsletter author but also an expert in the AI Finance Club, a growing community of CFOs and finance leaders mastering AI in real time.

Nicolas Boucher, who leads the Club, is hosting a free live webinar next week that’s perfect for anyone exploring how AI is reshaping the CFO role.

📅 When: Tuesday, July 29, 2025
🕒 Time: 11:00 AM ET / 5:00 PM CET
📍 Register here – it’s free!

If you’ve been curious about the Club or want a clear entry point into AI for finance, this is the best way to get started. Highly recommended! 

The Balanced View: What a Good AI Policy Looks Like

If your organization is using AI tools in financial operations, reporting, planning, or HR—even informally—you need a written AI policy. With active regulation in the EU, New York, and several other U.S. states, and new frameworks emerging globally, internal governance is no longer optional.

AI Policy as a Compliance Tool

A strong AI policy helps reduce operational risk, but it also plays a key role in regulatory readiness.

If your company operates in, serves clients in, or processes data from any of the following, your AI use may fall under binding obligations:

• European Union → subject to the EU AI Act (especially high-risk use cases)

• New York State / NYC → subject to employment-related AI rules, bias audits, and explainability requirements

• California, Colorado, Utah, Tennessee → each with their own rules around AI disclosures, deepfakes, algorithmic transparency, or public accountability

• Canada and Australia → both moving forward with national AI legislation modeled on the EU approach

In highly regulated sectors (financial services, healthcare, insurance, government contractors), additional rules or sector-specific guidance often apply. If you're handling sensitive financial data, PII, or compliance documentation, your AI use may trigger requirements around security controls, documentation, or human oversight—even if the tool is embedded in another platform.

For U.S.-based teams, even where there is no federal law, the NIST AI Risk Management Framework is emerging as a de facto standard for internal AI governance and procurement reviews. Several regulators (FTC, SEC, CFPB) have already referenced it in recent enforcement actions or guidance.

What Should an AI Policy Cover?

Here are the key components that a sound AI policy should include:

1. Regulatory Scope and Jurisdictional Exposure

Start with a simple statement:

• Which jurisdictions your company operates in

• Which of those have active or pending AI laws

• Which teams, tools, or workflows are in scope

If you fall under EU AI Act, New York State, or NIST-aligned expectations, state that clearly. Even if you’re not currently subject to formal rules, adopting a framework like NIST or ISO/IEC 42001 signals proactive governance.

2. Use Case Risk Classification 

Classify AI use by risk—not just by functionality. This helps teams know when approval or oversight is needed.

Green (Low Risk)
Drafting internal content, templates, or summaries using non-sensitive data.
→ Allowed without approval.

Yellow (Moderate Risk)
Using AI in internal planning, analysis, or draft reporting with business data.
→ Tool must be approved, and outputs require human review.

Red (High Risk)
AI-influenced decisions in finance, HR, or external-facing outputs; or any use involving PII or regulatory data.
→ Requires enterprise-grade tools, documentation, and audit trail. Subject to regulation in some jurisdictions.

3. Data Handling Rules

Your policy should define:

• What types of data can and cannot be used with AI tools

• Which tools are approved for which data types

• How data is classified (internal, confidential, regulated, export-controlled, etc.)

This section should tie directly to existing data privacy, IT security, and compliance policies.

4. Tool Approval and Review Process

Specify:

• Which AI tools are approved (and under what licenses)

• Whether enterprise security features are required

• Who approves new tools or upgrades

• Whether IT or compliance reviews are required before integration into workflows

5. Output Validation and Oversight

For regulated or critical use cases, your policy should require human validation before outputs are:

• Used to inform business decisions

• Shared externally (e.g., in investor or client communications)

• Filed for compliance or audit purposes

If your tools generate financial forecasts, credit models, or HR evaluations, regulators may require explainability, audit trails, and performance monitoring.

6. Documentation and Audit Readiness

Keep records of:

• What tools are used

• By whom and for what purpose

• What data types are processed

• What reviews have occurred

• Any incidents or overrides

Use a simple format—Excel, Notion, or SharePoint is enough for many companies. You don’t need a GRC system, but you do need defensible documentation.

How Restrictive Should It Be?

Your AI policy should protect the business—but not prevent progress. The right level of restriction depends on your company’s priorities, data sensitivity, and overall risk appetite.

If your organization values flexibility and wants to encourage innovation, your policy can be lighter—especially for low-risk, internal use cases. Many regulatory frameworks, including the EU AI Act, are still in early enforcement phases. In most regions, companies have several months or even years before legal consequences around AI use become routine. That gives you room to implement governance gradually, starting with basic controls and scaling as needed.

On the other hand, if your company’s core value proposition centers on data security, compliance, or responsible AI, a more restrictive policy can be a strategic differentiator. For firms in regulated sectors, or those working with sensitive client data, strict AI policies are not just about risk—they become part of your brand promise. In these cases, stronger internal controls, documented oversight, and enterprise-grade tool usage aren’t barriers—they’re selling points.

The most effective policies strike the right balance: structured enough to manage real risk, but flexible enough to support innovation and adoption.

Staying Current: Review Every 3–6 Months

AI regulation is evolving faster than most corporate governance policies are used to. Unlike more stable areas like finance or HR compliance, the rules around AI use, data classification, and tool accountability are still being shaped—often with short notice and regional variation.

Your AI policy and approved tool list should be reviewed more frequently than traditional internal policies. A 3- to 6-month review cycle is ideal, especially if your company operates in multiple jurisdictions or handles regulated data.

Make this cadence part of your policy itself. Assign responsibility (e.g., finance operations, compliance lead, or AI task force), and set calendar reminders to review tool usage logs, new regulatory developments, and any platform updates that might affect your compliance posture.

Deeper Dive: AI Policy Checklist to Guide Your First Draft

What Should Be in Your AI Policy?

✅ Regulatory scope

• Jurisdictions where AI laws apply (EU AI Act, U.S. state laws, Canada, etc.)

• Statement of alignment with frameworks (e.g. NIST AI RMF, ISO/IEC 42001)

✅ Use case risk classification

• Green / Yellow / Red model to define low, moderate, and high-risk AI use

• Examples mapped to each level, with matching oversight requirements

✅ Tool approvals

• List of allowed AI tools and subscription tiers

• Defined process for evaluating and approving new tools

• Security/compliance criteria for enterprise vs. public tools

✅ Data handling rules

• Tiered model for allowable data (public, internal, confidential, regulated)

• Clear restrictions on uploading sensitive or regulated data to public models

✅ Human oversight protocols

• Review requirements for outputs tied to finance, compliance, or HR

• Additional scrutiny for customer-facing or investor-facing outputs

✅ Documentation and audit logs

• Basic usage logging (tool, owner, data type, purpose, date)

• Oversight records for Red-class use cases

✅ Roles and responsibilities

• Policy owner (Finance Ops, Compliance, etc.)

• Named reviewers or approval leads for Yellow/Red use cases

✅ Policy update frequency

• AI policy review scheduled every 3–6 months

• Monitoring process for regulation changes or tool updates

✅ Shadow AI prevention

• Clear guidance for teams on acceptable exploratory use

• Guardrails to prevent unauthorized or invisible adoption

✅ Training and awareness

• Onboarding guidance or quarterly reminders for AI use expectations

• Optional: links to internal examples or case studies for safe use

Closing Thoughts

A few months ago, I was saying that an AI use policy didn’t need to be more than three bullet points. In many cases, that was true. But that’s no longer enough.

As regulatory complexity increases and AI tools evolve faster than most teams can keep up with, companies need a more structured approach. Not a 30-page legal document—but a clear, practical, and risk-based policy that guides teams across functions.

This is now a core part of operational governance. It protects the business, enables innovation, and prepares you for the compliance landscape that’s unfolding in real time.

If you need help building or updating your policy, just book a call and I’ll walk you through the structure I use with finance and compliance teams.

We Want Your Feedback!

This newsletter is for you, and we want to make it as valuable as possible. Please reply to this email with your questions, comments, or topics you'd like to see covered in future issues. Your input shapes our content!

Want to dive deeper into balanced AI adoption for your finance team? Or do you want to hire an AI-powered CFO? Book a consultation! 

Did you find this newsletter helpful? Forward it to a colleague who might benefit!

Until next Tuesday, keep balancing!

Anna Tiomina 
AI-Powered CFO