How to Write an AI Security Policy: A Practical Template for Mid-Market Companies

An AI security policy cannot be written in isolation. It encodes organizational decisions — about risk tolerance, about who has authority to approve AI deployments, about what categories of data AI systems are permitted to access — that must be made before the policy document exists. Attempting to write the policy before these decisions are made produces a document full of placeholders and vague commitments that cannot be operationalized.

The first decision is risk tolerance: what categories of AI use does the organization consider acceptable, what categories require scrutiny, and what categories are prohibited outright? A reasonable baseline for mid-market companies permits AI tools that assist individual productivity with no access to sensitive data, requires formal review for AI systems that access regulated data or influence consequential decisions, and prohibits AI tools that would process data subject to contractual restrictions or that operate in jurisdictions with conflicting regulatory requirements. Your specific risk tolerance will depend on your industry, your regulatory environment, and your existing data governance posture.

The second decision is decision rights: who is authorized to approve new AI deployments, and at what tier of risk does approval escalate? A workable model assigns frontline approval authority to department heads or IT for low-risk tools, requires security and compliance review for medium-risk deployments, and escalates high-risk deployments — particularly agentic systems and AI that processes regulated data — to a defined senior approver or governance committee. The policy must name these roles, not describe them generically, or the approval process will default to whoever happens to be available rather than whoever has the appropriate expertise and accountability.

The third decision is data classification alignment: which data categories may be used as inputs to AI systems, which require additional controls, and which are prohibited from AI processing entirely? This decision requires coordination with your existing data classification framework. If you classify data into tiers — public, internal, confidential, restricted — the AI policy needs to specify which AI deployment types are permitted to access each tier. An AI tool that processes only public and internal data carries fundamentally different risk than one with access to confidential customer records or restricted financial data.

Purpose and Scope. The policy must clearly define what it covers. Scope should include all AI tools, platforms, and systems used by employees, contractors, and third parties acting on the organization's behalf, regardless of whether they are IT-provisioned or individually adopted. Explicitly including shadow AI in scope — tools used without IT approval — is necessary to establish that unapproved AI use is a policy violation, not a gray area. The purpose statement should connect the policy to the organization's risk management objectives, not just compliance obligations, to establish that it exists for substantive reasons.

AI Risk Classification. This section defines the organization's risk tiers and the criteria that place a deployment in each tier. A three-tier model is practical for most mid-market organizations. Low risk: AI tools that assist individual productivity, have no access to sensitive or regulated data, cannot take autonomous actions, and are used by individuals without influencing decisions that affect others. Medium risk: AI systems that access internal sensitive data, generate content that is published externally or delivered to customers, assist with decisions that have meaningful consequences for employees or customers, or are integrated with business systems. High risk: AI agents with tool access and autonomous action capability, AI systems that process regulated data including PII, PHI, or financial records, AI used in consequential decision workflows, and any AI deployment subject to regulatory oversight. Each tier should have defined approval requirements, technical control requirements, and monitoring requirements.

Approved and Prohibited Uses. This section provides concrete guidance on permitted AI uses, required controls for those uses, and prohibited uses that the organization has determined create unacceptable risk. Approved uses with standard controls typically include AI writing assistants operating on non-sensitive data, AI coding assistants operating on non-proprietary code, AI summarization tools for public or internal documents, and AI productivity tools that do not integrate with business systems. Uses requiring additional controls typically include AI operating on customer data, AI integrated with business systems, AI that generates external-facing content, and AI used in hiring, performance, or other employment decisions. Prohibited uses typically include AI tools with no BAA that process PHI, AI tools operated by providers with no data processing agreement, consumer AI tools processing confidential client data, and AI used to make fully automated decisions with no human review in contexts where regulations require human oversight.

Procurement and Approval Process. This section specifies the workflow for requesting approval of a new AI tool or deployment. It should name the intake mechanism — a form, a ticketing system, a defined email address — and specify what information the requestor must provide: the tool or system being requested, the intended use case, the data it will access, the users who will have access, and any vendor agreements already in place. It should define the review steps for each risk tier and the expected turnaround time. Without a defined process, approvals happen informally, inconsistently, and without documentation that demonstrates governance coverage to an auditor.

Data Handling Requirements. This section specifies how employees must handle data in the context of AI use. It covers what data categories may be entered into which AI tools, requirements for reviewing AI outputs before acting on them, restrictions on storing sensitive data in AI tool conversation histories, and requirements for notifying the security team if a potential data exposure through an AI tool is suspected. This section should be written to be understandable to a non-technical employee — it is the part of the policy that governs day-to-day behavior, and ambiguity here produces inconsistent compliance.

Vendor Assessment Requirements. This section specifies what the organization requires from AI vendors before deployment. At minimum: a data processing agreement or BAA if the vendor will process regulated data, documentation of the vendor's security controls, disclosure of where model inference and data storage occur, confirmation that the vendor will not use customer data to train or fine-tune models without consent, and the vendor's breach notification obligations and timeline. For high-risk deployments, additional requirements may include SOC 2 Type II reports, penetration test results, and specific contractual provisions around data deletion and audit rights.

Monitoring and Enforcement. A policy without enforcement mechanisms is a statement of preference, not a governance control. This section specifies how compliance with the AI policy will be monitored — through access reviews, shadow AI detection tooling, periodic attestation, or audit sampling — and what the consequences of policy violation are. It should also specify the review cycle for the policy itself, who is responsible for maintaining it, and the conditions that trigger an out-of-cycle review, such as a significant change in the regulatory environment or a material AI security incident.

The difference between an enforceable AI security policy and an aspirational one is operational specificity. Enforceable policies name roles rather than describing them, specify processes rather than requiring that processes exist, define thresholds rather than requiring that risk be considered, and establish accountability rather than distributing it so broadly that no one is responsible.

The approval process must have a named owner who is accountable for its operation. The risk classification criteria must be specific enough that a department head can classify a new AI tool without calling the security team for interpretation. The prohibited uses list must be specific enough that an employee knows whether their intended use is permitted without reading the policy three times. The monitoring program must be real — actual tooling, actual review cycles, actual escalation paths — not a commitment to monitor that is never operationalized.

Enforceability also requires that the policy be maintained. AI technology and the regulatory environment are both moving faster than most policy review cycles. An AI security policy that was current eighteen months ago may be materially out of date today. Build a review trigger into the policy — a mandatory annual review plus out-of-cycle review when the threat landscape, regulatory environment, or the organization's AI deployment posture changes significantly — and assign someone who is accountable for initiating that review.