Why "it'll probably be fine" isn't enough
Without a policy, so-called shadow AI takes hold: employees use personal accounts on free tools for company data because it's convenient and nobody said no. That undermines both data protection (module 7) and the AI-literacy duty from the AI Act (module 20) - without anyone acting in bad faith.
What a good policy actually covers
Which tools are approved
A short list of approved tools - on a business tier rather than free consumer access, see module 7 - instead of a blanket ban that gets worked around anyway.
What data may be entered
A clear boundary - e.g. no customer data, no unpublished financial figures - instead of vague caution that everyone interprets differently.
Who needs approval for what
Which AI-assisted outputs - customer communication, contract drafts - need human review before going out (see module 13).
How new tools get approved
A simple process for a team to propose a new AI tool for review - instead of it being introduced informally and unnoticed.
Not a bureaucracy monster
An effective policy fits on one page. It doesn't need to cover every edge case - just answer the most common situations clearly and name a contact person for everything else.
Why this matters for you as a decision-maker
A policy also happens to be the simplest evidence for the AI-literacy duty (module 20) - it shows you actively engaged with the topic instead of leaving it to chance.