Definition · AI Policy

What is an AI usage policy?

The formal document that decides whether AI use across your business is defensible or shadow IT. What it should contain, and a free UK template.

The short answer. An AI usage policy is the formal document that defines how staff in a business can use AI tools — which tools are approved, what data can and cannot be put into them, when human review is required, and who owns the policy. For UK businesses it sits alongside the existing acceptable-use policy, data protection policy, and information security policy, and is the principal artefact a regulator, client, or auditor will ask to see.

The eight components a UK AI usage policy should contain

An effective UK AI usage policy covers eight areas. A policy missing any of them tends to surface as a gap during the first procurement question, supervision visit, or audit.

1. Scope. Which staff, which tools, which contexts. Distinguish between general-purpose AI (ChatGPT, Claude, Gemini) and embedded AI (Copilot inside Microsoft 365, AI features inside the CRM or ERP). Both are in scope; their controls differ.

2. Approved tools register. The list of AI tools the business has formally approved, with the date of approval, the data processing agreement (DPA) in place with the vendor, the approval owner, and the renewal date.

3. Prohibited use. The explicit list of things staff must not do — typically: do not paste client data into unapproved tools; do not use AI for decisions affecting clients without human review; do not use personal AI accounts for work tasks. Specificity matters here; vague prohibitions don't survive contact with a Tuesday afternoon.

4. Data handling rules. What categories of data can be used with which tools. Most UK businesses end up with a three-tier model: Tier 1 (public/non-sensitive — any approved tool); Tier 2 (internal — approved enterprise tier with DPA in place); Tier 3 (regulated/sensitive — additional controls or prohibition).

5. Human-in-the-loop requirements. When human review is required before AI output is acted on. UK GDPR Article 22, which restricts solely automated decisions that have legal or similarly significant effects on an individual, is the floor here, but most defensible policies require review well beyond that, particularly in regulated sectors.

6. Approval workflow for new tools. The process by which a staff member can request approval for a new AI tool, including the security review and DPIA steps that must be completed before approval, and the named owner of the approval decision.

7. Training requirement. The minimum training every staff member who uses AI tools must complete, with evidence of completion retained. A refresher is typically required annually.

8. Incident reporting. How staff should report a suspected AI-related incident (data leaked into an AI tool, AI output acted on incorrectly, a vendor security event): who they report it to, the response timeline, and the escalation path.

Why a generic AI policy template usually fails

The widely-shared 2024 templates were written for a different threat environment. They tend to focus on "AI ethics" as a values statement rather than operational controls. UK businesses adopting one of those templates verbatim end up with a policy that reads well at a board meeting but cannot answer a procurement question. The Arx Certa template is structured around the eight components above — operational, not aspirational.

Who owns the AI usage policy

The pattern that works: a named senior owner (typically the COO, head of compliance, or DPO, depending on business size), with the technology lead as second author and both signatures on the cover page. Review quarterly during active AI adoption, annually thereafter. The same owner is accountable for the approval decisions made under the policy.

What an AI usage policy is not

It is not the data protection policy in disguise; the two reference each other but cover different territory. It is not the information security policy; same point. It is not a contract; staff acknowledge it but it is not their employment contract or their contractor agreement. It is not the AI vendor's terms of service.

How the AI usage policy connects to AI readiness

The AI usage policy is the governance dimension of AI readiness made operational. A business with the policy in place but the four other dimensions (data, infrastructure, security, use case) missing scores higher than a business with no policy — but neither is operating AI safely. The Arx Certa scorecard checks all five dimensions; the policy is necessary but not sufficient.

Frequently asked

What's the difference between an AI usage policy and an AI governance framework?

The AI usage policy is the staff-facing document — what people can and cannot do with AI tools. The AI governance framework is the broader operational structure — accountabilities, review cadences, vendor management, risk register, board reporting. The policy is one artefact inside the framework. UK businesses need both.

Does the Information Commissioner's Office have a model AI policy?

The ICO publishes guidance on AI and data protection, including the AI and data protection risk toolkit, but does not publish a model AI usage policy template. Most UK businesses adapt a third-party template (the Arx Certa template is one option) and tailor it to the expectations of their sector regulators.

Should the AI usage policy be signed by every staff member?

Acknowledged, yes — typically as part of the annual policy acknowledgement cycle alongside the data protection and acceptable-use policies. A signature is heavier than most organisations need. Acknowledgement with evidence of training completion is the more common pattern.

How long should an AI usage policy be?

Six to ten pages for most UK SMEs and mid-market businesses. Long enough to cover the eight components properly; short enough that staff actually read it. Anything over fifteen pages typically signals a policy written for a regulator's benefit rather than a staff member's.

How often should the AI policy be reviewed?

Quarterly during active AI adoption (the first 12-18 months for most businesses), annually thereafter. Trigger-based reviews when a new approved tool is added, when a regulator publishes new guidance, or when a related incident occurs.

Related Arx Certa services

If the gaps the scorecard surfaces need outside help to close, these are the engagement types we run for UK firms:

  • AI services — implementation reviews, AI policy work, vendor due diligence, and pilot scoping.
  • Cybersecurity — UK GDPR, NCSC alignment, vendor risk assessment, audit-readiness.
  • Database — the data foundations AI projects depend on.
  • Infrastructure — cloud, identity, network and integration foundations.

See how your policy ranks across all five readiness dimensions

The Arx Certa AI Readiness Scorecard takes 4 minutes and tells you whether your AI policy is doing the work it should — and what the four other dimensions look like alongside it.

Get your AI readiness score → 4 minutes · 12 questions · Personalised report