Company AI policy: template and rules to set in 2026
How to draft an internal AI policy in 2026: scope, prohibited data, human review, AI lead, GDPR and AI Act compliance. A six-step template and key watch points.
Expert note: This article was written by our chartered accountancy firm. Information is current as of 2026. For a personalised review of your situation, contact us.
Quick answer. A company AI policy is an internal document that governs the use of artificial intelligence tools: scope, approved tools, data that must never be entered, human review and training. In 2026 it ties in with the GDPR and Regulation (EU) 2024/1689, and is built in six straightforward steps.
Your teams already use generative AI, whether you decided it or not. A salesperson pastes a client list into an assistant to draft an email, an accountant asks for a summary from a general ledger, a director has a contract reviewed. Each one saves time, and each one potentially exposes sensitive data in a consumer tool. The AI policy exists precisely to turn this spontaneous use into a controlled practice, without slowing the productivity gains.
We see the same sequence recur in our files: AI arrives from the bottom up, tool after tool, before any rule is written. The policy often comes only after a first incident, a client record entered in the wrong place or an inaccurate piece of content sent outside. This article sets out a six-step policy template and the watch points we flag to our clients.
Why an AI policy becomes essential in 2026
The stakes are not theoretical. Three frameworks overlap and concern every company, whatever its size.
Regulation (EU) 2024/1689, the Artificial Intelligence Act, entered into force on 1 August 2024 and applies in stages. The prohibited AI practices in its Article 5 and the AI literacy obligation have applied since 2 February 2025. The obligations for general-purpose AI models have applied since 2 August 2025. The rules for the high-risk systems listed in Annex III apply from 2 August 2026. Penalties can reach EUR 35 million or 7 % of worldwide annual turnover.
The GDPR, Regulation (EU) 2016/679, imposes the data minimisation principle: only data that is strictly necessary may be processed (Art. 5(1)(c)). Pseudonymised data remains personal data, unlike anonymised data. For processing likely to result in a high risk, a data protection impact assessment is required (Art. 35).
Professional secrecy applies in addition for some professions. As a chartered accountant, we are bound by secrecy under Order No. 45-2138 of 19 September 1945 and the code of conduct: our clients' data cannot move freely to a third-party tool. The same logic applies to any business handling confidential data.
Our view. The AI policy is not just another compliance exercise. It is the fastest tool to cut a concrete and immediate risk, the leak of data through a free tool, while laying the groundwork for teams to build skills. A short, applied policy is worth more than a long, forgotten one.
The six-step AI policy template
Here is the outline we recommend. Each step produces a section of the policy.
Step 1: map AI uses
Start by listing the tools actually used, team by team. Writing, translation, data analysis, customer support, code, accounting. Note who uses them, on which files and with which account, personal or professional.
This inventory almost always reveals uses management was unaware of. Without this starting snapshot, the policy governs theoretical uses while the real risks sit in tools adopted on the margins.
Step 2: rank uses by risk level
Rank each use according to the data processed and the impact of an error. Regulation (EU) 2024/1689 separates the prohibited practices in Article 5, the high-risk systems in Annex III and ordinary uses.
This grid avoids two symmetrical mistakes: banning everything, which pushes teams to work around the rule, or allowing everything, which exposes the company. Control effort then focuses on sensitive processing.
Step 3: define allowed and prohibited data
This is the section consulted most day to day. It must be short and concrete. The table below illustrates the sorting principle.
| Type of data | Consumer tool | Approved, governed tool |
|---|---|---|
| Public data (marketing text, already published content) | Allowed | Allowed |
| Non-sensitive internal data | Avoid | Allowed |
| Personal data (clients, employees) | Prohibited | Subject to GDPR conditions |
| Trade secrets, contracts, financial data | Prohibited | Subject to conditions |
| Data covered by professional secrecy | Prohibited | Strict framework |
The guiding principle is simple: personal or confidential data must never be entered into a consumer tool. The minimisation required by the GDPR translates here into a clear operational instruction.
Step 4: set human review and traceability
An AI output can be plausible and wrong. The policy requires human review before any external use of generated content, and a record of approved tools.
Specify who validates, what must be checked and how use is documented. Traceability protects the company if generated content is challenged or if use becomes the subject of an audit.
Step 5: appoint an AI lead and train teams
Appoint a lead who decides on the adoption of new tools and answers day-to-day questions. Regulation (EU) 2024/1689 has imposed an AI literacy obligation since 2 February 2025: users must understand the limits of the tools they handle.
Short training, built on the real uses mapped in step 1, does more for compliance than a document signed but never read.
Step 6: roll out the policy and review it
Communicate the policy, have it acknowledged and set a review date. The ecosystem moves fast and the timetable of Regulation (EU) 2024/1689 runs to 2 August 2026 for high-risk systems.
A frozen policy becomes inaccurate within months. A periodic review, at least yearly, keeps it useful and credible.
What the policy must contain, point by point
The policy fits on a few pages. Here are the headings we consider essential.
- The scope: who is concerned, which tools, which uses are covered.
- The list of approved tools and the procedure to propose a new one.
- The data prohibited from entry, plainly worded.
- The requirement of human review before external use.
- The traceability and documentation rules.
- The name and role of the AI lead.
- A reminder of GDPR and Regulation (EU) 2024/1689 obligations.
- The update date and the review frequency.
Trade-off. Should consumer tools be banned or governed? An outright ban is tempting but encourages workarounds: teams use the tool on a personal account, beyond any control. Governance, with a list of prohibited data and a professional version of the tool where one exists, is more realistic for most SMEs. A strict ban is justified for the most sensitive data, such as data covered by professional secrecy.
The pitfalls we see most often
The policy rarely fails on substance. It fails on application.
The underestimated risk. The main danger is not the official tool chosen by management, but the free tool quietly adopted by a busy colleague. That is the door through which client data leaves. A policy that only covers approved tools and ignores informal use misses the essential point.
A second pitfall concerns pseudonymisation. Replacing a name with a code is not enough to take data out of the GDPR: pseudonymised data remains personal data. Only anonymisation, which is irreversible, takes the information out of scope. Many directors believe they are protected by masking names; they are not.
The third pitfall is confusing the policy with the technical reality. Writing that entering personal data is prohibited does not configure the tool. The policy must come with technical choices: a professional version that does not reuse data for training, named accounts, logging.
2026 watch points. The timetable of Regulation (EU) 2024/1689 is advancing: AI literacy and prohibited practices since February 2025, general-purpose models since August 2025, high-risk systems from 2 August 2026. If the company develops or integrates a system covered by Annex III, the August 2026 deadline must appear in the action plan. The CNIL also publishes recommendations on the use of AI and data protection that are worth reading before any structuring decision.
A common case: the SME discovering use after the fact
In transformation files, the most common scenario looks like this. A services SME finds, during an internal review, that half its teams already use a free AI assistant, each on a personal account, on working documents that sometimes include client details. No rule exists. Management hesitates between cutting everything off, which would alienate teams attached to the time saved, and letting it run, which keeps the risk in place.
The policy settles this dilemma. The inventory makes the use objective, the risk ranking separates what can continue from what must stop, the prohibited-data list gives a clear instruction, and the lead becomes the contact point that prevents a return to personal accounts. The whole thing fits into a scoping meeting and a short document. The point is not primarily legal: it is to secure a practice that is already in place.
Quick decision: where to start
| Your situation | Recommended first action |
|---|---|
| No rules, use already widespread | Map uses before writing anything |
| Policy exists but never reviewed | Check the prohibited-data list and the review date |
| Sensitive client or wealth data | Ban entry into consumer tools, choose a governed version |
| Project for an Annex III system | Anticipate the 2 August 2026 deadline and document compliance |
To connect the policy to your finance function, our digital transformation of the finance function integrates these rules into accounting tools, for example when you deploy the Pennylane tool. If AI touches your bookkeeping, our analysis of AI applied to accounting and the guide AI in accounting: ROI, risks and the AI Act go deeper on the accounting side. For concrete examples, see the generative AI use cases in SMEs. Younger companies will find a suitable framework in our support for tech startups, and you can discuss it with our chartered accountancy firm in Paris 8.
Frequently asked questions
What is a company AI policy?
It is an internal document that governs the use of artificial intelligence tools. It defines the scope, the approved tools, the data that must never be entered, the requirement of human review, traceability and training. The policy turns scattered, spontaneous use into a controlled practice, aligned with the GDPR and the European regulation on artificial intelligence.
Is an AI policy mandatory?
No text imposes a document called an AI policy. However, Regulation (EU) 2024/1689 has imposed an AI literacy obligation since 2 February 2025, and the GDPR requires data minimisation. The policy is the practical way to meet these obligations and to record the rules that apply within the company.
What data must never be entered into a consumer AI tool?
Personal data, trade secrets and client data covered by professional secrecy must never be entered. The minimisation required by the GDPR forbids processing more data than necessary. For such information, a professional and governed version of the tool is reserved, or it is avoided altogether.
Is pseudonymisation enough to protect data?
No. Pseudonymisation reduces the risk but pseudonymised data remains personal data under the GDPR. Only anonymisation, which is irreversible, takes the information out of the regulation's scope. Masking a name with a code therefore does not exempt you from data protection obligations.
Who should be the AI lead in the company?
The lead can be a director, an IT manager or a trained employee. Their role is to decide on tool adoption, answer questions and keep the list of approved tools up to date. In a small organisation this role is often combined with another function; what matters is that an identified contact point exists.
What penalties apply for breaching the AI regulation?
Regulation (EU) 2024/1689 provides for penalties of up to EUR 35 million or 7 % of worldwide annual turnover for the most serious breaches, such as the use of a practice prohibited by Article 5. The amount depends on the nature of the infringement. An applied policy helps reduce this risk.
How often should the AI policy be reviewed?
At least once a year, and at every major change: a significant new tool, a new regulatory deadline, an internal incident. The timetable of Regulation (EU) 2024/1689 runs to 2 August 2026 for high-risk systems, which justifies regular monitoring. A frozen policy quickly loses its value.
Key takeaways
The AI policy is now the simplest tool to secure a use that is already in place. Built in six steps (mapping, risk ranking, prohibited data, human review, an AI lead, roll-out), it cuts the risk of data leaks while supporting teams as they build skills. It ties in with the GDPR and Regulation (EU) 2024/1689, whose deadlines run to 2 August 2026.
The decisive point is not the drafting but the application: addressing informal use, backing the policy with technical choices, and reviewing it regularly. This article informs you of the framework; a decision specific to your situation requires reviewing your tools, your data and your regulatory exposure. Our firm can help you build a policy tailored to your business.
Updated 17 June 2026. Content written by Hayot Expertise, chartered accountant and statutory auditor, registered with the Order of Chartered Accountants of Île-de-France.

Article written by Samuel HAYOT
Chartered Accountant, registered with the Institute of Chartered Accountants.