Resources / Free tool

Generate an AI policy you can ship by Monday.

Pick your controls — including an owner, a budget, a model scope, and a kill switch for every AI actor (human, app, or agent). Download an editable Word document grounded in NIST AI RMF, the EU AI Act, and ISO 42001. A real document for security and legal — not a Notion checklist.

Resources / Generator

Free tool

Generate your AI governance policy.

Pick the controls you want to commit to. We’ll assemble an editable Word document, each clause grounded in NIST AI RMF, the EU AI Act, and ISO 42001. A draft starting point — review with legal counsel before adoption.

Controls to include (10/10)
Work email required. By generating, you agree to our Privacy Policy.

Resources / Why this template

There are a lot of AI policy templates. Most of them are bad.

They’re copy-pasted from a competitor’s site, written by someone who hasn’t looked at the EU AI Act, or so generic that an auditor will spot it in 30 seconds. This one is different: built from real frameworks, tied to the AI tools and agents your company actually runs, and structured so every clause maps to a control you can enforce — an owner, a budget, a model scope, an audit trail, and an off switch — not just a line you signed.

Grounded in real frameworks

NIST AI Risk Management Framework (Govern / Map / Measure / Manage), EU AI Act risk classification, and ISO/IEC 42001 management system requirements. The language an auditor will recognize.

Built for humans, apps, and agents

References ChatGPT, Claude, Copilot, Gemini, and Microsoft 365 Copilot by name — and gives autonomous agents an owner, a budget, and a kill switch. Gartner projects 150K+ agents per Fortune 500 by 2028, and only 13% of leaders feel adequately governed. This template assumes they’re coming.

Defensible scope statements

Includes the honest-coverage language that protects you when the auditor asks “how do you know?” — Observed, Inferred, Enforced, and Not Covered, without overclaiming.

Editable Word + Markdown

Microsoft Word .docx for legal and Markdown for engineering. Same content, both formats, no PDF lock-in.

Resources / What’s in the template

Eight sections. Every one defensible.

Scope & definitions

What counts as “AI” in your environment, and who the AI actors are — the humans, apps, and agents using AI through your stack. Third-party assistants (ChatGPT, Claude, Copilot, Gemini), embedded features (Notion AI, Microsoft 365 Copilot), API usage by engineering, autonomous agents that spend and act unattended, and internal models. Without a real scope — and an owner for every actor — the rest is unenforceable.

Permitted use

What each AI actor can use AI for, by role and data class. Drafting and brainstorming with non-sensitive data. Code generation with non-proprietary code. Summarization within approved tools. For agents: an approved model scope and a budget, not an open-ended mandate. Clear, role-aware, not absolutist.

Prohibited use

What’s out: sensitive customer PII into unmanaged consumer tools, regulated data (PHI, financial account data, etc.) into non-BAA providers, code containing secrets, anything covered by an NDA you can’t cite.

Approved providers

The list — by name — and the procurement path for adding more. Includes data-residency and retention notes from each provider’s enterprise terms. Updated when contracts change, not annually.

Monitoring, budgets & kill switch

How the company observes and controls AI usage per actor. Which signals you collect (gateway, provider APIs, expense, SSO). What you budget, what you cap, and how you disable a misbehaving actor’s Tallin-mediated model access when spend or behavior goes wrong. The honest coverage statement that protects you in an audit: “we observe X%, infer Y%, enforce Z%, and acknowledge gaps in W% — including direct provider calls made outside Tallin and tool / MCP execution side effects.”

Incident response

What happens when sensitive data goes to the wrong place. Containment steps. Provider notification. Customer notification thresholds. The same shape as your existing security incident plan — extended for AI.

Review cadence

Quarterly review of the provider list and coverage report. Annual policy refresh. Out-of-band review when a major new tool enters the company. Documented, with dates and owners.

Roles & accountability

Who owns the policy (typically Security or a designated AI Governance lead), who reviews it (Legal, IT, the AI Council if you have one), and who enforces it day-to-day (managers, with escalation paths). And — for agents that act without a human in the loop — a named human owner accountable for that actor’s scope, budget, and off switch.

Resources / The honest part

A policy is a starting point. Enforcement is the product.

A signed policy without runtime control is theater. The whole point of this template is to get you to the next step: routing AI through Tallin so each section becomes a live control — every actor with an owner, a budget, a model scope, and a kill switch — backed by honest coverage you can show an auditor. The template is free either way, but the value compounds when policy and enforcement live in the same system.

What happens during design partner onboarding
01Download the policy template in Microsoft Word + Markdown. Yours to edit and ship inside the workspace.
02Run the free AI exposure assessment — Tallin scans for the AI tools your team is already using.
03Start with an Essentials or Growth trial to connect real provider signals and turn the policy into measurable controls.

Stop writing policy from scratch.

Request access, grab the template, run the assessment. Less than 30 minutes from open tab to draft policy on your CISO’s desk.