MENUCLOSE
Resources / Free tool
Generate an AI policy you can ship by Monday.
Pick your controls — including an owner, a budget, a model scope, and a kill switch for every AI actor (human, app, or agent). Download an editable Word document grounded in NIST AI RMF, the EU AI Act, and ISO 42001. A real document for security and legal — not a Notion checklist.
Resources / Generator
Resources / Why this template
There are a lot of AI policy templates. Most of them are bad.
They’re copy-pasted from a competitor’s site, written by someone who hasn’t looked at the EU AI Act, or so generic that an auditor will spot it in 30 seconds. This one is different: built from real frameworks, tied to the AI tools and agents your company actually runs, and structured so every clause maps to a control you can enforce — an owner, a budget, a model scope, an audit trail, and an off switch — not just a line you signed.
NIST AI Risk Management Framework (Govern / Map / Measure / Manage), EU AI Act risk classification, and ISO/IEC 42001 management system requirements. The language an auditor will recognize.
References ChatGPT, Claude, Copilot, Gemini, and Microsoft 365 Copilot by name — and gives autonomous agents an owner, a budget, and a kill switch. Gartner projects 150K+ agents per Fortune 500 by 2028, and only 13% of leaders feel adequately governed. This template assumes they’re coming.
Includes the honest-coverage language that protects you when the auditor asks “how do you know?” — Observed, Inferred, Enforced, and Not Covered, without overclaiming.
Microsoft Word .docx for legal and Markdown for engineering. Same content, both formats, no PDF lock-in.
Resources / What’s in the template
Eight sections. Every one defensible.
What counts as “AI” in your environment, and who the AI actors are — the humans, apps, and agents using AI through your stack. Third-party assistants (ChatGPT, Claude, Copilot, Gemini), embedded features (Notion AI, Microsoft 365 Copilot), API usage by engineering, autonomous agents that spend and act unattended, and internal models. Without a real scope — and an owner for every actor — the rest is unenforceable.
What each AI actor can use AI for, by role and data class. Drafting and brainstorming with non-sensitive data. Code generation with non-proprietary code. Summarization within approved tools. For agents: an approved model scope and a budget, not an open-ended mandate. Clear, role-aware, not absolutist.
What’s out: sensitive customer PII into unmanaged consumer tools, regulated data (PHI, financial account data, etc.) into non-BAA providers, code containing secrets, anything covered by an NDA you can’t cite.
The list — by name — and the procurement path for adding more. Includes data-residency and retention notes from each provider’s enterprise terms. Updated when contracts change, not annually.
How the company observes and controls AI usage per actor. Which signals you collect (gateway, provider APIs, expense, SSO). What you budget, what you cap, and how you disable a misbehaving actor’s Tallin-mediated model access when spend or behavior goes wrong. The honest coverage statement that protects you in an audit: “we observe X%, infer Y%, enforce Z%, and acknowledge gaps in W% — including direct provider calls made outside Tallin and tool / MCP execution side effects.”
What happens when sensitive data goes to the wrong place. Containment steps. Provider notification. Customer notification thresholds. The same shape as your existing security incident plan — extended for AI.
Quarterly review of the provider list and coverage report. Annual policy refresh. Out-of-band review when a major new tool enters the company. Documented, with dates and owners.
Who owns the policy (typically Security or a designated AI Governance lead), who reviews it (Legal, IT, the AI Council if you have one), and who enforces it day-to-day (managers, with escalation paths). And — for agents that act without a human in the loop — a named human owner accountable for that actor’s scope, budget, and off switch.
Resources / The honest part
A policy is a starting point. Enforcement is the product.
A signed policy without runtime control is theater. The whole point of this template is to get you to the next step: routing AI through Tallin so each section becomes a live control — every actor with an owner, a budget, a model scope, and a kill switch — backed by honest coverage you can show an auditor. The template is free either way, but the value compounds when policy and enforcement live in the same system.
Stop writing policy from scratch.
Request access, grab the template, run the assessment. Less than 30 minutes from open tab to draft policy on your CISO’s desk.