AI policy for your organization: what should you regulate now?


AI is already in your organization. Even if you think it isn't.

It's in Outlook, Teams, your accounting software, your spam filter and the smart features your team uses every day. Helpful? Definitely. Risky? Also, if you don't set ground rules.

Moreover, since 2024 there has been the AI Act: European legislation that determines how organizations must deal with AI responsibly. It does not require thick policy folders, but clear choices. Anyone using AI must be able to explain what is happening, what risks are involved and who is responsible for what.

For that, you need three things:

  • An AI policy, with clear ground rules about what can and cannot be done.
  • An AI registry, showing which AI tools you use, for what, with what data and what risk.
  • AI-literate employees, who understand how AI works, where its limits are and when they should think for themselves.

The latter is not a casual tip. AI literacy has been mandatory since Feb. 2, 2025 for organizations that use or provide AI systems.

In this article, we'll take you step by step. From the law, to policy and registry, to your people. So that you don't get stuck in "we have to do something with this," but know what you can take care of tomorrow.


AI is everywhere, including in your organization

Ask ten people in your organization if they use AI, and half will say no. But that's almost never true. AI has long been in the tools they touch every day: the smart suggestions in Excel, the summary of a Teams meeting, the spam filter in your email. That's all AI.

And then you have the AI you consciously choose to use. ChatGPT for texts or analysis. A tool that pre-sorts resumes. A chatbot on your website. Software that processes invoices automatically. That's the kind of AI you really need to do something with, because it makes its own choices that affect people.

That's exactly where it gets interesting. Because the more impact AI has on people, data or decisions, the more important the rules of the game become.

The risk is usually not in AI itself, but in the lack of agreements. Someone pastes customer data into ChatGPT, and no one knows where that data then stays. A department uses a tool that has never been approved by anyone. That goes well for a long time, until one time it goes wrong.

That's why you need oversight. What AI are you using? What for? With what data? Who is responsible? And when must a human keep watch?


The AI Act: what will change and when?

The European AI Act is the world's first major law regulating AI. The Act took effect on Aug. 1, 2024, and will be implemented in phases, spread over a few years. The idea is simple: the greater the impact of an AI system on humans, the stricter the rules.

The law works with four levels of risk:

  1. Unacceptable Risk: Prohibited. Think of social scoring, manipulation or AI reading emotions in the workplace. In Europe, we just say no to that.
  2. High risk: Strict requirements. For example, with AI for job applications, credit rating, education or medical applications. You have to be able to prove that the system works fairly, securely and verifiably.
  3. Limited risk: Transparency is the key word here. Is someone talking to a chatbot? Then it should be clear that there is no human on the other end.
  4. Minimal risk: These are most everyday AI applications, such as spell checkers, spam filters and search suggestions. The rules here are light.

The timeline

Key deadlines:

  • Feb. 2, 2025: prohibited AI systems are no longer allowed and AI literacy is mandatory.
  • Aug. 2, 2025: rules for general-purpose AI, such as large language models, are in effect.
  • Aug. 2, 2026: many obligations for high-risk AI systems and transparency take effect.
  • Aug. 2027: the next phase for high-risk AI in products, such as medical devices and machines.

The AI Act does not stand alone. As soon as you process personal data, the AVG (the Dutch term for the GDPR) comes around the corner. Are you using AI to track, assess or select employees? Then the WOR (the Dutch Works Councils Act) comes into play and you need to involve the works council. And for organizations in key sectors, NIS2, the cybersecurity law, may also be relevant.

In short, AI does not live in a legal vacuum. If you use AI seriously, then you need to regulate it seriously.


What is AI policy and why do you need it?

An AI policy is the set of house rules for how your organization handles AI. Nothing more, nothing less. It gives your employees clarity about what is allowed, what is not allowed, and who is responsible for what.

A good policy does not have to be a tome. Better eight clear pages than twenty pages full of jargon that no one reads.

This belongs in it:

  • Scope and definitions: What tools and systems are covered by the policy? What does your organization consider AI? That way you avoid discussion about every clever button in Excel.
  • Roles and responsibilities: Who approves a new AI tool? Who manages the registry? Who checks that a system continues to do what it is supposed to do?
  • Permitted uses: May customer service use ChatGPT for emails? May marketing use AI for image generation? May HR use a tool to screen resumes? Here's where you lay out the boundaries, in plain language.
  • Data and privacy: What data is and isn't allowed in an AI tool? Where will that data be processed? Who has access to the outcome? This touches directly on the AVG.
  • Human oversight: AI may support, accelerate and advise. But for decisions that affect people, a human remains responsible. The machine calculates, summarizes or predicts. The human decides.

What does that provide? Peace, clarity and control. Employees know what is possible, managers know where the risks are, and your organization can demonstrate that AI is not just being deployed at random.

And just as important: good policy makes AI more useful. Because people are more daring when they know where the limits are.


The AI registry: knowing what you have in house

You can't make agreements about tools you don't know about. That's why every AI policy needs an AI registry.

This is an overview of the AI systems your organization uses. Not only the name of the tool, but also what you use it for, which department works with it, what data goes into it, where that data is processed and what risk is attached to it.

The big question is always: what do you put in it?

Because if you have to register every spam filter, spell check and smart button, you're going to be busy for a while. Therefore, the rule of thumb is:

Conscious choice + impact on people = register.

A few examples:

  • ChatGPT for customer emails or analytics? On the registry.
  • A tool that pre-sorts job applicants? Definitely in the registry, because it affects people directly.
  • A chatbot on your website? In the registry, including transparency: visitors should know they are talking to AI.
  • Automatic spell check in Word? You can usually leave that one out. Standard function, low risk, low impact.

An AI registry is not a one-time cleanup. Tools come and go. Departments test new software. Vendors change terms and conditions. So you keep the registry updated.

The beauty is that a good registry does double duty. It helps you comply with the AI Act, and it also forms the basis for your AI literacy plan, because you now know exactly which systems your employees are using and therefore what knowledge they need.


AI literacy: the human behind the tool

Policies and registries are important. But if your people don't understand what they are working with, it all remains paperwork.

That's why AI literacy is so important. And not just important: mandatory. Article 4 of the AI Act requires organizations to ensure that employees working with AI are sufficiently AI literate. That duty has been in place since Feb. 2, 2025.

That doesn't mean everyone has to become a prompt engineer, data scientist or lawyer. Thankfully. It's about practical understanding: knowing how AI works, what it can do, what it can't do, and when it's best not to rely on it.

Two things are important:

  1. It's a best-efforts obligation.
    You don't have to prove that every employee has passed an exam. You do have to be able to demonstrate that you are serious about awareness, training and responsible use.
  2. The level depends on the role.
    One-size-fits-all training falls short. Someone who works with an AI tool all day needs more knowledge than someone who uses it occasionally. So you tailor the training to what people encounter in their jobs.

Enforcement becomes more serious as of Aug. 2, 2026, but the requirement is already in place now. That doesn't mean you can wait: those who do nothing now are already behind.

How do you make your people AI literate?

This is where our workshops come in.

We give practical AI literacy workshops that connect to the AI Act and to the roles within your organization. No dry e-learning that everyone clicks through with coffee in hand, but sessions where your team learns how AI works, where the risks are and how to use AI smartly, safely and responsibly in daily work.

Upon completion, participants receive a personalized certificate. Verifiable, and it can be added to your LinkedIn profile right away.

This is useful for your employees, but also for your organization. You show that you are actively working on AI literacy and that you don't just let people experiment with AI. In this way you build awareness, trust and demonstrability.

Exactly what you need when AI becomes a mature part of your organization.


How to start: a practical step-by-step plan

Enough theory. Time to see what you can do tomorrow.

Step 1: Map out your AI tools
Ask around in your organization what AI tools people are using. Not just the familiar names like ChatGPT or Copilot, but also tools with built-in AI features. Chances are more will surface than you thought. This is the start of your AI registry.

Step 2: Determine the risk for each tool
Use the rule of thumb: conscious choice + impact on people = register and assess. Look especially at tools that process personal data, influence decisions or directly impact customers, employees or job applicants.

Step 3: Create a practical AI policy
Start with the basics: scope, roles, permitted uses, data and human oversight. Keep it short, clear and actionable. A policy that no one reads is not a policy. That's PDF wallpaper.

Step 4: Train your employees role-focused
Make your people AI-literate. Not everyone needs the same knowledge, so tailor training to the role. A marketer, HR person, manager and AI manager encounter different risks. This is mandatory, so don't leave it out.

Step 5: Keep your registry and policies alive
AI changes rapidly. Tools gain new features, vendors adjust terms and teams start experimenting. So schedule set times to check and update your registry, policies and training.

You don't have to do this perfectly in one week. But doing nothing is not an option. Every deadline that passes makes it harder to demonstrate later that you are using AI seriously and responsibly.


From loose tools to getting a grip on AI

AI in your organization is no longer a question of if, but of how.

The law basically asks three things of you: know what you are using, agree on what is allowed and make sure your people understand what they are working with. In other words: an AI registry, an AI policy and AI-literate employees.

That sounds like a lot. But with a smart approach, it's perfectly manageable. Start with inventory, make clear choices and train your people on what they really need in their work.

Want help with that? We help organizations deploy AI responsibly and practically. With an AI policy, a workable AI registry and AI literacy workshops, including a personal certificate for your employees.

This way you don't just regulate what has to be done, but also build trust, knowledge and control.

Ready to get a grip on AI? Contact us and together we'll see where you stand and what the smartest first step is.

Request your AI workshop