Why This Matters Right Now
44% of law firms have no formal AI governance policy. Not a weak policy. Not an outdated one. None.
Meanwhile, the Colorado AI Act is live. California's AI transparency requirements are in effect. The EU AI Act is being enforced. And every week, another headline about AI mishandling sensitive data.
Here is what a typical unregulated AI deployment looks like at a small or mid-size firm:
- Someone signs up for a SaaS AI tool
- They connect it to company data
- No risk assessment
- No documentation
- No monitoring
- Nobody knows what data is going where
That is not a technology problem. It is a governance gap. And it is fixable in one afternoon.
This guide gives you a complete AI policy document you can customize and implement today. Every section includes the actual language you need: not vague principles, but sentences you can copy, paste, and adapt.
What Your AI Policy Needs to Cover
A complete AI policy has 6 sections:
| Section | What It Covers | Time to Write |
|---|---|---|
| 1. Approved Tools and Use Cases | What AI tools are allowed and for what | 30 minutes |
| 2. Data Classification | What data can and cannot go into AI | 45 minutes |
| 3. Review and Approval Workflows | Who approves AI use for new tasks | 20 minutes |
| 4. Incident Response | What happens when AI makes an error | 30 minutes |
| 5. Training Requirements | What staff needs to know before using AI | 20 minutes |
| 6. Compliance Checklist | How you stay legal | 30 minutes |
Total: roughly 3 hours. One afternoon.
Section 1: Approved AI Tools and Use Cases
This is the foundation. Your team needs to know exactly what is allowed and what is not.
Step 1: Inventory what is already in use
Before you write policy, find out what is already happening. Send this to your team:
"We are writing our AI governance policy. Please list every AI tool you have used for work in the last 90 days, including free tools, browser extensions, and any tool you have pasted work content into. No judgment. We need accuracy."
You will be surprised. Most firms discover 5 to 10 AI tools in use that leadership did not know about.
Step 2: Categorize each tool
For each tool your team reports, classify it:
Category A: Approved for general use. Tools that have been vetted, have acceptable privacy terms, and can be used for non-sensitive work. Example: ChatGPT (with data opt-out enabled) for drafting marketing copy, brainstorming, general research.
Category B: Approved with restrictions. Tools approved for specific use cases only. May have data limitations. Example: Grammarly (approved for external communications only, not for client documents).
Category C: Prohibited. Tools that do not meet your data handling requirements. Example: Any AI tool that trains on user data by default and does not offer enterprise data agreements.
Step 3: Write the approved use cases
For each Category A and B tool, list exactly what it can be used for. Be specific:
ChatGPT (Category A)
- Approved for: Marketing copy drafting, general research, email tone adjustment, brainstorming
- NOT approved for: Client-specific work, legal document drafting, financial analysis, any task involving PII
- Data rule: Never paste client names, case numbers, financial figures, or personally identifiable information
The more specific you are here, the fewer gray areas your team encounters.
Section 2: Data Classification for AI
This is the section that prevents the worst outcomes. Your team needs a clear, simple framework for what data can go where.
The 3-Tier Data Classification
Tier 1: PUBLIC (Green Light). Data that is already public or has no sensitivity. Can be used with any approved AI tool. This includes published marketing materials, public-facing website content, general industry research, and internal templates without client data.
Tier 2: INTERNAL (Yellow Light). Business data that is not public but is not client-specific. Can be used with Category A tools only, with caution. This includes internal process documentation, anonymized team performance metrics, non-confidential business strategy notes, and vendor communications.
Tier 3: RESTRICTED (Red Light). Client data, financial data, PII, or anything covered by privilege or confidentiality agreements. Cannot be used with any cloud-based AI tool unless the tool has a signed BAA/DPA and enterprise data agreement. This includes client names, case details, matter information, financial records, account numbers, employee personal information, attorney-client privileged communications, health records (HIPAA), and any data covered by NDA.
The Quick Decision Test
Train your team to ask this before pasting anything into AI:
"If this exact text appeared on the front page of a newspaper with our company name attached, would it be a problem?"
- If yes: Tier 3. Do not paste into cloud AI.
- If maybe: Tier 2. Use approved tools only, and strip identifying details.
- If no: Tier 1. Proceed with any approved tool.
This single test catches 90% of potential data incidents.
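As an added illustration (not part of the original guide), the following Python check turns the Section 1 tool categories and the Section 2 data tiers into a pre-submission gate that a paste-handler or chat proxy could call before text reaches a cloud AI tool. The tool register and the regex markers for Tier 3 and Tier 2 text are constructed assumptions, and a clean scan is not proof that text is Tier 1, so the newspaper test still applies.

```python
import re

# Constructed tool register following the guide's Category A/B/C scheme.
# Names and signed_dpa flags are assumptions for this example, not a vetted vendor list.
TOOLS = {
    "chatgpt":         {"category": "A", "signed_dpa": False},
    "grammarly":       {"category": "B", "signed_dpa": False},
    "enterprise-llm":  {"category": "A", "signed_dpa": True},   # hypothetical tool with a signed BAA/DPA
    "free-summarizer": {"category": "C", "signed_dpa": False},
}

# Heuristic markers for Tier 3 (restricted) and Tier 2 (internal) text. Constructed regexes;
# they catch common formats only, so a miss does not make text Tier 1.
TIER3_MARKERS = {
    "case_number": re.compile(r"\b(?:case|matter)\s*(?:no\.?|#)\s*[\w-]+", re.I),
    "ssn":         re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "account":     re.compile(r"\b(?:acct|account)\s*(?:no\.?|#)?\s*\d{6,}\b", re.I),
    "privilege":   re.compile(r"attorney[- ]client|privileged\s*(?:&|and)\s*confidential", re.I),
    "phi":         re.compile(r"\b(?:diagnos(?:is|ed)|medical record)\b", re.I),
}
TIER2_MARKERS = {
    "internal_only": re.compile(r"\binternal(?: use)? only\b|\bdo not distribute\b", re.I),
}

def classify(text):
    """Return (tier, matched_markers); the highest tier with a hit wins."""
    hits = [name for name, rx in TIER3_MARKERS.items() if rx.search(text)]
    if hits:
        return 3, hits
    hits = [name for name, rx in TIER2_MARKERS.items() if rx.search(text)]
    if hits:
        return 2, hits
    return 1, []

def gate(tool, text):
    """Apply the guide's rules: Category C is never allowed; Tier 3 needs a signed
    BAA/DPA; Tier 2 is limited to Category A; Tier 1 may go to any approved tool."""
    info = TOOLS.get(tool)
    if info is None:
        return "BLOCK", "tool not in policy: request vetting via the approval matrix"
    if info["category"] == "C":
        return "BLOCK", "Category C tool is prohibited"
    tier, markers = classify(text)
    if tier == 3 and not info["signed_dpa"]:
        return "BLOCK", f"Tier 3 markers {markers}: escalate to leadership, do not paste"
    if tier == 2 and info["category"] != "A":
        return "BLOCK", "Tier 2 data may only go to Category A tools"
    return "ALLOW", f"Tier {tier} data to Category {info['category']} tool"
```

Every BLOCK decision is a candidate row for the incident log in Section 4, since a blocked paste attempt is evidence that the control worked.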
Section 3: Review and Approval Workflows
Who decides when a new AI use case is allowed? Without a clear process, you get one of two failure modes: nobody approves anything and teams stop using AI entirely, or nobody checks anything and teams use AI for everything unchecked.
The Approval Matrix
| What Needs Approval | Who Approves | Turnaround |
|---|---|---|
| New AI tool (not yet in policy) | IT Lead + Compliance/Legal | 5 business days |
| New use case for approved tool | Department Manager | 2 business days |
| Using AI on Tier 2 data | Department Manager + Data Officer | 2 business days |
| Using AI on Tier 3 data | NOT APPROVED via standard process, escalate to leadership | N/A |
| Emergency/one-time use | Verbal approval + written follow-up within 24 hours | Same day |
The New Tool Vetting Checklist
When someone requests a new AI tool, evaluate it against these 8 questions:
1. Does the vendor privacy policy allow training on user data? (If yes, likely Category C)
2. Does it offer a Data Processing Agreement (DPA)?
3. Where is data stored? (Country, cloud provider)
4. Can you delete your data on demand?
5. Is there SOC 2 or ISO 27001 certification?
6. Does it offer SSO or enterprise authentication?
7. What is the vendor data breach notification policy?
8. Is there an opt-out for model training?
If a tool fails questions 1, 2, or 4 (it trains on user data, offers no DPA, or cannot delete your data on demand), it is Category C. No exceptions.
Section 4: Incident Response
When (not if) AI produces an incorrect output that reaches a client or makes a decision with bad data, your team needs to know exactly what to do.
The AI Incident Response Protocol
Step 1: Contain (within 1 hour). Identify what AI-generated content was sent externally. Stop any automated AI workflows connected to the incident. Document what happened, when, and who was affected.
Step 2: Assess (within 4 hours). What was the AI output that caused the issue? What data was the AI working with? Was client data exposed to a third-party AI service? What is the potential client/business impact?
Step 3: Notify (within 24 hours). Inform affected clients if their data was exposed. Notify your data protection officer (if applicable). If regulated data was involved, check legal notification requirements. Document the notification in your incident log.
Step 4: Remediate (within 1 week). Fix the immediate issue (correct the output, retract if needed). Identify root cause: bad prompt, wrong data tier, or tool misconfiguration. Update the AI policy to prevent recurrence. Brief the team on what happened and what changed.
The Incident Log Template
Keep a simple spreadsheet. Every AI incident gets a row:
| Date | Tool Used | What Happened | Data Tier Involved | Root Cause | Action Taken | Policy Change Made |
|---|---|---|---|---|---|---|
This log is your evidence of governance. When a regulator or client asks "what is your AI oversight process?" this is what you show them.
Section 5: Training Requirements
Your policy is only as good as your team's understanding of it. Here is the minimum training your team needs:
Required Training (Before Using Any AI Tool)
All Staff (30-minute onboarding): What our AI policy covers (share the document). The 3-tier data classification system. The newspaper test for data decisions. How to request a new tool or use case. Where to report AI incidents.
AI Power Users (additional 1-hour session): Prompt engineering basics (how to get useful output). Output verification (never trust AI output without review). Common failure modes (hallucinations, outdated information, tone mismatch). How to document AI-assisted work.
Managers (additional 30-minute session): How to approve new use cases. How to monitor team AI usage. How to handle incident escalations. Quarterly review process.
The Quarterly Review
Every 90 days, review and update your policy. What new tools have been requested? Any incidents in the last quarter? Any new regulations or compliance requirements? Is the approved tools list still current? Does the team have questions or pain points?
Mark the review date on your calendar now. Governance that is not reviewed decays fast.
Section 6: Compliance Checklist
As of March 2026, these are the regulations your AI policy should address:
Colorado AI Act (Effective 2026)
Requires disclosure when AI is used in consequential decisions (employment, lending, insurance, education, housing). Businesses must conduct impact assessments for high-risk AI systems. Consumers have the right to know when AI is involved in decisions about them. Your policy must: Document all AI systems used in decision-making, maintain impact assessments, provide consumer disclosure.
California AI Transparency Laws (Effective 2026)
Requires disclosure of AI-generated content in certain contexts. Businesses must label AI-generated images, video, and audio. Political and commercial communications have additional requirements. Your policy must: Include disclosure language for AI-generated content, maintain records of what content was AI-assisted.
GDPR (If You Have EU Clients/Data)
Automated decision-making rights under Article 22. Data processing requirements apply to AI tools. Right to explanation for AI-driven decisions. Your policy must: Ensure AI tools have appropriate DPAs, document lawful basis for AI processing.
Industry-Specific (Check Your Sector)
Legal: ABA Model Rules on competence (1.1) and supervision (5.1, 5.3) apply to AI use. Healthcare: HIPAA applies to any AI processing PHI. Financial: SEC and FINRA guidance on AI in advisory services. Real Estate: Fair housing laws apply to AI-assisted property recommendations.
The Compliance Quick-Check
For each AI tool in your approved list, verify:
- Data processing agreement signed.
- Data residency requirements met.
- Consumer disclosure language prepared (if applicable).
- Impact assessment completed (if high-risk use case).
- Opt-out from model training confirmed.
- Incident response plan covers this tool.
- Training materials updated to include this tool.
Your Complete AI Policy Template
Here is the complete document structure. Copy this, fill in your specifics, and you have a working AI policy:
[Company Name] Artificial Intelligence Usage Policy
Effective Date: [Date] | Review Date: [Date + 90 days]
- Purpose — Why this policy exists and who it applies to
- Approved AI Tools — Category A, B, C list with approved use cases
- Data Classification — Tier 1/2/3 definitions with examples from your business
- Approval Process — Matrix of who approves what
- Incident Response — The 4-step protocol
- Training Requirements — Onboarding, power users, managers
- Compliance — Applicable regulations and your response
- Review Schedule — Quarterly review dates and responsibilities
- Acknowledgment — Signature line for each team member
Print it. Have everyone sign it. File it. That is governance.
The One Thing Most Policies Miss
Most AI policies focus on what tools are allowed. Good policies also address where the AI runs.
When your team uses a cloud AI tool (ChatGPT, Claude, Gemini, any SaaS product), your data leaves your network. It travels to the vendor's servers. It is processed there. The vendor's privacy policy governs what happens next.
For Tier 1 data, that is fine. For Tier 2, it is a calculated risk. For Tier 3 (client data, privileged communications, financial records), it is often a compliance violation.
The alternative is AI that runs on your infrastructure. Same capabilities. Same intelligence. But the data never leaves your building.
How Cadence by Orquestria Solves This
Everything in this guide, you can implement yourself. We wrote it so you can.
But there is one problem the policy alone cannot fix: if your team needs AI for Tier 3 data (client files, privileged communications, case details), cloud AI tools are off the table. Your policy should prohibit it. But that means your team loses the biggest productivity gains AI offers, right where they need it most.
That is what Cadence was built for.
Cadence by Orquestria deploys AI directly on your firm's local infrastructure. Not a web SaaS. Not a cloud dashboard. Your servers. Your network. Your control.
- On-premise CRM and AI processing. Cadence runs your firm's client relationship management and AI operations on your own servers. Client data, case files, billing records, and communications never touch a cloud API. The entire system operates inside your network perimeter.
- No SaaS dependency. Unlike cloud CRM tools (Clio, PracticePanther, MyCase) that store your client data on their servers, Cadence keeps everything local. If the internet goes down, your CRM still works. If a cloud vendor has a breach, your data is not in it.
- WhatsApp interface. Your team interacts with the local AI through WhatsApp. Search client files, check case status, pull document summaries, log billable time, all from the app they already use. The AI processes the request locally and responds through the WhatsApp Business API. The client data never leaves your infrastructure.
- Full audit trail on your servers. Every AI query, every document access, every CRM interaction is logged on your infrastructure. When a regulator asks for your AI activity records or a client requests their data history, you have it, stored locally, under your direct control.
- Governance enforced by architecture. Cadence enforces the data classification tiers from Section 2 of this guide automatically. Tier 3 data is processed locally by design. There is no configuration that allows client data to leak to external services because external services are never called for data processing.
The difference between a cloud AI policy and an on-premise deployment:
- Cloud AI policy: "Please do not paste client data into ChatGPT" (relies on every team member following rules perfectly, every time)
- On-premise with Cadence: Client data physically cannot reach external servers (enforced by infrastructure architecture)
One depends on human compliance. The other makes it impossible to break the rules.
Cadence is currently in active deployment with law firms and professional services firms. Implementation takes days, not months. Your existing systems and documents stay in place. The AI layer and local CRM wrap around what you already use.
If your firm handles sensitive data and needs AI that stays in-house, let us talk.