Where it belongs
Recommended placement is Resources -> Templates & Playbooks, with future grouping under Governance Templates or Policy Templates.
Governance Templates
Enterprise AI Governance Policy Template
A practical fill-in-the-blanks policy template for AI systems, generative AI, and autonomous agents. Use it to prepare internal review with legal, compliance, security, privacy, risk, audit, executive, and business teams.
Context
Use this as a starting policy, not as a final approval.
The template helps teams establish common language for AI inventory, agent registration, Agent Passport expectations, risk classification, runtime authorization, human review, evidence, security, data governance, third-party review, and framework alignment. It is designed for online reading, printing, PDF export through the browser, and internal adaptation.
Powered by Scaled Agents™
Enterprise AI Governance Policy Template
For AI Systems, Generative AI, and Autonomous Agents
Organization Name
Policy Owner
Version
Effective Date
Review Date
Approval Authority
Disclaimer
This template is provided for educational and planning purposes only. It is not legal, regulatory, compliance, audit, security, privacy, or professional advice. Organizations should review and adapt this document with their legal, compliance, security, privacy, risk, audit, business, and executive teams before use.
1. Purpose
This policy establishes governance, accountability, oversight, risk management, security, monitoring, evidence, and review requirements for AI systems, generative AI tools, and autonomous AI agents used by the organization.
2. Scope
This policy applies to AI systems, generative AI tools, large language models, AI assistants, autonomous agents, agentic workflows, internal tools, third-party AI services, vendors, contractors, employees, and customer-facing AI use cases.
3. Definitions
| Term | Definition |
|---|---|
| AI System | A software, model, tool, workflow, or service that uses artificial intelligence to generate, classify, recommend, automate, predict, summarize, retrieve, transform, or support decisions. |
| AI Agent | An AI-enabled system that can pursue assigned objectives, use tools, call APIs, access data, interact with systems, or coordinate workflow steps. |
| Autonomous Action | An action performed by an AI system or AI agent without immediate human approval at the moment of action. |
| Human Reviewer | A designated person responsible for reviewing, approving, denying, escalating, or requesting more evidence for AI-related work. |
| Agent Owner | The accountable human owner responsible for an AI agent's purpose, scope, risk tier, permissions, review path, and lifecycle. |
| Agent Passport | A governance record for an AI agent's identity, owner, purpose, approved scope, data access, tools, actions, review requirements, evidence, and lifecycle state. |
| Agent Registry | The organization's inventory of AI systems and AI agents, including owner, purpose, risk, permissions, review state, and lifecycle status. |
| Runtime Authorization | A scoped authorization decision that determines whether a specific AI action may proceed under current policy, evidence, approval, and runtime state. |
| Human-in-the-Loop | A control pattern requiring a human reviewer to review, approve, deny, or escalate AI-generated work before it creates impact. |
| Evidence Record | A record that supports a governance decision, such as an approval, denial, action log, exception, incident, review, or audit-supporting artifact. |
| High-Risk AI Use Case | A use case that may materially affect people, finances, legal rights, regulated obligations, security posture, operations, customer outcomes, or critical systems. |
| Third-Party AI Service | An AI system, model, platform, API, tool, or service provided by an external party. |
4. Governance Roles and Responsibilities
| Role | Named Owner | Responsibilities |
|---|---|---|
| Executive Sponsor | ________ | Sets AI governance expectations, approves program direction, and resolves executive-level risk decisions. |
| AI Governance Committee | ________ | Reviews AI governance standards, high-risk use cases, exceptions, lifecycle reviews, and policy updates. |
| Business Owner | ________ | Owns business purpose, value, process fit, and operational acceptance. |
| Agent Owner | ________ | Owns agent purpose, scope, Passport, risk tier, permissions, evidence, and lifecycle. |
| Product Owner | ________ | Owns user needs, roadmap fit, release readiness, and user-facing controls. |
| Security Reviewer | ________ | Reviews identity, access, secrets, network, tool/API, logging, monitoring, and incident controls. |
| Compliance Reviewer | ________ | Reviews regulatory obligations, policy mapping, evidence needs, and review requirements. |
| Privacy Reviewer | ________ | Reviews personal data, sensitive data, retention, sharing, and privacy impact. |
| Human Reviewer | ________ | Reviews outputs, approvals, exceptions, escalations, and high-risk recommendations. |
| Platform Operator | ________ | Operates platform controls, logging, monitoring, and approved runtime changes. |
| Internal Audit | ________ | Reviews evidence completeness and control operation when audit review is in scope. |
5. AI Inventory and Registration Requirements
All AI systems and AI agents must be registered before production use.
| Field | Value |
|---|---|
| AI system or agent name | ________ |
| Business purpose | ________ |
| Owner | ________ |
| Department | ________ |
| Risk level | Level __ |
| Data classification | ________ |
| Model/provider used | ________ |
| Tools/connectors used | ________ |
| Permissions | ________ |
| Human oversight requirement | ________ |
| Expiration/review date | ________ |
| Approval status | Draft / Under Review / Approved for Test / Approved for Production / Suspended / Retired |
6. Agent Passport Requirements
Production AI agents should have an approved Agent Passport before use in organization workflows.
| Field | Value |
|---|---|
| Agent Passport ID | ________ |
| Agent name | ________ |
| Agent version | ________ |
| Owner | ________ |
| Approved purpose | ________ |
| Approved data access | ________ |
| Approved tools | ________ |
| Approved actions | ________ |
| Runtime boundaries | ________ |
| Human approval requirements | ________ |
| Evidence/logging requirements | ________ |
| Expiration date | ________ |
| Reviewers and approvers | ________ |
7. Risk Classification
| Level | Description | Minimum Approval Requirement |
|---|---|---|
| Level 1 | Informational / low risk | Business owner review. |
| Level 2 | Internal productivity | Business owner and security/privacy screening. |
| Level 3 | Business process support | Business owner, agent owner, security reviewer, and human oversight plan. |
| Level 4 | High-impact decision support | AI governance committee review, compliance/privacy review, evidence plan, monitoring plan, and human approval path. |
| Level 5 | Regulated, critical, or autonomous action | Executive sponsor approval, legal/compliance/security/privacy review, explicit runtime authorization, human review path, audit evidence plan, and lifecycle review. |
8. Human Accountability
Accountability remains with designated human owners and reviewers regardless of automation level. AI systems and agents may draft, classify, summarize, recommend, route, prepare evidence, or support decisions. They must not approve their own work, expand their own authority, bypass review, or take high-risk action without an approved human review path.
9. Runtime Authorization
Permitted and restricted action types must be defined before use.
| Action Type | Allowed? | Approval Required? | Notes |
|---|---|---|---|
| Read | Yes / No | Yes / No | ________ |
| Create | Yes / No | Yes / No | ________ |
| Update | Yes / No | Yes / No | ________ |
| Delete | Yes / No | Yes / No | ________ |
| Execute | Yes / No | Yes / No | ________ |
| Communicate externally | Yes / No | Yes / No | ________ |
| Trigger workflow | Yes / No | Yes / No | ________ |
| Access sensitive data | Yes / No | Yes / No | ________ |
| Make recommendations | Yes / No | Yes / No | ________ |
| Take autonomous action | Yes / No | Yes / No | ________ |
High-risk actions should require explicit approval and current authorization before execution.
10. Human-in-the-Loop Requirements
Human review is required when AI work involves sensitive data access, financial action, legal or regulatory action, employment-related decision support, customer-impacting decision support, external communication, high-risk recommendation, exception handling, or material system, workflow, access, or deployment change.
11. Monitoring, Logging, and Evidence
The organization should maintain activity logs, tool usage logs, decision records, approval records, escalation records, exception records, audit-supporting evidence, and evidence retention for ________ years.
12. Security Requirements
AI systems and agents must follow organization security requirements, including identity and access management, least privilege, secrets management, Zero Trust principles, API security, encryption, data loss prevention, environment separation, incident response, and vendor security review.
13. Data Governance and Privacy
AI systems and agents must follow organization data governance and privacy requirements, including data classification, personal data handling, sensitive data handling, confidential data handling, training data restrictions, prompt/input restrictions, output handling, retention, data sharing, and cross-border concerns.
14. Third-Party AI and Vendor Requirements
Third-party AI services require review of vendor terms, data usage, security controls, privacy controls, model training terms, audit rights, regulatory obligations, and exit or termination considerations.
15. Scaled Agents Seven Layers of Agent Governance and Accountability
- Agent Identity and Registration.
- Agent Design and Accountability.
- Runtime Authorization.
- Execution Monitoring.
- Human Oversight.
- Compliance and Risk Management.
- Audit and Evidence.
16. Framework Alignment
This policy may support alignment with NIST AI RMF, ISO/IEC 42001, ISO/IEC 27001, CSA AI Controls Matrix, EU AI Act, and organization-specific regulatory requirements. This template does not certify compliance with any framework, law, regulation, or standard.
17. Policy Violations
Examples include using unapproved AI tools, deploying unregistered agents, bypassing human approval, unauthorized data access, missing evidence logs, using third-party AI without review, or expanding agent permissions without approval.
18. Exceptions Process
| Field | Value |
|---|---|
| Exception requested by | ________ |
| Business justification | ________ |
| Risk description | ________ |
| Compensating controls | ________ |
| Expiration date | ________ |
| Approver | ________ |
| Review date | ________ |
19. Policy Review and Maintenance
| Field | Value |
|---|---|
| Review cadence | ________ |
| Policy owner | ________ |
| Approval authority | ________ |
| Change history | ________ |
| Version history | ________ |
20. Appendices
Appendix A: AI System Registration Form
Name: ________ Purpose: ________ Owner: ________ Risk level: ________ Data classification: ________ Approval status: ________
Appendix B: Agent Passport Intake Form
Agent name: ________ Owner: ________ Approved purpose: ________ Approved data access: ________ Approved tools/actions: ________ Human review requirements: ________ Evidence requirements: ________
Appendix C: AI Risk Assessment Worksheet
Use case: ________ Impact: ________ Data sensitivity: ________ Autonomy level: ________ Human oversight: ________ Risk tier: ________ Required controls: ________
Appendix D: Human Review Checklist
Owner identified. Risk level assigned. Evidence reviewed. Data access reviewed. Tool permissions reviewed. External communication reviewed. Approval, denial, or escalation recorded.
Appendix E: Third-Party AI Review Checklist
Terms reviewed. Data usage reviewed. Security controls reviewed. Privacy controls reviewed. Model training terms reviewed. Audit rights reviewed. Exit path reviewed.
Appendix F: AI Governance Committee Charter Placeholder
Purpose: ________ Membership: ________ Decision authority: ________ Meeting cadence: ________ Escalation path: ________
Appendix G: AI Incident Intake Form
Incident date: ________ Reported by: ________ AI system or agent: ________ Description: ________ Impact: ________ Immediate containment: ________ Owner: ________ Evidence references: ________