Generate a free AI policy template in minutes. Covers acceptable use, data handling, oversight and prohibited uses. Ready-to-adopt for your organisation.
It is a short document that tells your people which AI tools they may use, what data must never go into them, when AI use should be disclosed, and who is accountable. You almost certainly need one already: surveys show most staff are using AI tools at work whether or not anyone has set rules. Without a policy, your first AI incident, a data leak into a public chatbot for example, happens with no agreed boundary to fall back on.
Yes. The generator is free, the policy is yours to keep, edit and adopt, and Starkhorn takes no ongoing rights over it. We ask for your name, work email and organisation so we can send you the policy and, if you want, talk about putting governance behind it.
No. This is a starting draft, not legal advice and not certification. It is anchored in ISO 42001, NCSC and ICO guidance so it points you in a sensible direction, but compliance with UK data-protection law, the EU AI Act or any standard requires your own review, and certification against ISO 42001 is granted only by accredited bodies after a formal audit. Have a qualified professional review the policy before you rely on it.
ISO/IEC 42001:2023, the world's first AI management system standard, which expects an approved AI policy; the NCSC's guidance on the secure development and use of AI systems; and the ICO's guidance on AI and data protection under UK GDPR. Where the policy touches transparency for AI-generated content, it reflects the direction of the EU AI Act's transparency obligations, without claiming legal compliance with them.
Because it can reach UK organisations whose AI output is used in the EU, and its transparency obligations for AI-generated content begin to apply from 2 August 2026. The generator's disclosure clauses move you in a sensible direction, but this tool does not assess or confer legal compliance with the Act.
As a baseline: personal data about clients, staff or beneficiaries; special-category or sensitive personal data; confidential or commercially sensitive information; anything under an NDA; and security credentials or system secrets. The generator pre-selects these and lets you add your own. A simple test for staff: if you would not be comfortable seeing it outside the organisation, do not put it into an AI tool.
Banning it rarely works; staff use it anyway, just invisibly, which is the worst outcome for governance. Most UK organisations are better served by allowing approved tools with clear guardrails: business accounts, named prohibited data, human sign-off on anything consequential, and a route to ask. The generator supports an approved-list, allow-with-guardrails, or restricted stance, so you can pick what fits your risk appetite.
About six minutes, and no. The questions are in plain business language and every one has a sensible default. It is written for the board member, chief executive, COO, CFO or charity trustee who has to answer for AI use, not for technical specialists.
Adopt it properly: have it reviewed and approved by your board or trustees, brief your staff, and put the supporting governance behind it, an AI inventory, an accountable owner and a risk process. The free AI Governance and ISO 42001 Readiness Assessment shows where your wider governance is strong or exposed. If you want a hand turning the policy into a working AI management system, that is the kind of work Starkhorn does.
No. Starkhorn is an independent technology consultancy. We do not sell AI products, we do not certify, we do not sell insurance, and we take no commission on any of them. We help boards and leaders design and run the governance behind their AI. This generator is free and exists to give you a credible starting point.