Perspective

The twelve questions an AI use policy has to answer

Kristina Agustin
July 17, 2026
~5 min read
Back to Chart Room
Share
Author: Kristina AgustinPublished by: Southern Sky AI

A professional indemnity renewal form now carries a question that was not there two years ago: where is AI being implemented within your business? Insurers have put it in writing. Procurement teams send their own version before contracts close. Auditors put it to accountable officers, and clients ask it of the firms that hold their information.

Whoever asks, the answer they expect is a document. And the document is read by one person at a time, on a particular day, for a particular reason. That reader decides whether your position is credible, and they read policies for a living.

This article sets out what that reader is looking for. It works as a test for any draft, whether a template started it, a consultant wrote it, or it grew inside the business one incident at a time.

01

Who asks to see an AI use policy?

Four readers arrive most often, and each brings a different eye.

The insurer reads at renewal, usually through a professional indemnity or cyber questionnaire, and looks for evidence that the risk they are pricing is managed. The auditor reads against a framework, whether that is an internal audit plan, a government AI policy, or a certifier's checklist, and looks for the paper trail behind each claim. The client, often through procurement, reads for their own exposure: their information inside your tools, their name on your outputs. And in maritime operations, the flag state and the port state read whatever touches the safety management system, because the SMS is a legal document and the vessel answers for it.

A policy written for a filing cabinet satisfies none of them. A policy written for the day it is handed over can satisfy all four at once.

02

What does an AI use policy need to include?

Twelve questions, in the order the reader tends to ask them. A draft that answers all twelve is ready for the person asking. A draft that answers most of them now has a to-do list.

1

1. Who owns it? A named person, a date of adoption, and a date of last review. An unsigned, undated policy tells the reader no one is carrying it.

2

2. Which tools does it cover? Including the AI already inside software the business runs every day: Microsoft 365 Copilot, the practice management system, the booking platform, the document tools. AI often arrives first as a feature inside something the business already pays for.

3

3. What information stays out of external tools? Client identities, guest and medical details, financial records, contract-controlled specifications, anything under a confidentiality agreement. This is the line the whole team has to know by heart, so the policy states it plainly.

4

4. Where does a person check the machine's output before it leaves? Named checkpoints: before a client reads it, before it enters a safety document, before it is filed with a regulator. This single question carries more weight than any other on the list, because every reader eventually asks who was accountable for the words.

5

5. Who may use what, for which tasks? Roles and permissions in plain language. A junior drafting internal notes and a manager preparing client advice sit at different checkpoints, and the policy says so.

6

6. What happens when an output is wrong? The correction step, the record of the correction, and who is told. Errors are a certainty in any system; the reader wants to see the response, in writing, decided in advance.

7

7. Which existing obligations does it connect to? Privacy law in each jurisdiction you touch, professional duties, the safety management system, the contracts already signed. An AI policy stands on obligations the organisation already carries, and it names them.

8

8. Does it describe the way the team works in practice? A policy that matches practice is one the team can follow and one a director can sign. Where the document and the day-to-day differ, the reader will find the gap in one conversation.

9

9. What records does it keep? What is retained, where it lives, and who can produce it on request. Questions about AI use arrive with a date on them; records are how the answer survives.

10

10. How does training connect to it? Each person able to point to the standard they were trained against, with the training recorded. This is the difference between a policy the organisation has and a policy the organisation runs.

11

11. Who keeps it current? Tools change monthly and the rules are moving on published timetables. The policy names the person and the review cycle, so currency is a system rather than an intention.

12

12. Would it satisfy the specific person asking? The final test is the simplest one. Read the draft once as the insurer, once as the auditor, once as the client, and see what each of them finds.

These twelve travel as a one-page checklist, built to be printed and worked through with a pen. It is at southernsky.ai/resources/ai-policy-checklist.

03

Can a template do this?

A template can start the drafting, and a good one saves real time on structure. The finished policy answers for your organisation: your tools, your jurisdictions, your clients' expectations, your obligations, with your names at the checkpoints and your dates on the reviews. That is the part no document written for everyone can carry, and it is the part the reader came for.

The nearest model is one maritime organisations already trust. A safety management system works because it names who checks what, before which step, and stays current as the vessel and the rules change. An AI use policy earns its keep the same way: it exists so the business can move fast without breaking things, with a defensible record behind every step.

04

Where to start

The starting point is knowing which of the twelve questions your organisation can already answer. The AI Baseline Report reads your position in about five minutes: the kinds of AI risk as they reach your business, the regulations that already apply to you, and the moves that matter most, ranked from the top. It is at southernsky.ai/baseline.

And if a questionnaire, an auditor, or a client has already asked and you need the answer in writing, that is a conversation I have often. I would like to hear where the question found you.

Read your position

Where does your organisation sit on the map right now?

The AI Baseline reads your current position in about five minutes and shows you the next plain move.

Get your baseline

Prefer weekly reading? Join the Chart Room Dispatch.