AI Law · Compliance Guide
What Is an Internal AI Usage Policy and What Must It Cover Under the EU AI Act?
Article 4 has been in force since February 2025. Your internal AI policy is the document that proves compliance — and protects your IP, data and contracts.
Contents
1. Why you need one now (Article 4 · Shadow AI · IP + GDPR)
2. 8 sections your policy must include (complete compliance checklist)
3. What to cover by company stage (Startup · Scale-up · Enterprise)
4. Does your company comply? (3-question self-assessment)
5. Get your policy drafted (WCR Legal · AI Governance & Risk)
6. Common questions (Article 4 · Shadow AI · Contractors)
Section 1
Why You Need One Now
An auditor asks to see your internal AI usage policy. You do not have one. That is not merely an administrative gap — it is a breach of Article 4 of the EU AI Act, which has been in force since February 2025 and requires all deployers to ensure a demonstrable level of AI literacy across their organisation. Beyond regulatory exposure, the absence of a policy leaves you vulnerable to shadow AI: employees using personal ChatGPT accounts or Midjourney for work tasks, feeding confidential data into external training pipelines and generating content with unclear IP ownership.
An internal AI usage policy closes all three gaps at once: it satisfies Article 4, controls data flow, and establishes IP and copyright rules for AI-generated outputs. Our AI Governance & Risk practice helps companies draft and implement internal AI policies built to survive audit. Below, we set out what every policy must contain.
Article 4 · In force Feb 2025
EU AI Act requires documented AI literacy
You cannot prove compliance without a written policy
All deployers must ensure that staff involved in AI system operation possess an appropriate level of AI literacy. Without a documented policy, you cannot prove this obligation is being met — regardless of whether informal training has taken place. The requirement applies from February 2025.
Inspectors and auditors will ask for the policy document. Verbal assertions are not evidence of compliance.
Shadow AI · Data Risk
Employees using personal AI tools create company liability
Personal ChatGPT = your confidential data in OpenAI’s pipeline
When a staff member uses a personal ChatGPT account to process a client brief, your confidential data may enter OpenAI’s training pipeline. Your company bears responsibility for that data transfer — not the employee.
An explicit approved-tools list and shadow AI prohibition, documented in writing, is the only way to manage this risk at the organisational level. An unwritten rule is not enforceable and will not satisfy a regulator.
GDPR · IP Exposure
AI outputs without a policy leave ownership unresolved
Unclear IP + missing DPA = compounding exposure
AI-generated content produced without a policy has no clear IP ownership framework. Who owns it — your company, the employee, the AI provider? Without rules, you cannot answer that question in a contract dispute or acquisition review.
Personal data entered into AI tools without a DPA in place constitutes a GDPR violation. See our AI Risk & Liability services for a full assessment of your current exposure.
Important — Timeline
Article 4 has been in force since February 2025 — not August 2026. If your company uses AI in any capacity and has no documented AI literacy measures, you are already in breach. The August 2026 deadline applies to high-risk system obligations under Annex III. It does not delay Article 4.
Section 2
8 Sections Your Internal AI Policy Must Include
A compliant internal AI usage policy is not a one-page memo. It is a structured document covering eight distinct obligations. Work through each section — gaps in any one create exposure that will surface in an audit, an incident, or a counterparty review.
Eight mandatory sections — each addresses a distinct legal obligation
Article 4 EU AI Act + GDPR + IP — all addressed in a single document
1. Scope: who and what does the policy cover? (Foundation of the entire document)
Define who is covered: all employees, contractors, freelancers, and temporary staff who use AI tools in the course of their work for the company. Specify which AI tools and systems the policy applies to, including a reference to the approved-tools list in Section 2. The scope must be drafted broadly enough to capture tools used on personal devices for work purposes — device ownership is irrelevant if the activity serves the company.
2. Approved and prohibited tools: the shadow AI control (Primary shadow AI mitigation measure)
Maintain an explicit list of approved AI tools, updated as tools are evaluated and authorised. Any tool not on the approved list is prohibited by default. Include the process for requesting approval of new tools: who submits the request, what technical and legal review is required, and the expected response timeline.
Shadow AI — the use of unapproved personal AI tools for work tasks — must be explicitly prohibited by name. A general “use approved tools only” instruction is insufficient. Name the prohibition directly.
3. Data classification rules: what cannot go into AI tools (GDPR Article 5(1)(b) · Purpose limitation)
Specify categories of data that must not be entered into AI tools under any circumstances: personal data of clients or employees, confidential client information, legally privileged communications, and trade secrets. Define what constitutes “confidential” under your internal classification scheme.
Where AI tools are approved for use with certain data types, document the technical controls and DPA requirements that must be in place first. The rule must be specific enough for an employee to apply it without consulting a lawyer for every query.
4. AI literacy requirements: the Article 4 evidence trail (Article 4 EU AI Act · Mandatory since Feb 2025)
Set the minimum training requirements that satisfy Article 4. Define which roles must complete AI literacy training, the required content (capabilities, limitations, risks, legal obligations), and how completion is documented. Undocumented training does not satisfy the regulation — records are mandatory evidence, not optional housekeeping.
Specify the review cycle for training materials and how new joiners are brought into compliance. Staff who join after the policy is issued must be covered within a defined timeframe.
5. Human oversight requirements: where automation must stop (EU AI Act Article 14 · Human in the loop)
Identify which AI-assisted decisions or outputs require mandatory human review before use or implementation. At minimum, any decision that directly affects a person — a hiring recommendation, a credit assessment, a performance rating, a medical triage — must have a defined human review step with a named accountable role.
Fully automated consequential decisions about individuals are prohibited under both the EU AI Act and GDPR Article 22. Document the oversight process explicitly. “Someone checks it” is not a process.
6. IP and copyright rules: who owns what AI generates (Copyright · Work for hire · Disclosure)
Establish who owns AI-generated content produced in the course of work, how human authorship is documented for copyright purposes, and what review is required before AI-assisted content is published or submitted externally. Employees must not represent AI-generated content as entirely original work without appropriate disclosure or review.
Where your sector expects alignment with established frameworks, keep these rules consistent with the NIST AI RMF and ISO 42001.
7. Incident reporting: what to do when AI goes wrong (Data breach readiness · Regulatory exposure)
Define what constitutes a reportable AI incident: a material error in an AI output that was acted upon, a data exposure through an AI tool, confirmed use of a prohibited tool, or suspected bias in an AI-assisted decision. Specify who must be notified, within what timeframe, and what investigation and remediation process follows.
A named incident owner and a clear escalation path are mandatory — not optional. Without this section, your organisation is incident-blind and unable to demonstrate regulatory responsiveness when something goes wrong.
8. Review and update cycle: keeping the policy current (Ongoing compliance · Living document)
The policy is a living document. Mandatory review triggers include: a new AI tool being approved or prohibited, material changes to the EU AI Act or Commission guidance, a reportable incident, or a significant change in how the company uses AI. The base cycle should be at minimum annual.
Assign a named policy owner responsible for initiating reviews and maintaining version control with dated revision history. A policy with no owner is not enforced — it is decoration.
Need help drafting your internal AI policy? A complete, audit-ready document from WCR Legal covers all 8 sections and is tailored to your company’s AI tools and risk profile.
Section 3
What Your Policy Should Cover by Company Stage
All companies using AI must satisfy Article 4 — but the depth and formality of the required policy scales with company size, risk profile, and regulatory exposure. Here is what is expected at each stage.
Startup (1 to 50 employees): minimum viable compliance through to first audit
Minimum required (Article 4): approved tools list; 1-page AI literacy statement; explicit shadow AI prohibition.
Recommended (risk mitigation): basic data classification rules; IP ownership clause in employment contracts; contractor compliance requirement.
Enterprise-grade (audit-ready): full 8-section policy document; version control and annual legal review; training completion records.
Scale-up (50 to 250 employees): structured compliance with documented oversight
Minimum required (Article 4): all startup minimums; data classification rules; IP rules for AI outputs; incident reporting process; quarterly review cycle.
Recommended (risk mitigation): human oversight requirements; DPA audit for approved AI tools; designated AI policy owner.
Enterprise-grade (audit-ready): AI governance committee; FRIA for high-impact use cases; ISO 42001 alignment; external audit trail.
Enterprise (250+ employees): full governance programme with board-level visibility
Minimum required (Article 4): full 8-section policy; human oversight framework; named policy owner and documented review cycle.
Recommended (risk mitigation): Fundamental Rights Impact Assessment; AI vendor risk assessments; board-level AI risk reporting.
Enterprise-grade (audit-ready): dedicated AI governance officer; continuous monitoring programme; regulatory change tracking; EU AI Act database registration readiness.
This is the minimum
The minimum column reflects what Article 4 currently requires — not what an auditor, acquirer, or enterprise customer will ask for. In practice, any company that has received Series A investment or serves enterprise clients is expected to operate at the recommended level or above. See our guide on how to build an AI governance framework for the full programme.
Section 4
Does Your Company Have What’s Required?
Answer three questions to get an immediate read on your compliance position under Article 4 of the EU AI Act.
Question 1 of 3: Does your company have a documented AI usage policy? (Yes, comprehensive and covering all key areas / Yes, a basic or partial document / In progress, being drafted / No, we do not have one)
Question 2 of 3: Have all employees who use AI tools been trained, and is this training documented? (Yes, trained and documented / Partially, some trained but not fully documented / No, no formal training programme)
Question 3 of 3: Do you have written rules on what data employees can enter into AI tools? (Yes, written data classification rules exist / No, no rules in place)
Put Your Internal AI Policy in Place
WCR Legal drafts internal AI usage policies that satisfy Article 4, survive audit, and protect your IP and data from day one. We work with companies at every stage — from a first policy document to a full AI governance programme.
Section 5
Common Questions on Internal AI Policies
Frequently asked questions
5 questions — what legal and compliance teams ask most
1. Does every company using AI need an internal AI usage policy under the EU AI Act?
Yes, if you use AI in any professional capacity and have EU operations or EU users. Article 4, which requires demonstrable AI literacy across your organisation, has been in force since February 2025. An internal AI usage policy is the primary document used to prove compliance. Without it, you cannot demonstrate that your staff have the required level of AI literacy — even if training has taken place.
2. What is shadow AI and why is it a regulatory risk?
Shadow AI refers to employees using AI tools — such as personal ChatGPT accounts, Midjourney, or Copilot — outside approved company channels. The risk is threefold: confidential data may enter AI training pipelines, personal data may be processed without a DPA in breach of GDPR, and generated content may create unclear IP ownership. Your internal AI policy must explicitly address approved and prohibited tools and name the shadow AI prohibition directly.
3. Does the AI usage policy need to cover contractors and freelancers?
Yes. Any person working with your data or on your behalf who uses AI tools in that context is within scope. Your policy should explicitly include contractors, freelancers, and temporary staff. Your contracts with those parties should also require compliance with your AI usage policy — a policy that does not bind contractors is incomplete. This is particularly important where contractors handle confidential client data or produce content on your behalf.
4. How often should the internal AI policy be reviewed?
At minimum annually, and additionally whenever: a new AI tool is approved or prohibited, EU AI Act guidelines are updated, a significant incident occurs, or your company’s AI use changes materially. The AI Act is not static — the Commission continues to issue delegated acts and guidance. See our AI Governance & Risk practice for ongoing monitoring support, and our guide on how to build an AI governance framework for a full programme overview.
5. Is an internal AI policy enough for EU AI Act compliance if we also deploy high-risk AI systems?
No. If your systems fall under Annex III, the internal policy is one layer of a larger compliance programme that includes risk management systems, technical documentation, conformity assessment, and EU database registration. See our EU AI Act high-risk classification guide and AI Governance & Risk services for the full compliance framework.