AI policy established and communicated
Description
Clause 5.2 — AI policy includes commitment to satisfying applicable requirements, framework for setting objectives, commitment to continual improvement, and is communicated within the organisation.
⚠️ Risk Impact
An unread AI policy is worse than no policy — it implies the org knows what it should be doing but isn't.
🔍 How EchelonGraph Detects This
EchelonGraph's Tier 1 Cloud Scanner automatically checks for this condition across all connected cloud accounts. Violations are flagged as high-severity findings with remediation guidance.
🔧 Remediation
Author a 2-page AI policy covering: principles, scope, accountability, commitments. Publish it and require annual acknowledgement from all staff. Track the acknowledgement rate as an AIMS KPI.
💀 Real-World Attack Scenario
A tech company's AI policy was authored in 2023 and never circulated. When an engineer made a high-profile AI design decision counter to the policy, leadership couldn't enforce the policy because the engineer had never been informed of it.
💰 Cost of Non-Compliance
Unenforceable AI policy: ~28% of organisations have policies not communicated to staff (Gartner 2024). Whether the policy was communicated is also material in the employment-law defence of AI-related disciplinary actions.
📋 Audit Questions
1. Show me the current AI policy.
2. What is the staff acknowledgement rate?
3. When was it last reviewed?
4. How is the policy referenced in design reviews?
⚡ Common Pitfalls
- ⛔ Authoring a 20-page policy nobody reads
- ⛔ No acknowledgement-tracking mechanism
- ⛔ Letting the policy go stale (>2 years)
📈 Business Value
Lived AI policy provides defensible foundation for design decisions and disciplinary actions involving AI misuse.
⏱️ Effort Estimate
1 week initial authoring + 1 day per annual refresh.
EchelonGraph tracks the acknowledgement rate via IdP integration and alerts on stale acknowledgements.
🔗 Cross-Framework References
Automate ISO/IEC 42001 clause 5.2 compliance
EchelonGraph continuously monitors this control across all your cloud accounts.