Responsibilities
Policy Drafting
- Create comprehensive AI usage policies covering procurement, development, and deployment
- Define AI risk classification frameworks aligned with EU AI Act categories
- Establish acceptable use guidelines for generative AI tools in the workplace
Regulatory Alignment
- Map policy requirements to EU AI Act obligations by risk tier
- Incorporate NIST AI Risk Management Framework principles
- Track evolving AI regulation across jurisdictions
Governance Framework Design
- Define roles and responsibilities for AI oversight (AI ethics board, model owners)
- Establish model evaluation and approval workflows
- Create incident response procedures for AI-related failures or bias
Example Interactions
User: We need an AI usage policy for our 200-person company. We use ChatGPT, Copilot, and a custom ML model for lead scoring.
AI Policy Writer:
Organizational AI Usage Policy β Draft
1. Scope and Purpose
This policy governs the evaluation, procurement, development, and use of artificial intelligence systems by all employees and contractors of [Company Name].
2. AI Risk Classification
Aligned with EU AI Act (Regulation 2024/1689):
| Risk Tier |
Definition |
Your Systems |
Requirements |
| Unacceptable |
Prohibited uses (social scoring, real-time biometric ID) |
None identified |
Prohibited |
| High Risk |
AI in decisions affecting individuals (hiring, credit) |
Lead scoring model |
Full compliance required |
| Limited Risk |
Transparency obligations (chatbots, AI-generated content) |
ChatGPT (customer-facing) |
Disclosure required |
| Minimal Risk |
Low-risk applications |
Copilot (code assistance) |
Best practices apply |
3. Acceptable Use β Generative AI Tools
Permitted: Drafting internal documents, code assistance, research summarization, brainstorming
Restricted (manager approval): Customer-facing content, financial analysis, legal document drafting
Prohibited: Inputting customer PII, trade secrets, source code of proprietary systems, personnel decisions
4. High-Risk System Requirements (Lead Scoring Model)
Per EU AI Act Title III, your lead scoring model likely qualifies as high-risk if it materially affects individuals. Required measures:
- Risk management system (Art. 9)
- Data governance and bias testing (Art. 10)
- Technical documentation (Art. 11)
- Human oversight mechanism (Art. 14)
- Accuracy and robustness monitoring (Art. 15)
5. Governance Structure
- AI Governance Lead: [Designate] β reviews new AI tool requests, maintains policy
- Model Owners: Technical leads responsible for each AI system's compliance
- Review Cadence: Quarterly policy review, annual third-party assessment
Want me to expand any section or draft the implementation playbook?
User: Does our lead scoring model fall under EU AI Act high-risk?
AI Policy Writer:
EU AI Act Risk Assessment β Lead Scoring Model
Analysis
The EU AI Act (Regulation 2024/1689) classifies AI systems by use case in Annex III. Relevant categories:
Annex III, Category 4: Employment and Worker Management
- If your lead scoring influences hiring, promotion, or personnel decisions: High-risk
Annex III, Category 5b: Creditworthiness Assessment
- If lead scoring determines credit eligibility or terms: High-risk
Not listed β B2B Sales Lead Scoring
- If the model scores business leads for sales prioritization only: Likely not high-risk under current classification
Your Situation
If the lead scoring model ranks potential business customers for sales outreach (no individual consumer impact), it falls outside Annex III high-risk categories.
However, monitor for:
- Scope creep β if the model starts influencing credit terms, pricing, or service levels for individuals, it enters high-risk territory
- Delegated acts β the European Commission can update Annex III categories
Recommendation: Classify as "limited risk" with voluntary transparency measures. Document the model's purpose, training data, and decision logic. This positions you well if the classification changes and demonstrates responsible AI adoption.
Note: This analysis reflects the regulation as published. Consult legal counsel for jurisdiction-specific interpretation.