.docx ✓ Professional Edition Updated Q1 2026

AI Acceptable Use Policy

Your organization’s first line of defense for responsible AI deployment. A ready-to-customize policy covering acceptable use, prohibited activities, enforcement, and compliance obligations. Framework-verified and structured for audit.

Sections

Pages

Frameworks

3–5hr

To Deploy

NIST AI RMF 1.0 EU AI Act 2024 ISO 42001:2023 ISO 27001:2022 OECD AI Principles IEEE Ethically Aligned Design

Build vs. Buy

From scratch

Research 6 frameworks9 hrs = $135

Draft 35 pages10 hrs = $150

Internal review cycle5 hrs = $75

Cross-mapping 6 frameworks5 hrs = $75

29 hours$435

This template

Purchase$15.00

Customize for your org3 hrs = $45

CitationsIncluded

CrosswalkIncluded

3 hours$60

$375 saved

26 hours back | 25:1 ROI on $15.00

At $15/hr — the price of this template as the hourly rate

“What if I use AI to write it?”

AI makes drafting faster — but it doesn’t reduce the total work. You still need the source framework documents, a way to verify what the AI produces, and SME-level expertise to catch what it gets wrong. AI hallucinates article numbers, invents control IDs, and generates crosswalk tables that look authoritative but aren’t. Every citation still has to be checked against the actual standard. The work shifts from writing to verification — and verification takes just as long.

~28hwith AI + expert verification

3hwith this template

139citations verified

6source PDFs read

$15.00

One-time purchase · Instant download

✓Fully editable Word .docx — customize for your organization
✓24 sections across 35 pages including 7 operational appendices. Agentic AI controls, GPAI compliance, AI Use Case Inventory
✓Aligned to 6 frameworks. ISO 42001, EU AI Act Art. 5, NIST AI RMF, ISO 27001, OECD, IEEE
✓EU AI Act Art. 5 prohibited practices with specific article references
✓Every citation verified against the published standard. Not AI-generated.
✓Updated Q1 2026. EU AI Act Art. 50 transparency obligations included

.docx NIST AI RMF EU AI Act ISO 42001 ✦ Q1 2026 v2

Overview

What this template does

1 / 10

Click image or thumbnail to browse · 10 of 35 pages shown

Every organization deploying AI tools needs a clear policy defining what’s allowed, what’s prohibited, and who’s accountable. Without it, you face regulatory exposure under the EU AI Act, liability from unsupervised AI use, and failed compliance audits.

The v2 Enhanced Edition is a complete, professionally structured policy aligned to 6 frameworks: NIST AI RMF, EU AI Act 2024, ISO/IEC 42001:2023, ISO 27001:2022, OECD AI Principles, and IEEE Ethically Aligned Design. It covers every policy element auditors look for — including the EU AI Act Art. 5 prohibited practices enumerated in full, ISO 42001 Clause 5.2 AIMS policy commitment, agentic AI deployment controls, and an AI Use Case Inventory mandate.

The v2 Professional Edition adds sections that no basic policy template covers: GPAI compliance for organizations fine-tuning or deploying foundation models, a 5-control Agentic AI framework with least-privilege and human oversight checkpoints, EU AI Act Art. 50 transparency disclosure requirements, and ISO 42001 A.9.4 intended use compliance obligations. Each section includes framework-specific rationale, cross-references to other governance documents, and italicized customization notes for your organization’s context.

What’s Inside

24 Sections · 35 Pages · Audit-Aligned Structure

Establishes the governance authority, policy owner, and the regulatory context driving this policy. References EU AI Act Art. 4 AI literacy obligations and NIST AI RMF’s Govern function as the foundational mandate for organizational AI governance. Includes the ISO/IEC 42001:2023 Clause 5.2 AIMS policy commitment.

NIST GOVERNEU AI Act Art. 4ISO 42001 Clause 5.2

Defines who the policy applies to — employees, contractors, temporary staff, and third-party vendors with AI system access. Includes scope exclusions, applicability matrix, and organizational boundary definitions for AI governance coverage.

ISO 42001 Clause 4.3Audit Evidence

Defines the AI Governance Committee structure, reporting lines, and accountability assignments. Covers management oversight duties, approval authority for AI tool adoption, escalation paths for policy concerns, and the role-based responsibility matrix for AI governance across the organization.

NIST GOVERN 1.7ISO 42001 A.3.2EU AI Act Art. 26

Mandates a continuously updated inventory documenting every AI system deployed within or on behalf of the organization. Each entry captures: system name and version, vendor, intended use case, data categories processed, risk classification (per Appendix A), deployment status, assigned System Owner, and EU AI Act classification. The AI Governance Committee reviews and certifies the Inventory quarterly. Unregistered AI systems are classified as Shadow AI and subject to immediate deactivation pending review.

ISO 42001 A.9.4EU AI Act Art. 49Shadow AI ControlsQuarterly Audit

Comprehensive rules for approved AI use categories with examples: productivity and writing assistance, data analysis, customer service augmentation, document summarization, and software development tools. Covers employee responsibilities including AI literacy training (EU AI Act Art. 4), approval requirements for new AI tools, output verification obligations, and confidentiality of proprietary information entered into AI systems.

NIST MAPEU AI Act Art. 4ISO 27001 Asset MgmtOECD Principles

Operationalizes EU AI Act Article 50 transparency obligations. Covers three mandatory disclosure duties: informing users they are interacting with an AI system, machine-readable labeling of AI-generated audio, image, video, and text content, and prohibition on presenting AI-generated content as human-authored in formal, regulated, or external-facing contexts. Includes disclosure statement templates for different organizational contexts.

EU AI Act Art. 50August 2025 OperativeLabeling Requirements

Controls for organizations that develop, fine-tune, or deploy General-Purpose AI models. Covers EU AI Act Article 53(1)(c) copyright opt-out compliance, technical documentation requirements for GPAI models with systemic risk under Art. 51, adversarial testing, and incident reporting per Arts. 53–55. Includes a simplification path for organizations solely deploying third-party GPAI tools (ChatGPT, Copilot, Gemini).

EU AI Act Art. 51–55GPAI Systemic RiskCopyright Opt-Out

Five controls governing autonomous agents, multi-agent pipelines, AI coding assistants with tool access, and systems that independently execute multi-step tasks. Covers: Action-Space Bounding & Least-Privilege Access (Singapore MGF §2.1, NIST AI RMF MAP 3.4/3.5), Human Oversight Checkpoints (EU AI Act Art. 14, ISO 42001 A.9.3), Controllability & Stop Mechanisms (ISO 22989 §3.5.6), Agent Identity & Immutable Logging (NIST AI 600-1 MEASURE 2.7), and End-User Transparency & Competency (EU AI Act Art. 50).

Singapore MGF Agentic AINIST AI 600-1EU AI Act Art. 14ISO 42001 A.9.3

Explicit prohibition list covering EU AI Act Art. 5 unacceptable practices: biometric mass surveillance, social scoring, subliminal manipulation, and exploitation of vulnerabilities. Also covers deepfake creation, autonomous high-stakes decisions without human oversight, unauthorized data training on customer/employee data, and academic fraud.

EU AI Act Art. 5NIST GOVERNIEEE E-6.1

Rules on data handling in AI systems: what employee, customer, and organizational data may and may not be entered into AI tools. Covers data minimization principles, prohibits input of personal health data, financial credentials, unpublished IP, and regulated personal data. Includes a data classification matrix for AI input decisions and technical safeguards for AI system deployment.

ISO 27001 A.8EU AI Act Art. 10NIST MAP 5.1

Tiered consequence framework mapped to violation severity: Level 1 (minor, first offense) → mandatory retraining; Level 2 (moderate/repeat) → formal warning + performance plan; Level 3 (serious/deliberate) → termination and legal referral. Includes an HR-ready violation documentation template.

NIST GOVERN 5.2ISO 42001 A.3.3ISO 42001 A.9.8

AI literacy and governance training requirements for all personnel. Covers mandatory onboarding training, annual refresher cycles, role-specific modules for managers and technical staff, and training completion tracking. Aligned to EU AI Act Art. 4 AI literacy obligations and ISO 42001 A.4.2 competence requirements.

EU AI Act Art. 4ISO 42001 A.4.2NIST GOVERN 6.1

Annual scheduled review requirements plus trigger-event review criteria (new AI legislation, significant AI capability releases, incident-triggered reviews). Version control log template, change notification process, and update approval authority matrix. Aligned to NIST AI RMF’s continuous improvement posture and ISO 42001 Clause 10 improvement requirements.

NIST MANAGE 4.1ISO 42001 Clause 10EU AI Act Art. 9

Complete bibliography of all framework source documents cited in this policy: NIST AI RMF 1.0, EU AI Act (Regulation 2024/1689), ISO/IEC 42001:2023, ISO/IEC 27001:2022, OECD AI Principles, IEEE Ethically Aligned Design, and Singapore Model AI Governance Framework. Includes document identifiers and publication dates for audit traceability.

Audit TrailSource Documents

Precise definitions for AI system, generative AI, autonomous decision-making, high-risk AI (per EU AI Act Annex III), prohibited AI practices, and key policy terms. Aligned to EU AI Act Art. 3 definitions to ensure regulatory consistency and prevent interpretation disputes during audits.

EU AI Act Art. 3NIST AI RMF Glossary

Pre-built version control table tracking document revisions, approval dates, change descriptions, and responsible parties. Ready to customize — fill in your organization’s revision history to maintain a complete audit trail from day one.

ISO 42001 Clause 7.5Document Control

Signature and approval tracking table for policy sign-off. Includes fields for approver name, title, department, signature, and date. Pre-configured for multi-stakeholder approval workflows typical in AI governance (CISO, Legal, Compliance, HR).

Audit EvidenceSign-Off

Four-tier risk matrix: PROHIBITED (EU AI Act Art. 5 — no approval pathway; includes social scoring, manipulation engines, real-time public biometric surveillance), HIGH RISK (Annex III systems — conformity assessment required, mandatory human oversight), MEDIUM RISK (Art. 50 transparency obligations, periodic bias assessment), and LOW RISK (standard access controls and annual review). Each tier includes real-world examples and specific regulatory citations.

EU AI Act Art. 5Annex IIINIST AI RMF MAP 5.1

Ready-to-adopt charter template for establishing an AI Ethics Review Committee. Covers committee mandate, membership composition, meeting cadence, decision authority, escalation procedures, and reporting obligations. Structured to satisfy ISO 42001 governance requirements.

ISO 42001 A.3.2OECD Principles

Step-by-step incident response workflow for AI-related emergencies: detection triggers, severity classification, containment actions, notification requirements, investigation procedures, and post-incident review. Cross-references the AI Incident Response & Improvement Playbook template.

NIST MANAGE 4.1ISO 42001 A.9.8

Structured approval process for new AI tool adoption: request submission, risk assessment screening, security review, data privacy evaluation, governance committee approval, and deployment authorization. Includes decision criteria and SLA targets for each stage.

ISO 27001 A.8ISO 42001 A.9.4

Practical guide to applying the risk classification matrix. Walks through the assessment process step by step: identifying AI use cases, determining risk tier, selecting required controls per tier, documenting risk acceptance decisions, and scheduling periodic reassessment.

NIST AI RMF MAPEU AI Act Art. 9

Due diligence requirements for AI vendors: required contract language, data residency and processing limitations, vendor AI incident notification obligations, and ongoing monitoring expectations. Cross-references the AI Procurement Third-Party Risk Assessment template.

NIST MAP 5.1EU AI Act Art. 25ISO 27001 A.15

11-row crosswalk table mapping every major policy section to specific control IDs across NIST AI RMF, EU AI Act, ISO/IEC 42001:2023, and ISO 27001. Use during internal audits, ISO 42001 certification reviews, or regulatory assessments to demonstrate compliance coverage.

Audit EvidenceISO 42001 CertificationCross-Framework Mapping

Audience

Who deploys this template

🛡️

CISO / Security Lead

Establishes the policy foundation for enterprise AI security posture. Pairs with AI Security Policy and Procurement Risk Assessment for a complete security governance package.

⚖️

Compliance Officer

Satisfies EU AI Act Art. 4 AI literacy obligations and NIST AI RMF GOVERN function requirements. Provides audit evidence for framework assessments.

📋

Legal Team

Establishes contractual obligations and disciplinary grounds for AI misuse. Includes disclosure templates meeting EU AI Act transparency requirements for client-facing work.

🎓

HR & Training Lead

Deploys AI literacy training requirements mandated by EU AI Act Art. 4. Manages the employee acknowledgment process, tracks training completion, and enforces the tiered disciplinary framework for policy violations.

Framework Alignment

How this template maps to standards

NIST

NIST AI RMF 1.0

Maps to the Govern function — establishing policies, accountability, and organizational risk culture. Key coverage includes GOVERN 1.0 (policies for AI risk), GOVERN 5.0 (organizational accountability), and GOVERN 6.0 (policies for AI literacy).

GOVERN 1.1GOVERN 5.2GOVERN 6.1

EU AI Act 2024

Addresses Art. 4 AI literacy requirements, Art. 5 prohibited practices, Art. 50 transparency obligations for AI-generated content, and Art. 25 obligations of deployers. Enforcement-ready for 2025–2026 phase-in schedule.

Art. 4Art. 5Art. 25Art. 50

ISO

ISO/IEC 27001:2022

Supports A.6.1 (screening), A.6.4 (disciplinary process), A.8.1 (asset management for AI tools), and A.15 (supplier relationships for AI vendors). Directly supports ISMS documentation requirements.

A.6.1A.8.1A.15.1

42001

ISO/IEC 42001:2023

Fulfills Clause 5.2 requirements by establishing a framework for AI objectives and committing the organization to continual improvement of its AI Management System (AIMS). Controls A.8.3 (External Reporting), A.6.2.6 (Operation and Monitoring), and A.6.2.8 (Event Log Recording) are directly addressed, making this policy a primary audit evidence artifact for ISO 42001 certification.

Clause 5.2A.8.3A.6.2.6A.6.2.8

OECD

OECD AI Principles

Embeds OECD Principle 1.3 (transparency and explainability), Principle 1.4 (robustness and safety), and Principle 1.5 (accountability). Useful for organizations seeking to align with international AI governance norms.

Principle 1.3Principle 1.4Principle 1.5

IEEE

IEEE Ethically Aligned Design

References IEEE EAD transparency principles (T.2), human responsibility (R.1), and avoidance of misuse (E-6.1) for organizations with a mandate to align to IEEE ethical AI standards. Particularly relevant for engineering-led organizations and IEEE member companies.

T.2 TransparencyR.1 Human AgencyE-6.1 Misuse

Value Proposition

Build from scratch vs. use this template

✓ With This Template

✓Ready to customize in about 3 hours. Replace [Company Name], review the scope, adjust for your regulatory context. Done.

✓Every citation was verified against the published standard. Article numbers and control IDs come from the actual documents, not from AI generation.

✓35 pages. 24 sections including 7 operational appendices. Covers every area an auditor is going to look at.

✓Six frameworks already mapped with a crosswalk table ready for audit: NIST AI RMF, EU AI Act, ISO 42001, ISO 27001, OECD, and IEEE.

✓EU AI Act Art. 5 prohibited practices listed with specific article references. Art. 5(1)(a) through 5(1)(h).

✓Current as of Q1 2026. Includes agentic AI controls, GPAI compliance obligations, and Art. 50 transparency requirements.

✗ From Scratch

✗29+ hours of work even if you know what you’re doing. Research, drafting, review, cross-mapping across six standards.

✗The EU AI Act has 113 articles. ISO 42001 has 39 Annex A controls. Getting the right citations in the right context means reading the source documents. There’s no shortcut.

✗Most existing policies don’t cover agentic AI or GPAI obligations. Those requirements are new and they’re not in the templates you’ll find elsewhere.

✗Six frameworks to find, read, and reconcile. NIST, EU AI Act, ISO 42001, ISO 27001, OECD, IEEE. Each one has a different structure and update cycle.

✗Crosswalk tables don’t build themselves. You’re mapping each policy section to specific controls across every framework. It’s tedious and error-prone.

✗The regulatory landscape is still moving. EU AI Act enforcement is phased through 2026. ISO 42001 certification practices are still maturing. What you write today might need updating next quarter.

Already have a policy? Use the crosswalk table (Appendix G) to identify gaps in your current version against ISO 42001, EU AI Act, and NIST AI RMF requirements.

“Why is this only $15?”

I’ve been building governance documentation since 2012. That year I helped my healthcare analytics company earn its first HITRUST certification. Since then I’ve created and managed compliance documentation for SOC 2, PCI DSS, HITRUST, and ISO 27001 programs across enterprise organizations. I have a writing degree and I genuinely like this work.

HITRUST CSF SOC 2 PCI DSS ISO 27001 14 Years in GRC Writing Degree

Credentials don’t explain the price though. This does:

I want AI adopted responsibly. I don’t want my friends, my family, or my kids dealing with threats and risks that come from deploying AI without governance. Organizations will take the path that earns them the most money. That’s how business works. So I feel obligated to put quality documentation out at a price where governance isn’t something only Fortune 500 companies can afford. I don’t need to charge thousands of dollars to make a difference. I care about helping where I can.

You’re building something that matters — documentation that earns trust from your board, your customers, and your team. And it has to be right.

The citations in these templates were checked against the published standards — the actual ISO 42001:2023 PDF, the EU AI Act regulation text, the NIST AI RMF 1.0 document. Control IDs, article numbers, crosswalk mappings. This is practitioner-built documentation from someone who’s sat in the audits, written the remediation plans, and knows what survives a compliance review.

Derrick Jackson // Founder, Tech Jacks Solutions

Related Templates

Often bought together

★ BUNDLE DEAL — SAVE 20%

Get all 3 foundational AI governance documents

The Quick Start AI Governance Bundle includes this AUP plus the AI Governance Charter and AI Risk Management Framework — $40 instead of $50 if purchased individually.

Important

This template is a starting point, not a finished product. It’s designed to accelerate your governance program by giving you a professionally structured foundation with verified framework citations. It doesn’t replace legal counsel, compliance review, or organizational judgment. Every organization is different. You’ll need to customize the content for your specific regulatory context, risk tolerance, and operational environment. We recommend routing your completed policy through your legal, compliance, and governance teams before adoption. What you’re buying is a jumpstart that saves you weeks of research and drafting, not a guarantee of compliance. Framework citations reflect regulations as of Q1 2026. Regulatory frameworks evolve. Check for updates to the EU AI Act, ISO 42001, and NIST AI RMF before your annual policy review. Single organization license. All purchases include a 14-day money-back guarantee — if the template does not meet your needs, contact us for a full refund.