“What’s your AI policy?”Have the answer before they ask.
The AI Governance & Acceptable Use Starter Kit is six editable documents — an AI Acceptable Use Policy, employee usage guidelines, data-handling SOPs, a vendor evaluation rubric, a client-facing AI disclosure template, and an incident response playbook — built for the 5 to 200 employee company that just got asked the question by an enterprise prospect, an insurer, a board member, or an auditor. Starting templates, not legal advice. Customize for your jurisdiction and industry, and run them past counsel before deployment.
You can draft the policy after they ask. Or you can have it ready.
Most 5 to 200 employee companies don’t have an AI policy. Not because they don’t care — because the structural drafting is a one-to-two week project that competes with everything else on the ops calendar.
Then a question lands. An enterprise prospect’s procurement team. A cyber insurance renewal application. A board member who just read an article. A SOC 2 auditor expanding scope. Suddenly the missing policy is in the critical path of a deal, a coverage decision, or an audit finding.
The kit ships the structural draft — six editable documents that get you past the blank-page problem. You still need to customize for your business and route them through counsel. You don’t need to start from zero.
- 01A Slack thread from six months ago that mentioned writing an AI policy
- 02A Notion page titled “AI policy (DRAFT)” with two bullet points
- 03A copy of someone else's policy borrowed from a friend at another company
- 04A vague verbal understanding among leadership about “how we use ChatGPT”
- 05A growing list of employees using AI tools in ways nobody's documented
- 06An enterprise questionnaire on the COO's desk with a 10-day response window
Six editable documents. Designed to be customized for your business.
AI Acceptable Use Policy
The master policy document — purpose, scope, approved tools, permitted uses, prohibited uses, data classification rules, training requirements, enforcement. The clause-by-clause document your prospect or insurer is asking for.
Employee AI Usage Guidelines
The human-readable internal-comms version of the policy. Quick-reference card, FAQ for common employee questions, do/don't examples drawn from real workflows. Built to actually get read.
Data-Handling SOPs
Operational procedures for AI + sensitive data: customer PII, employee data, financial information, internal IP. Step-by-step flowcharts and decision trees for the moments employees are most likely to make a mistake.
Vendor & Tool Evaluation Rubric
Scorecard for vetting third-party AI tools before approval — data residency, training-on-input policies, security certifications, contract terms, EU AI Act risk classification awareness. Notion database + PDF version.
Client-Facing AI Disclosure Template
Transparency-facing document for customers and partners — where you use AI, what data flows through it, how outputs are reviewed, what choices customers have. The kind of document procurement teams increasingly require.
Incident Response Playbook
What to do when something goes wrong — data inadvertently submitted to an AI tool, model hallucination affects a customer, vendor breach involves your data. Runbook, contact tree, notification templates, postmortem framework.
All six documents are starting templates designed to be customized. Each ships with inline annotations marking core clauses, scope-dependent clauses, and optional add-ons. Run them past your own counsel before deployment.
When this kit pays for itself many times over.
The Enterprise Security Questionnaire
A B2B prospect's procurement team sends a vendor security review with an AI controls section. Without a documented policy, you stall a six-figure deal at the security gate. With one, you respond same-week with attached PDFs.
The Cyber Insurance Renewal
Your carrier adds AI-use questions to the renewal application. Coverage scope and premium increasingly depend on documented controls. “We’re working on it” lengthens the underwriting cycle. “Here’s our policy” shortens it.
The Board or Leadership Ask
Your COO, GC, or a board member surfaces the question — often after a data-leak incident in the news, an employee accidentally pasting customer data into ChatGPT, or a customer asking how you handle their information.
The Auditor's New Section
SOC 2 Type II, ISO 27001, and industry-specific audits increasingly include AI controls in scope. The auditor wants to see written policies, operational SOPs, vendor risk assessments, and an incident response plan. “We don’t have those yet” becomes a finding.
Sample excerpt from the AI Acceptable Use Policy. Annotations show how clauses map to real questionnaire items.
§ 3. Acceptable Use of AI Tools
§ 3.1 Approved AI Tools
The following AI tools are approved for company use under this policy:
- (a) Claude (Anthropic) — content drafting, analysis, code generation;
- (b) ChatGPT (OpenAI) — general productivity assistance;
- (c) [Customize: list your approved tools and their permitted use cases].
§ 3.2 Permitted Uses
Employees may use approved AI tools for:
- (a) Drafting first-pass content for internal review;
- (b) Analyzing publicly available information or appropriately classified data;
- (c) Generating code, subject to security review prior to merge;
- (d) Preparing customer-facing communications, subject to § 4 disclosure rules.
§ 3.3 Prohibited Uses
Employees may NOT use AI tools for:
- (a) Processing customer PII without explicit consent and applicable agreements;
- (b) Generating final-form legal, financial, medical, or regulated advice;
- (c) Submitting confidential company data to non-approved tools;
- (d) [Industry-specific prohibitions — customize for healthcare, finance, etc.].
Informed by the standards your auditors and counterparties reference.
The templates draw structural language and risk concepts from established frameworks. This kit does not certify, attest, or guarantee compliance with any of them — that’s work your auditors, counsel, and operating practices do. What the kit gives you is documentation that speaks the same vocabulary your counterparties expect.
Risk-management vocabulary, the Govern / Map / Measure / Manage functions, and the Generative AI Profile.
Structural management-system language for organizations operating AI in a governed way.
Trust Services Criteria language now increasingly applied to AI use in service delivery.
Risk-tier vocabulary referenced in the vendor evaluation rubric. Specialized counsel required for EU posture.
State and international AI regulations continue to evolve. The kit is updated when major frameworks ship material changes. Existing buyers get those updates included.
What this kit is. What it isn’t. So you can decide cleanly.
- Six editable starting templates informed by published frameworks.
- Documentation infrastructure most enterprise questionnaires expect to see.
- A structural draft that saves the 1–2 week blank-page problem.
- Annotated for clarity on which clauses are core vs. scope-dependent.
- A foundation you customize, deploy, and operate consistently with.
- Not legal advice. Run everything past your own counsel before deployment.
- Not certification. Does not make you compliant with GDPR, HIPAA, SOC 2, EU AI Act, or any other regulation or framework.
- Not a substitute for industry-specific overlays (HIPAA BAAs, FedRAMP, GLBA, etc.).
- Not turnkey. Templates require customization for your business, industry, and risk profile.
- Not the finish line. Documentation alone doesn’t constitute compliance — your actual practices do.
We say this loudly because the failure mode in this category is buyers treating template policies as if they were certifications. Documentation gets you past the blank-page step. The work that actually reduces risk is operating consistently with the policies, having counsel review the customizations, and updating the documents as your practices and the regulatory landscape evolve.
Be honest with yourself before you click buy.
- You’re a 5–200 employee company and you don’t have an AI policy yet.
- You’ve recently been asked for one by a prospect, insurer, or auditor.
- You have someone (ops lead, COO, GC, CISO, technical founder) who can customize.
- You have counsel you can route the customized drafts past.
- You want a credible structural draft, not blank-page paralysis.
- You want a certified or audited policy as the deliverable.
- You expect the kit to make you compliant with a specific regulation.
- You can’t get the customized drafts past counsel.
- You’re in a heavily regulated industry without specialized counsel involvement.
- You want a vendor-managed service, not a kit to own and customize.
Start the policy, then deepen and maintain it.
This is the starter set; go deeper when you’re ready. The AI Usage Policy Kit is the comprehensive single-document policy, the AI Acceptable-Use Policy Builder tailors the rules to your stack, and the AI Governance Maintenance Plan keeps it current as the tools and the law shift.
The questions buyers actually ask before customizing and routing past counsel.
No. The AI Governance & Acceptable Use Starter Kit is not legal advice and is not a substitute for counsel. The templates are editable starting points informed by published frameworks like NIST AI RMF 1.0 and ISO/IEC 42001, plus the questions that show up on enterprise vendor security questionnaires and cyber insurance applications. Have your own counsel review the policies for your specific jurisdiction, industry, and risk profile before you deploy them. The kit exists to save you the structural drafting week — not the legal review step.
No — and any product promising that is selling fiction. Compliance is determined by your actual practices, your auditors, and your regulators, not by template documents. What the kit does provide is the documentation infrastructure that audits and questionnaires expect to see: written policies, SOPs, vendor evaluation processes, and an incident response plan. You'll still need to operate consistent with the policies, customize for your industry, and run the policies past counsel. The kit is the documentation foundation. Compliance is the work you do on top of it.
All editable. Word documents (.docx) for the policies and the client-facing disclosure template. A Notion-importable database for the vendor evaluation rubric. PDFs of the printable quick-reference cards for employee distribution. Google Docs versions included for teams that work in Drive. No proprietary or locked formats.
Fully editable, designed to be customized. Each document includes inline annotations marking which clauses are core (don't remove), which are scope-dependent (customize based on your industry, size, and risk profile), and which are optional add-ons (include only if relevant). The annotations also flag the clauses that typically answer specific questions on enterprise vendor questionnaires.
The kit references EU AI Act risk-classification language where relevant — specifically in the AI Acceptable Use Policy and the Vendor Evaluation Rubric. It does not claim to make you EU AI Act compliant. Your actual EU AI Act posture depends on your role in the AI value chain (provider, deployer, importer, distributor), your applicable risk tier, and your specific deployments. If you market AI products into the EU, this kit is a starting point — you need specialized counsel for the full compliance posture.
The kit is a structural starting point, not an industry-specific framework. Healthcare buyers will need to layer in HIPAA-specific controls (BAAs with AI vendors, PHI handling rules). Finance buyers will need to align with GLBA, NYDFS, or applicable supervisory expectations. Government contractors need FedRAMP, FISMA, or sector-specific overlays. The kit gives you a more credible starting point than a blank page. It is not the finish line for regulated industries.
Typically the head of ops, COO, general counsel (if you have one), CISO or IT lead, or technical co-founder at a 5 to 200 employee company. Especially relevant for B2B SaaS companies in vendor-security-conscious segments, agencies handling client data, healthcare-adjacent service businesses, and any SMB that has recently been asked AI policy questions by an enterprise prospect or insurer.
The kit is updated when major frameworks change — NIST AI RMF revisions, ISO/IEC 42001 updates, EU AI Act implementing acts, and significant changes from major model providers that affect customer use. Existing buyers get lifetime updates included in the $39. RedHub AI notifies you by email when a material update ships.
30-day no-questions refund. If the kit doesn't save you the structural drafting week your team would otherwise burn, you shouldn't have paid. Email RedHub AI support and the $39 comes back. (The refund is on the kit, not on any legal-review or operational work you've done with the templates.)
Have the answer.
Before they ask.
The AI Governance & Acceptable Use Starter Kit is $39 once. Six editable documents. The structural draft your team would otherwise spend a week and three Slack threads producing.
Starting templates, not legal advice. Customize for your jurisdiction and industry. Run past counsel before deployment.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai