The short version
- AI policy ownership defaults to legal, IT, or no one — and all three fail.
- AI usage is fundamentally a people-and-work question, which puts the Head of People in the room.
- Ownership should be shared: People owns acceptable use, IT owns access, Legal owns risk.
- But a policy without a decision record is unenforceable, because no one can prove what was decided.
- The Head of People should anchor AI policy to a system of record for decisions.
AI policy should be owned jointly, with the Head of People anchoring acceptable use, IT owning access and security, and Legal owning regulatory risk. Most companies default ownership to one function or no one, which produces a policy no one enforces. The role most companies miss is People, because AI use is fundamentally a question about how work gets done.
Who AI policy defaults to — and why it fails
When a company decides it needs an AI policy, ownership lands in one of three places, each with a predictable failure mode:
| Default owner | What they produce | Why it fails |
|---|---|---|
| Legal | A risk-averse prohibition list | Ignored because it blocks useful work |
| IT / Security | Tool access controls | Governs access, not behavior or judgment |
| No one | Shadow AI use everywhere | Unmanaged risk, no shared norms |
Each owner solves a real slice of the problem and misses the center: how employees should actually use AI in their daily work, what good judgment looks like, and where the line sits.
Why the Head of People belongs in the room
AI usage is a work-design and culture question before it is a legal or technical one. How AI changes roles, what counts as acceptable use, how to disclose AI-assisted work, how to train people to use it well — these are People domains. The Head of People owns the answer to "how do we work here?", and AI is now a load-bearing part of that answer.
Leaving People out produces policies that are technically and legally sound but culturally inert. The policy that gets followed is the one written by the function that understands how the work actually happens. This mirrors the broader pattern in the chief of staff guide to decision infrastructure: the right owner is the one closest to the work, not the one with the most authority on paper.
A shared ownership model
AI policy should not have a single owner; it should have a single accountable convener with clearly divided domains:
- Head of People (convener and acceptable-use owner). Defines how employees may use AI, disclosure norms, training, and the cultural line between augmentation and abdication.
- IT / Security (access owner). Controls which tools are approved, how data flows, and what is blocked at the network and account level.
- Legal (risk owner). Owns regulatory exposure, IP and confidentiality rules, and contractual constraints.
- CTO (grounding owner). Ensures internal AI tools are grounded in real decisions, not hallucinating — see what CTOs get wrong about AI rollout.
The Head of People convenes the others and owns the document, because the document is fundamentally about people and their work.
Why policy needs a decision record
Here is the part almost everyone misses: a policy you cannot prove you decided is a policy you cannot enforce. When an employee asks "are we allowed to use this tool for that?", the answer must point to a recorded decision — owner, rationale, authority, date — not to someone's recollection of a Slack thread.
Without that, every enforcement conversation becomes a re-argument, and every audit becomes an archaeology project. Anchoring AI policy to a system of record for decisions makes the policy queryable and defensible. This is why AI governance starts with decision governance: the policy is only as real as the record behind it.
The Head of People AI policy playbook
- Claim the convener role. Do not wait for AI policy to land in Legal by default. The Head of People is the natural owner of acceptable use.
- Divide domains explicitly. Write down who owns access, risk, grounding, and use — and record that division as a decision, not an assumption.
- Define acceptable use in terms of work, not tools. "Disclose AI-assisted analysis to your reviewer" outlasts any specific product ban.
- Record every policy decision. Each rule gets logged with its rationale and authority so it is enforceable and revisable.
- Make the policy queryable. Employees and internal AI tools should be able to look up the current rule without asking a human.
- Review on a cadence. AI capability moves fast; treat the policy as a living decision record, not a one-time document.
Common Questions
Who owns AI policy in a company?
AI policy is best owned jointly, with the Head of People convening and owning acceptable use, IT owning access and security, and Legal owning regulatory risk. The Head of People is the role most companies miss, because AI usage is fundamentally a question about how work gets done.
Why shouldn't Legal or IT own AI policy alone?
Legal tends to produce prohibition lists that get ignored, and IT governs tool access rather than behavior or judgment. Neither addresses the central question of how employees should actually use AI in their work, which is a People domain.
What makes an AI policy enforceable?
Enforceability requires a recorded decision behind each rule — owner, rationale, authority, and date. A policy anchored to a system of record for decisions is queryable and defensible; one that lives in memory or a stale doc is neither.
How often should AI policy be reviewed?
Treat AI policy as a living decision record reviewed on a regular cadence, because AI capability and risk shift quickly. Each revision should be logged with its rationale so the policy's evolution is auditable.