Why your AI policy isn’t working
Most organisations now have an AI policy. I’m pretty sure most employees have never read it.
Here is my take. Someone senior panicked, and a document was produced. It was shared via email, filed somewhere on the intranet nobody visits, and referenced in a meeting once. Job done. Policy: in place.
A policy without understanding is just a document. And a document nobody reads, written in language nobody fully understands, governing tools nobody has been properly trained to use, the last time I checked, isn't a solid policy. It's the illusion of protection. Which, if anything, is more dangerous.
Here's the part that should concern leadership. Regulators are no longer satisfied with documentation. The EU AI Act doesn't ask whether your policy exists. It asks whether your people can demonstrate they understand it and apply it. There's a significant difference between the two.
This is where my philosophy background becomes relevant again. In ethics, we've always made a distinction between knowing the rules and understanding the reasoning behind them. A student who memorises that lying is wrong hasn't developed ethical thinking. A student who can explain why, and can recognise cases where it gets complicated, has. The same applies here with AI.
An employee who knows the policy says "don't input client data into AI tools" is following a rule. An employee who understands the why (data exposure, confidentiality breach, regulatory consequence, etc.) will make better decisions in the moments the policy didn't anticipate. And there will always be moments the policy didn't anticipate.
That's not a policy failure. That's just the nature of fast-moving technology. Which is exactly why comprehension has to sit alongside compliance.
The good news, again, is that this is a solvable problem. Policies need people who can translate them, not just distribute them. Someone who can sit with a team and ask the questions that turn a document into a practice.
That's not a legal skill. It's an education skill.
If your organisation has a policy but isn't confident your people truly understand it, that's the conversation worth having. Feel free to reach out.

