Every Company Needs an AI Strategy and Policy — Here's the Framework and a Template
- Erick Robinson
- Apr 14
- 8 min read
We are past the point where AI governance is optional. Every major corporation — and increasingly, every mid-market company — is deploying AI in some form, whether through internally developed models, third-party SaaS platforms, or simply employees using ChatGPT at their desks during lunch. The question is no longer whether your company uses AI. The question is whether your company governs its AI use, or whether it is flying blind into a rapidly hardening regulatory environment.
I have spent just about 25 years in patent law and IP strategy, including roles as in-house counsel at Qualcomm and Red Hat, and I have watched this pattern before. A transformative technology emerges. Companies race to adopt it. The legal and governance frameworks lag behind — until they don't. And when the regulatory hammer drops, the companies without documented policies, governance structures, and compliance frameworks are the ones writing the largest checks to plaintiffs' lawyers and regulators.
That moment is arriving now for AI. The EU AI Act is in force, with its obligations phasing in through 2027. Colorado's AI Act takes effect in 2026. New York City already requires bias audits for automated employment decision tools. The FTC has made clear it views deceptive or unfair AI practices as enforcement priorities. China has enacted algorithmic recommendation, deep synthesis, and generative AI regulations. And dozens of additional state, federal, and international AI laws are in various stages of enactment.
To help companies navigate this landscape, I have developed a comprehensive template AI Corporate Strategy and Policy document — a 70+ page framework designed as a superset of every governance provision a large international corporation might need. This article explains what that document contains, how to use it, and what I believe every company must and should be doing right now.
What This Document Is — and What It Is Not
Let me be direct: the document is not legal advice. It is not a fill-in-the-blank template that any company can adopt wholesale. It is a comprehensive menu — an intentionally exhaustive collection of provisions, clauses, frameworks, and governance structures from which an adopting organization should select, modify, and tailor only those elements that fit its particular circumstances.
Think of it as a master pattern book. A boutique SaaS company with 50 employees deploying a single customer-facing chatbot does not need the same governance architecture as a Fortune 100 multinational with AI embedded in credit underwriting, medical device software, autonomous vehicle systems, and employee hiring tools across 40 countries. But both companies need something — and both need to make deliberate, documented choices about what they are doing, why, and how they are managing the risks.
The document spans 17 substantive parts and six appendices, covering governance structure, strategic planning, ethical AI principles, risk management, data governance, the AI development lifecycle, procurement and third-party AI, intellectual property, regulatory compliance, workforce impact, security, generative AI, customer-facing AI, environmental sustainability, audit and reporting, and policy administration.
How to Use This Framework
The document is designed for modular adoption. Here is the process I recommend:
First, assess your organization. Before selecting any provisions, you need to understand your company's AI footprint. What AI systems are you developing internally? What third-party AI tools are your employees using — including the ones nobody in the C-suite knows about? What data are you feeding into these systems? What decisions are being influenced or automated by AI? What jurisdictions are you operating in? What industry-specific regulations apply? You cannot govern what you have not inventoried.
Second, engage legal counsel. This is non-negotiable. AI governance sits at the intersection of data privacy law, employment law, intellectual property law, consumer protection, securities regulation, sector-specific compliance, and emerging AI-specific legislation. No template — no matter how comprehensive — can substitute for jurisdiction-specific legal analysis by qualified counsel. The regulatory landscape is not merely complex; it is evolving on a monthly basis across dozens of jurisdictions simultaneously.
Third, select and tailor. Using the comprehensive framework as your starting point, identify which sections, subsections, and specific provisions are relevant to your organization's size, industry, geographic footprint, AI maturity, risk profile, and strategic objectives. Delete what does not apply. Modify what needs to be adapted. Supplement where your particular circumstances require additional provisions. The goal is a policy that is both comprehensive enough to provide real governance and practical enough that people will actually follow it.
Fourth, implement with governance teeth. A policy document sitting in a SharePoint folder that nobody reads is worse than useless — it creates a false sense of compliance. The governance structures described in the framework (board-level oversight, an AI Governance Committee, a Chief AI Officer, an AI Ethics Board, business unit AI leads) exist because AI governance requires active, ongoing, cross-functional management. You need people with authority, accountability, and resources.
Fifth, review and update continuously. This is a living document. The regulatory environment, the technology landscape, and your organization's AI activities will all change. Build a formal review cycle — at least annually, and more frequently for organizations with high-risk AI applications or operations in jurisdictions with active AI legislative agendas.
What Every Company Must Do
Certain AI governance obligations are no longer discretionary. They are legal requirements, and non-compliance carries enforcement risk, litigation risk, and reputational risk. While the specific requirements vary by jurisdiction and industry, the following are emerging as baseline legal obligations for any company deploying AI in a meaningful way:
Comply with data protection laws as applied to AI. The GDPR, CCPA/CPRA, LGPD, and their counterparts worldwide apply to AI systems that process personal data. This includes requirements for lawful basis, data minimization, purpose limitation, data subject rights (including the GDPR Article 22 protections against solely automated decisions with legal or similarly significant effects, with the right to obtain human intervention and to contest the decision), data protection impact assessments, and cross-border transfer mechanisms. If your AI systems process personal data — and nearly all of them do — you are already subject to these requirements.
Conduct bias audits where required by law. New York City's Local Law 144 requires annual bias audits for automated employment decision tools. Colorado's AI Act will require impact assessments for high-risk AI systems. The EU AI Act imposes extensive conformity assessment requirements for high-risk AI. These are not suggestions. They are legal mandates with enforcement mechanisms and penalties.
Disclose AI use to affected individuals where required. Multiple jurisdictions now require disclosure when individuals are interacting with AI systems or when AI materially influences decisions affecting them. This includes the EU AI Act's transparency obligations, state-level automated decision-making disclosure requirements, and sector-specific rules such as the FTC's expectations around AI-driven consumer interactions.
Comply with employment and anti-discrimination laws. Using AI in hiring, promotion, performance management, or termination decisions implicates Title VII, the ADA, ADEA, and their state and international equivalents. Under these laws the employer remains responsible for discriminatory outcomes produced by the tools it uses, even when those tools are developed by third-party vendors, and the EEOC has said as much in its technical assistance. Illinois, Maryland, and other states have enacted specific requirements for AI in hiring.
Maintain appropriate records and documentation. Under the EU AI Act, providers and deployers of high-risk AI systems must maintain extensive technical documentation, quality management records, and logs. Even absent AI-specific requirements, general recordkeeping obligations under securities, financial services, healthcare, and employment regulations extend to AI-related activities and decisions.
What Every Company Should Do
Beyond strict legal compliance, there are governance practices that every company deploying AI should implement as a matter of sound business judgment, risk management, and stakeholder trust — even if not yet legally required in every jurisdiction:
Establish clear governance structures with named accountability. Every AI system should have a human being who is accountable for its compliance, performance, and ethical implications. This is not bureaucracy for its own sake; it is the mechanism by which organizations maintain control over increasingly autonomous systems. The framework describes a multi-tiered structure — board oversight, a Chief AI Officer, an AI Governance Committee, an AI Ethics Board — that can be scaled to fit organizations of different sizes.
Create and maintain an AI system inventory. You cannot govern what you do not know about. Shadow AI — employees using unauthorized AI tools with company data, including AI features switched on inside SaaS products the company already licenses — is one of the most significant and underappreciated risks facing organizations today. A centralized registry of all AI systems in development, procurement, and production, recording for each its owner, purpose, data inputs, and risk tier, is foundational to every other governance activity.
Classify AI systems by risk. Not all AI applications carry the same risk. A model that optimizes internal meeting room scheduling is fundamentally different from one that influences credit decisions or medical diagnoses. Risk classification drives proportionate governance — more oversight, more testing, more documentation, and more human review for higher-risk applications. This approach is consistent with both the EU AI Act's risk-based framework and the NIST AI Risk Management Framework.
Address generative AI specifically. The proliferation of large language models and other generative AI tools has created a new category of risk that most existing corporate policies do not adequately address. Companies need clear rules about what data employees can and cannot input into these tools, how AI-generated outputs must be reviewed and disclosed, and what uses are prohibited. The risk of confidential data leakage, hallucinated outputs presented as fact, and copyright infringement through AI-generated content is real and immediate.
Build IP governance into your AI strategy. AI creates novel intellectual property challenges that most companies have not yet addressed. Who owns the output of an AI system? Can AI-generated inventions be patented? What are the copyright implications of training models on third-party content? What happens to your trade secrets when they are ingested by a third-party AI platform? These questions require deliberate policy decisions informed by legal counsel — not after-the-fact scrambling when a dispute arises.
Prepare your workforce. AI will transform roles, eliminate some positions, and create others. Companies that approach this transformation with transparency, investment in reskilling, and genuine attention to the human impact will retain talent and maintain trust. Companies that deploy AI as a blunt cost-cutting instrument without workforce planning will face labor relations challenges, reputational damage, and — in jurisdictions with consultation requirements — legal exposure.
Think about environmental impact. Training large AI models consumes enormous amounts of energy. As ESG reporting requirements expand and stakeholders increasingly scrutinize corporate environmental claims, the carbon footprint of AI operations will face growing scrutiny. Companies should measure, report, and optimize the environmental impact of their AI activities.
The Bottom Line
AI governance is not an IT project. It is not a compliance checkbox. It is a strategic imperative that touches every function of the organization — legal, finance, HR, operations, product, marketing, security, and the board itself.
The companies that build thoughtful, comprehensive AI governance frameworks now will be positioned to deploy AI confidently, manage risks proactively, comply with regulations as they emerge, and maintain the trust of customers, employees, investors, and regulators. The companies that do not will be playing catch-up — and the cost of catching up always exceeds the cost of getting it right from the start.
The framework I have published is designed to give organizations a head start. It is comprehensive by design, because the cost of omitting a critical provision is far greater than the cost of reviewing a provision and deciding it does not apply. Take it, work with your legal counsel, adapt it to your circumstances, and put real governance behind your AI ambitions.
The technology is moving fast. Your governance needs to keep pace.
Erick Robinson is a patent litigation partner at Cherry Johnson Siegmund James, PC, with more than 25 years of experience in technology, AI, patent law, IP strategy, and litigation. He has been recognized as one of the Leading 300 IP Strategists Worldwide by IAM since 2014. He publishes at PatentLitigation.blog and hosts the Litigation Funding Podcast and the PTAB Podcast.
Disclaimer: This article is provided for informational and educational purposes only and does not constitute legal advice. The information contained herein reflects the law as of the date of publication and is subject to change. Readers should consult with qualified legal counsel regarding specific legal questions or circumstances. The views expressed in this article are those of the author and do not necessarily reflect the views of Cherry Johnson Siegmund James, PC.
Additionally, the AI Corporate Strategy and Policy framework referenced in this article is available for download here:
It is provided for informational purposes only and does not constitute legal advice. Organizations should consult qualified legal counsel before adopting any provisions.