AI Governance Policy Template for Belgian SMBs
Most Belgian SMBs use AI tools weekly but lack a formal governance policy. This template provides a practical framework you can adapt to your organization, grounded in EU AI Act requirements and real-world governance principles.
How to use this template: Copy each section below and customize the placeholder text for your organization. The template covers the key areas the EU AI Act expects deployers to address: AI inventory, human oversight, data handling, vendor management, and monitoring. Adapt the scope and detail to match your actual AI usage.
Why your SMB needs an AI governance policy
The EU AI Act creates specific obligations for organizations that deploy (use) AI systems. Even if you only use AI tools built by others, you are a "deployer" with responsibilities for:
- AI literacy (Art. 4): Ensuring staff understand the AI tools they use
- Human oversight (Art. 26): Keeping humans in the loop for consequential decisions
- Transparency (Art. 50): Informing people when they interact with AI
- Proper use (Art. 26): Using AI systems according to vendor instructions
A written policy documents how your organization meets these obligations. It also helps staff understand what is expected and provides evidence of good-faith compliance if questions arise.
For detailed guidance on deployer obligations, see EU AI Act Deployer Guide for Belgian SMBs.
The template
The following sections form a complete AI governance policy. Copy and customize each section for your organization.
Section 1: Purpose and Scope
This AI Governance Policy establishes guidelines for the responsible use of artificial intelligence tools and systems at [Organization Name].
Purpose
This policy aims to:
- Ensure AI tools are used responsibly, ethically, and in compliance with applicable law
- Protect our organization, clients, and stakeholders from AI-related risks
- Establish clear expectations for staff using AI tools
- Document our approach to EU AI Act deployer obligations
Scope
This policy applies to:
- All employees, contractors, and partners who use AI tools in their work for [Organization Name]
- All AI-powered software, services, and features used in business operations
- Both dedicated AI tools and AI features embedded in other software
Customization guidance
Replace [Organization Name] with your business name. Adjust the scope section if your policy should exclude certain roles or systems.
Section 2: AI Inventory
[Organization Name] maintains an inventory of AI tools and systems in use. This inventory is reviewed [quarterly / semi-annually / annually].
Current AI tools in use
[List your AI tools here. Examples:]
- ChatGPT / Claude / other LLM: Used for drafting text, research assistance, and brainstorming. Risk classification: minimal.
- Microsoft Copilot: Used for document editing and email drafting. Risk classification: minimal.
- Accounting software AI features: Used for invoice categorization and anomaly detection. Risk classification: minimal.
- [Add your specific tools]
Risk classification
Each AI tool is classified according to EU AI Act risk categories:
- High-risk: AI used for employment decisions, credit scoring, access to essential services, or other Annex III categories. Requires additional safeguards.
- Limited-risk: AI that interacts directly with natural persons. Requires transparency disclosures.
- Minimal-risk: Most business productivity tools. No specific legal requirements beyond general good practice.
Customization guidance
List every AI tool your organization actually uses. Include AI features in existing software (e.g., accounting software with AI categorization). Most SMB tools will be minimal-risk. If you use AI for hiring, performance evaluation, or creditworthiness assessment, those are high-risk and require additional documentation.
Section 3: Human Oversight
AI tools at [Organization Name] support human decision-making; they do not replace it. Staff must maintain meaningful oversight of AI outputs.
General principles
- AI-generated content must be reviewed by a human before being sent to clients, published externally, or used for consequential decisions
- Staff must not blindly accept AI outputs; they are responsible for verifying accuracy and appropriateness
- AI tools should not be used as the sole basis for decisions that significantly affect individuals
Review requirements by use case
- Client communications: All AI-drafted emails, letters, or reports must be reviewed and approved by the responsible staff member before sending
- Financial analysis: AI-generated calculations or categorizations must be verified against source documents
- Published content: All AI-assisted content for website, social media, or marketing must be reviewed for accuracy before publication
- [Add use-case-specific requirements for your organization]
Escalation
If AI output appears incorrect, biased, or inappropriate, staff should:
- Not use the output
- Report the issue to [designated person or role]
- Document the issue for review
Customization guidance
Specify review requirements for your actual use cases. If you use AI for high-risk applications (hiring, credit decisions), add stricter oversight requirements. Designate a real person or role for escalation.
Section 4: Data Handling and Privacy
When using AI tools, staff must protect confidential and personal data in accordance with GDPR and client confidentiality obligations.
Prohibited data inputs
The following must NOT be entered into external AI tools without explicit authorization:
- Personal data of clients, employees, or third parties (names, addresses, financial details, health information)
- Confidential business information belonging to clients
- Trade secrets or proprietary information
- Data subject to legal privilege or professional secrecy
Permitted uses
AI tools may be used with:
- Anonymized or aggregated data that cannot identify individuals
- Publicly available information
- Internal working documents that do not contain personal or confidential data
- Hypothetical scenarios and general questions
Data retention
Staff should be aware that data entered into external AI tools may be retained by the provider. Consult vendor documentation for data retention policies.
Customization guidance
Adjust prohibited and permitted categories for your industry and data types. If you use enterprise AI tools with stronger data protection (e.g., Azure OpenAI with data processing agreements), you may have more flexibility. If your organization handles particularly sensitive data (legal, medical, financial), consider stricter restrictions.
Section 5: Vendor Selection and Management
AI tools used at [Organization Name] must be evaluated for compliance and suitability before adoption.
Selection criteria
Before adopting a new AI tool, consider:
- Data processing location: Where is data processed and stored? EU/EEA processing is preferred for GDPR compliance.
- Vendor documentation: Does the vendor provide clear instructions for use, including limitations and prohibited uses?
- Data protection: What are the vendor's data retention and security practices? Is a Data Processing Agreement (DPA) available?
- Risk classification: What risk category does the tool fall into under the EU AI Act?
Approval process
New AI tools must be approved by [designated person or role] before use in business operations. Shadow AI (unauthorized AI tool use) is not permitted.
Ongoing monitoring
AI vendors should be reviewed periodically for continued suitability. Significant changes to vendor terms, data practices, or tool capabilities should trigger a review.
Customization guidance
Designate who approves new AI tools. For small organizations, this may be the owner or managing partner. For larger organizations, consider an IT or compliance review process. Adjust the approval process formality to match your organization's size and risk profile.
Section 6: AI Literacy and Training
In compliance with EU AI Act Article 4, [Organization Name] ensures that staff using AI tools have appropriate understanding of those tools.
Minimum competencies
Staff using AI tools should understand:
- What the AI tool does and what it is designed for
- The tool's limitations and potential for errors
- How to interpret AI outputs critically
- When human review or escalation is required
- Data protection requirements when using the tool
Training approach
AI literacy is addressed through:
- Onboarding materials for new staff
- This policy document and related guidance
- Practical guidance from experienced colleagues
- [Additional training resources your organization provides]
Ongoing learning
AI tools evolve rapidly. Staff are encouraged to stay informed about changes to tools they use and to share relevant learnings with colleagues.
Customization guidance
AI literacy requirements should be proportionate to how your organization uses AI. If AI is central to operations, more formal training may be appropriate. For occasional use of productivity tools, informal guidance and this policy may suffice.
Section 7: Transparency and Disclosure
[Organization Name] is transparent about AI use where appropriate.
Client-facing AI
When AI systems interact directly with clients or the public:
- Chatbots and automated assistants are clearly identified as AI
- AI-generated content that could be mistaken for human-authored work is disclosed as AI-assisted where appropriate
Internal transparency
Staff are informed about:
- Which AI tools are approved for use
- How AI tools are used in business processes
- Any AI systems that process employee data
Customization guidance
If you use AI chatbots for customer service, specify exactly how they are disclosed. If you do not use client-facing AI, you may simplify this section. Consider whether your industry has specific transparency expectations.
Section 8: Monitoring and Review
This policy and the AI tools inventory are reviewed [annually / semi-annually] or when significant changes occur.
Triggers for review
- Significant changes to EU AI Act requirements or guidance
- Adoption of new AI tools or significant changes to existing tools
- AI-related incidents or near-misses
- Changes to business operations affecting AI use
Responsibility
This policy is maintained by [designated person or role].
Version history
| Version | Date | Changes |
|---|---|---|
| 1.0 | [Date] | Initial policy |
Customization guidance
Set a realistic review cadence. Annual review is typically sufficient for most SMBs. Designate who owns the policy. Maintain version history as you update the document.
Next steps
- Copy the template: Use the sections above as a starting point
- Inventory your AI tools: List every AI tool and AI feature your organization uses
- Customize each section: Replace placeholder text with your organization's specifics
- Review with stakeholders: Share the draft with relevant colleagues for input
- Publish internally: Make the policy available to all staff
- Train staff: Ensure staff understand the policy and their responsibilities
- Schedule review: Set a calendar reminder for periodic policy review
See Mue's governance in action
This template synthesizes governance principles that Mue applies to its own operations. You can inspect the reference implementation:
- Agent charters: How each AI agent is scoped and constrained
- Constraints: The 40+ rules the site must satisfy
- Audit log: Weekly compliance checks and violation tracking
- Autonomous governance: How the constraint-audit-fix loop works
- AI transparency: Disclosure of all AI systems in use
Related resources
- EU AI Act Deployer Guide for Belgian SMBs: Detailed guidance on deployer obligations
- EU AI Act Compliance Self-Assessment: Interactive tool to assess your compliance status
- Trust and Transparency: How agent.mue.app builds trust through verifiable operations
This template provides general guidance for AI governance. It does not constitute legal advice. Consult qualified legal counsel for compliance decisions specific to your business.