AI Strategy & Policy
Section 0

Executive summary

General information and purpose of this AI strategy & policy document.

Section 1

AI system inventory

Central register of all AI tools deployed or planned within the organisation.

AI system / tool | Purpose / use case | Department | Risk class | Data processed | Owner | Status
Section 2

Risk classification methodology

Decision framework for classifying AI systems under the EU AI Act risk tiers.

Classification decision tree
1. Does the AI system perform any prohibited practice? Yes → Prohibited; No → Continue
2. Is the AI system used in an Annex III high-risk domain? Yes → High-risk; No → Continue
3. Does the AI system interact directly with natural persons? Yes → Limited risk; No → Minimal risk
Annex III high-risk domains
AI systems in these domains are classified as high-risk under the EU AI Act.
Biometric identification & categorisation
Critical infrastructure management
Education & vocational training
Employment & worker management
Essential private & public services
Law enforcement
Migration, asylum & border control
Administration of justice & democracy
Additional classification criteria
Section 3

Prohibited AI practices

Practices explicitly banned under the EU AI Act. Confirm your organisation does not engage in any.

Confirmation statement
Section 4

AI literacy programme

Structured training to ensure all staff understand AI capabilities, limitations, and obligations.

Legally required since Feb 2025
Training calendar
Audience | Q1 | Q2 | Q3 | Q4
Additional literacy requirements
Section 5

Transparency obligations

How the organisation ensures users and stakeholders are informed about AI use.

Template disclosure text
Transparency notice placement
Section 6

Human oversight requirements

Decision matrix defining where and how human oversight applies to AI-assisted processes.

Decision type | AI involvement | Human oversight | Escalation path
General human oversight policy
Section 7

Data governance & GDPR alignment

How AI data processing aligns with GDPR and the organisation's data governance framework.

Data processing locations
Data retention
Cross-border transfers: No
Data Protection Impact Assessment (DPIA)
Data minimisation
Related documents: Privacy policy, DPIA report, Data processing agreement
Section 8

Incident reporting procedures

Structured response process for AI-related incidents, from detection through resolution.

Incident response workflow
Severity definitions
Critical: AI system causes harm, data breach, or discriminatory outcome
High: AI system produces significantly incorrect output affecting decisions
Medium: AI system underperformance, user complaints
Low: Minor issues, cosmetic errors
Key contacts
External reporting obligations
Section 9

Monitoring & audit cadence

Scheduled activities to ensure ongoing compliance and system performance.

Activity | Frequency | Responsible | Method
Monitoring tools and dashboards
Audit trail requirements
Section 10

Accountability structure

RACI matrix and role definitions for AI governance within the organisation.

RACI matrix
Area | Board / Exec | AI Gov Owner | Dept Heads | Tech Lead | DPO | End Users
Key role definitions
Section 11

Document approval

Version history, sign-off, and next review date.

Version history
Version | Date | Author | Changes
1.0 |  | Digital Bricks | Initial draft
Approval signatories
CEO / Managing Director
AI Governance Owner
Data Protection Officer