The AI policy your firm wrote in March is already aging. The one your competitor's lawyer drafted last week names three specific tools. By next quarter, two of them will have changed their pricing model, the third will have shipped a feature that violates the policy as written, and a fourth tool nobody's heard of yet will be running quietly on three of your PMs' desktops.
Policies that name tools fail. Policies that govern decisions don't.
That's the entire move.
Write Around Decisions, Not Technology
Every six months a new model lands. Every twelve months a new platform reshapes a workflow. The decisions your firm has to make about scope, price, schedule, and safety don't change at the same speed.
Anchor your policy to the decisions, not the technology underneath them. Define what AI can support. Define what requires a human owner. Define what AI must never make alone.
A serviceable example, written for a construction firm: AI may draft proposal language, communications, summaries, and internal documentation. Humans must approve any output that creates contractual, financial, or safety exposure before it leaves the firm. AI may not independently commit the firm to scope, price, or contract terms.
That language outlives every model release between now and 2030.
Separate Automation From Authority
Two different things. AI executes. Humans hold authority.
AI can prepare. Analyze. Suggest. Draft. Flag. None of those are the same as approve, certify, sign, or finalize. The policy should say this in plain language. Not legal theory—working language. A first-year PE should be able to read it once and know what the rule is.
If the policy reads like a CLE outline, nobody will follow it.
Risk Tier the Work
Vague language is the killer. "AI should be reviewed when appropriate" is not a policy. It's an opinion that creates a hundred different interpretations across the company.
Three tiers, written explicitly:
Low risk. Internal scheduling, summaries, drafts of internal notes, formatting tasks. AI can operate with minimal oversight. The PE doesn't need approval to use AI to format a meeting agenda.
Medium risk. Client-facing emails, scope descriptions, marketing language, narrative on a status report to the owner. AI drafts. A human reviews before it goes out. The reviewer is named—not "the team."
High risk. Contracts. Pricing. Safety documentation. Regulatory submissions. Anything that creates a binding commitment. AI may assist. A qualified human owns the work end-to-end and signs.
This framework scales as the technology improves. The tiers don't change. What gets shifted between tiers might.
Govern the Data, Not the Prompts
Policies that try to micromanage prompts fail in week three. The PE writes a useful prompt. It's not in the approved list. They use it anyway. Now the policy is dead.
What matters is data. What's allowed in. Where outputs can live. Who validates.
A workable rule set: confidential client data does not go into public consumer AI tools. Pricing, drawings, and contract documents only go into company-approved environments. Humans remain responsible for accuracy regardless of AI involvement. Anything labeled confidential by an owner stays out of any AI tool unless the contract explicitly permits it.
That covers 95% of the actual exposure.
Make It Model-Agnostic
The worst phrase in any AI policy: "Employees may use [specific product, specific version]."
Better phrasing: "AI systems used by the firm must support auditability, role-based access controls, and human review before external delivery." That sentence does not care whether it's Copilot, ChatGPT Enterprise, Claude, an Azure OpenAI deployment, or whatever ships next month.
Model-agnostic language buys time. It also prevents the political fight about which vendor's product gets the official stamp.
Assign Ownership
A policy without a name attached is theater.
Three named roles, minimum: who approves new AI use cases (typically a small committee with operations, IT, and legal), who monitors misuse (operations or risk), and who updates the policy when reality shifts (a single named person, not a committee).
Operations should be in the room. The mistake firms make is letting Legal write the policy alone. Legal will protect the firm. Legal will not understand why the daily report automation is worth keeping.
The Evolution Clause
The most useful sentence to write into the policy itself:
"This policy governs outcomes and responsibilities, not specific tools, and will be reviewed quarterly as AI capabilities evolve."
That single line buys you flexibility, credibility with employees, and the ability to update without a full rewrite.
The Working Test
A good AI policy doesn't slow AI down. It doesn't try to control every prompt. It clarifies who is responsible, what requires human judgment, and where authority sits.
Write for the decisions, not the software. The policy survives. The firm doesn't end up rewriting it four times in eighteen months because somebody released a new model.
