Your AI Policy Is Built on Sand. Here Are 20 Questions That Fix It.

Leaders proudly hand me their AI policy. I read it. I ask the obvious next question.

“What is this built on?”

The room goes quiet, sometimes there’s a shrug, and once, memorably, I got a slow blink and the answer, “The legal team wrote it.”

Cool. So your AI policy is built on legal’s anxiety. That’s going to hold up beautifully the first time someone on your team needs to make a real decision on a Tuesday afternoon. (Spoiler: it won’t. It’ll bend faster than a paper straw in a hot coffee.)

This is the gap I see in almost every organization right now. Companies have raced to put an AI policy in place, which is good. They’ve put almost no time into the principles underneath it, which is the problem. And it shows up in the way teams use AI, the decisions they avoid, and the workarounds that quietly multiply behind the scenes.

The 3 Ps, in the order they actually work

The AI 3 Ps go in a specific order. Principles, then Policies, then Playbooks.

Principles are what you believe. Policies are what you require. Playbooks are how you operationalize both. Most companies skipped straight to the middle one because legal asked or HR pushed, and now they’re trying to write playbooks against a policy that was never anchored to a belief system in the first place. (Which is a bit like trying to decorate a house before anyone’s poured the foundation. Lovely curtains. No walls.)

The data is messier than the headlines suggest. According to a recent McKinsey article on AI board governance, most companies have drafted something labeled “principles” or “ethics statements,” but fewer than 25% have a board-approved structured AI policy. So technically the principles came first … in name. In practice, they were drafted to satisfy a compliance checklist, parked in a document nobody reads, and never actually used to guide decisions. Then the policy got written without them. (The work of writing something is not the same as the work of meaning it. Ask anyone who has ever produced a mission statement at an offsite.)

Policies aren’t lifting your team. Principles can.

Let’s be honest about what most AI policies actually do. They live in SharePoint, buried three folders deep, next to the flyer for the 2019 holiday party, the parking lot rules from a building you no longer occupy, and a PDF called “Final FINAL v3 USE THIS ONE.” Nobody finds them until something has gone wrong, at which point they get pulled out and read like scripture in a disciplinary meeting.

When they do come out of the cupboard, AI policies tend to get used to beat someone down for what they did, not to lift the team up toward what they could do. They’re written in defensive language, designed to protect the organization from its own people. (Which is a vibe.)

Principles do the opposite. A good set of AI principles is visible, repeatable, and on your team’s side. They live in the language of the company, not the file system. They give people permission rather than restriction. They tell your team what you stand for, not just what you’re scared of.

Think of your AI principles as your AI vision statement. Short. Quotable. Inspiring. Clarifying. Caring. The kind of thing a new hire absorbs in the first week, a leader reaches for in a tough meeting, and a customer would be happy to read if you posted it on your website.

Principles are the AI vision for your company. Policies are the fine print. Guess which one your team will actually remember.

What an actual AI principle sounds like

Here are the eight principles my own company runs on. Borrow them if they fit. Steal them outright if you want. I’m sharing them in the hope they’re useful to you, not because you need to invent something completely original from scratch with a whiteboard and a stack of Post-it notes:

• AI handles the mechanical. We do the meaningful.
• If we can’t explain it, we can’t delegate it to AI.
• We use AI when it raises the bar, not when it lowers it.
• We are the strategy. AI is the execution.
• AI does the work. We are accountable for it.
• We are honest about how we use AI.
• Ordinary is our enemy. We use AI to sound more like us, not like everyone else.
• We own judgment, creativity and connection.

The lovely thing about principles is that they guide, they don’t define. Even if your company adopted my exact list word for word, your business would still look completely different from mine. The principles set the direction. The decisions, the people, the customers, and the work bring them to life in ways that are entirely yours. (Same recipe, different kitchen, different cook. Trust me, the casserole will not turn out identical.)

Notice what they are. They’re short enough to quote in a meeting, clear enough that a new team member could absorb them in five minutes, inspiring enough to set direction, and caring enough to put people, not policies, at the center. They tell my team what we’re building toward, not just what we’re avoiding.

And yes, they also work as decision lenses. Every one of them helps someone on my team say no to something on a Tuesday afternoon. That’s the bonus. The bigger job they do is point everyone in the same direction in a way that feels lifting rather than limiting.

The 20 questions that actually unlock your principles

Most companies sit down to “write the principles,” stare at a blank document, and three hours later have something that sounds vaguely like a press release nobody asked for, which is useless.

Working principles come out of working questions. Below are twenty I use with leadership teams. Some are big and philosophical, some are small and tactical, all of them are designed to surface what you actually believe rather than what you think you should say.

Before you start, do one thing. If you already have an AI policy, set it aside for the next hour. Don’t peek at it. Pretend you’ve never seen it. We’ll come back to it shortly, and the comparison will be a lot more useful if you haven’t been sneaking sideways glances. (Yes, I see you scrolling up to find the link. Don’t.)

What AI is actually for in our work

• What is AI for in our business? Speed, quality, capacity, distinction, or something else entirely?
• If AI saved every person on our team ten hours a week, what would we do with that time?
• What would we never use AI for, even if it could technically do the job well?
• Are we using AI to raise our bar, or to lower the cost of staying at the same bar?
• What does “great work” look like here, and does AI help us produce it or dilute it?

Where the human stays

• Where does our customer expect a human, and how do we actually know?
• What decisions in our business can only a human make?
• What’s the difference, in our work, between AI doing the task and AI doing the thinking?
• When AI gets something wrong, who owns the consequence?
• If we removed every human touchpoint, what would our customers actually lose?

What kind of company we want to be

The questions in this cluster are the ones leadership teams squirm through the most. (Squirming is good. It means you’ve found something honest.)

• If our customer saw exactly how we used AI in their work, would we be proud of it … or quietly hope they didn’t notice?
• What does “ordinary” look like in our industry right now, and are we drifting toward it or away from it?
• Are we honest with our customers and our team about how AI shows up in our work?
• What do we want our people to feel when they use AI? Permission, pressure, fear, curiosity, something else?
• Whose voice do we want our outputs to sound like? Ours, or AI’s?

How we know it’s working

• How will we measure whether AI is making us better, not just faster?
• What would we have to see for us to deliberately scale back our AI use somewhere?
• Who in our business gets to say “stop” and have it actually mean something?
• What would we be comfortable telling our team about every AI tool we use?
• What’s the cost of getting this wrong, and who pays it?

You don’t need to answer all twenty. Pick ten. Ten honest answers will give you more clarity than three hours of corporate brainstorming with sticky notes, a flip chart, and a facilitator named Brad.

Now go back to your policy

Once you’ve worked through the questions and drafted your principles, the next step is the diagnostic. Pull your AI policy back out and read it through the lens of what you just wrote.

Look for three things. Does the policy line up with what you said you believe, or does it counteract it? Are there rules in there nobody can explain the reason for? (Usually yes. Usually copy-pasted from a template called “AI Policy Template v2.docx.”) And are there things you said you believed in the questions that don’t appear anywhere in the policy?

Most leaders find at least one contradiction. Some find a lot. (One client found their policy explicitly banned a workflow they’d just publicly announced as a product. Awkward.) That’s not a failure, it’s a finding, and it’s the most valuable thing this exercise will produce. You now know exactly where your policy needs to be rewritten, expanded, or quietly retired. There is no shame in retiring a policy that was never doing the job. Better than pretending it was.

A policy your team would describe as “buried in SharePoint” is a policy your team is quietly ignoring. Principles change that.

Why your team will thank you for doing this

The part most leaders miss when they look at this exercise and groan is that this work isn’t another item on the AI to-do list. It’s the thing that changes how your team feels about AI in the first place.

When your principles are clear and visible, your people stop second-guessing every use of AI. They stop hiding their AI work in incognito tabs, like they’re up to something illegal. They start using AI with intention instead of guilt. And when they hit a grey area, they have something to reach for that sounds like you rather than something to fear that sounds like legal.

The functional benefits follow naturally. Saying no to a vendor pitch gets faster, because you point to the principle rather than your gut. Onboarding a new hire becomes easier, because they absorb the lens rather than memorize the fence. Updating your policy when the world shifts becomes simpler, because the principles stay stable even when the rules need to change.

Five to ten principles is the sweet spot. Fewer than five and you’ve left too much unsaid. More than ten and nobody will remember them, which means nobody will use them. Aim for the number your team can recall in conversation, not the number that looks impressive on a slide deck nobody asked for.

And yes, this applies whether you lead a billion-dollar enterprise or a five-person consultancy. The math is exactly the same. Small investment now, compounding clarity forever.

The foundation everything else gets built on

There’s a reason I keep coming back to this work with leadership teams, and it’s not because principles are fashionable. It’s because principles are the slab.

You can’t build a second story on sand. (People have tried. The houses fall down. It’s a whole thing.) Every organization I work with that’s getting somewhere genuinely interesting with AI has a clear, visible, lived set of principles underneath everything else. They built the foundation first. That’s what made it possible to redesign their work in real ways, extend into new spaces, and lead the build with confidence rather than anxiety.

Your AI policy is not your foundation. Your AI tools are not your foundation. Your principles are. Everything you do above the floor depends on whether you’ve done this layer well.

Your homework

• Block sixty minutes. With your leadership team if you have one. With a notebook and coffee if you don’t.
• Pick ten of the twenty questions and answer them honestly, especially the uncomfortable ones.
• Turn what you find into 5 to 10 short principles your team could remember without looking, then pull your policy back out and see what lines up.

If you want help running this with your leadership team, that’s exactly the kind of work I do with organizations. Drop me a note and we’ll talk about whether it’s the right fit.