AI policy

Worked example · fictional company (Vesta Mutual Insurance AS) · free PDF · CC BY 4.0

A policy earns its place when it tells a specific person what they may and may not do, and names who answers for it. This one runs to twelve sections, but two lines do the heaviest work.

First, the prohibited uses. The AI Act bans a short list of practices outright, and two of them are still being sold to companies like Vesta: emotion recognition in the workplace (pitched for interviews and call-centre coaching) and social scoring. The policy names them so nobody buys one by accident. It then adds company-prohibited uses that go beyond the law: client personal data in unsanctioned tools, customer messages sent without a human reading them, and any fully automated claim denial.

Second, the line between confident use and quiet risk. Staff get four sanctioned generative-AI tools and three duties: verify output before you rely on it, keep client data out of unapproved tools, and disclose AI assistance where a recipient would expect to know. Unsanctioned tools go through intake, never straight into use. Around that sit the parts an auditor checks: a named owner for every system, the Article 26 checklist for the two high-risk models, transparency duties for the chatbot, six procurement questions for AI vendors, and the Article 4 literacy record. The policy treats that training record as an audit artifact in its own right: who was trained, on what, when, and by whom.

Legal references: EU AI Act Article 5 (prohibited practices) · Article 50 (transparency) · Article 4 (AI literacy).

What's inside

  • Purpose, scope, and the five governing principles
  • Governance roles, from the board sponsor to the works-council interface
  • Classification and intake, screened against the Article 5 prohibited list
  • Prohibited uses: the Article 5 bans plus company-specific red lines
  • Rules for high-risk systems (Article 26 deployer and Article 16 provider duties)
  • Generative-AI acceptable use, transparency duties, and AI procurement questions
  • AI literacy (Article 4), incidents, exceptions, and framework mapping

Worked example for portfolio and training purposes. Vesta Mutual Insurance AS is a fictional company; all data, metrics, and names are invented. Prepared by Erik Bernath, Furioso AI Consulting OÜ. Licensed CC BY 4.0: reuse freely with attribution. Informational, not legal advice.

Need this documented for your own company before August 2?

That's what the literacy and governance workshop produces: your own governance documents and the training record behind them.