The organization's top management should establish an AI policy that is appropriate for the organization's purpose and the nature of its AI systems. This policy should provide a framework for setting AI objectives and include commitments to fulfill applicable AI-related requirements (e.g., legal, regulatory, ethical) and to continually improve the AI management system. The policy should be documented, maintained, and made available to all relevant personnel within the organization. Where appropriate, it should also be accessible to other interested parties and refer to other relevant organizational policies.

The organization must formally define and document its internal processes that govern the responsible use of AI systems by its personnel.

The purpose of these documented processes is to provide clear, actionable rules and guidance to ensure that all use of AI within the organization is ethical, safe, and aligned with legal requirements and organizational policies.

These processes should specify, for example:

• How to ensure the AI system is only used for its intended purpose as described in the user documentation.
• Rules for handling input and output data, especially personal or sensitive information.
• The procedures for human oversight, intervention, and decision verification that operators must follow.
• Steps for identifying and reporting unexpected behavior, incidents, or potential misuse of the system.