Policy Refresh
Keeping AI governance policies current as technology, regulation, and your organization evolve.
Why Refresh
AI technology moves fast. Policies written for traditional ML may not cover generative AI. Regulations are evolving (EU AI Act timelines, US executive orders, sector-specific rules). The organization itself changes: new business lines, new geographies, new risk appetite. A policy that is not refreshed becomes an irrelevant artifact.
Refresh Triggers
Refresh policies when:
- Scheduled: Annual review at minimum
- Regulatory change: New law, regulation, or enforcement action relevant to AI
- Technology change: Adoption of a new AI capability (e.g., agentic AI, multimodal systems)
- Incident: A significant incident reveals a policy gap
- Organizational change: Merger, new business line, new geography, leadership change
- Feedback: Champions or teams report that a policy is unclear, impractical, or missing
What to Review
| Artifact | Review Frequency |
|---|---|
| Charter | Annually |
| Principles | Annually (or when values/strategy change) |
| Risk tiering criteria | Every 6 months |
| Intake and review templates | Every 6 months |
| Pre-approved patterns list | Quarterly |
| Security review checklist | Every 6 months (or on new threat emergence) |
| Training materials | Annually |
Refresh Process
- Chair flags the review: puts it on the council agenda
- Owner drafts updates: the artifact owner (e.g., security lead for security checklist) proposes changes
- Council reviews: discusses and approves changes
- Communicate: updated artifacts are published and champions are briefed
- Archive: previous version is archived with a change log