# Policy and Controls Starter Kit

## Purpose

This kit helps organizations move from vague concern to first-version control design.

## Components

### Acceptable Use Policy starter points

- define approved tool categories
- define prohibited uses
- define restricted data categories
- define output review requirements
- define escalation path
- define exception approval process

### Minimum control set

- owner named
- approved tool list maintained
- restricted data list published
- human review required for external or consequential use
- incidents documented
- training completed for AI users
- periodic review scheduled

## Signs your current controls are too weak

- the approved tool list does not exist
- policy does not mention data classes
- managers cannot explain the review requirement
- incidents would be handled ad hoc
- exceptions are common and undocumented