Risk & compliance · AI playbook 03

AI Policy Review

A controlled first-pass comparison workflow that helps qualified teams locate possible gaps, inconsistencies, and review questions in policy documents.

The outcome

A preliminary issue log with source citations and clearly labeled uncertainty, ready for review by the appropriate legal, compliance, privacy, security, or subject-matter professional.

01 · Workflow

Use AI to prepare review—not provide approval.

The reference framework must be current, authorized, and selected by a qualified person. AI should never be represented as counsel, an auditor, or the final policy approver.

01 · Scope: Define the policy, framework, jurisdiction, owner, and review question.

02 · Map: Connect policy passages to relevant framework provisions.

03 · Flag: Identify omissions, ambiguity, contradictions, and stale references.

04 · Escalate: Qualified reviewers assess every flag and determine remediation.

02 · Prompt example

Explicit limits produce safer outputs.

The prompt asks for review questions, not unsupported declarations of compliance.

Comparison prompt · Policy issue finder

Compare the supplied policy only against the supplied reference. Identify passages that may warrant expert review. For each, provide the policy citation, reference citation, reason for review, and uncertainty. Do not state that the policy is compliant or noncompliant.

Expert review · Required checks

  • Confirm the reference is current and applicable
  • Verify every policy and framework citation
  • Discard interpretations outside the stated scope
  • Assign each issue to a qualified owner

03 · Example output

An issue log, not a legal conclusion.

Review question                                          | Source basis                               | Status
---------------------------------------------------------|--------------------------------------------|----------------------------
Is the named owner still the accountable role?           | Policy §2.1; org model changed             | Owner verification needed
Does the retention period match the approved schedule?   | Policy §6; schedule reference supplied     | Expert comparison needed
Is the exception process sufficiently defined?           | Policy §8 contains no approval path        | Drafting review needed

04 · Guardrails

Designed around escalation.

01 · No legal conclusions: Outputs are review aids and must not be described as legal or regulatory advice.

02 · Current references: A qualified owner confirms applicability and version before analysis begins.

03 · Mandatory expert review: No flagged issue is accepted, rejected, or remediated solely on model output.
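As an added example that is not part of this playbook: a small Python check a team could run on a model-produced issue log before it reaches the expert-review step, enforcing the comparison prompt's rules (every entry carries citations, a reason and a labeled uncertainty; no compliance verdicts; citations only into the supplied reference) and the routing statuses from the example output. The field names, the verdict word list and the reference id REF-A are assumptions.

```python
import re

# Fields the comparison prompt requires for every flagged passage (field names assumed).
REQUIRED_FIELDS = ("policy_citation", "reference_citation", "reason", "uncertainty")
# Every status must hand the item to a person; these are the statuses from the example output.
REVIEW_STATUSES = {"Owner verification needed", "Expert comparison needed", "Drafting review needed"}
# Conclusory wording the prompt forbids; the word list is an assumption, extend it per team.
VERDICT = re.compile(r"\b(non-?compliant|compliant|meets|violates|satisfies|breaches)\b", re.I)


def check_issue(issue: dict, reference_id: str) -> list[str]:
    """Return the guardrail violations for one issue-log entry (empty list = may be queued)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if not str(issue.get(field, "")).strip():
            problems.append(f"missing {field}")
    narrative = f"{issue.get('question', '')} {issue.get('reason', '')}"
    if VERDICT.search(narrative):
        problems.append("states a compliance verdict instead of a review question")
    if issue.get("status") not in REVIEW_STATUSES:
        problems.append("status does not route the item to a qualified reviewer")
    if not str(issue.get("reference_citation", "")).startswith(reference_id):
        problems.append("cites a reference outside the supplied framework")
    return problems


def triage(issues: list[dict], reference_id: str) -> tuple[list[dict], list[tuple[dict, list[str]]]]:
    """Split a model-produced log into entries a reviewer may see and entries sent back with reasons."""
    accepted, rejected = [], []
    for issue in issues:
        problems = check_issue(issue, reference_id)
        if problems:
            rejected.append((issue, problems))
        else:
            accepted.append(issue)
    return accepted, rejected


# Constructed sample log; "REF-A" stands in for the reviewer-selected framework.
SAMPLE_LOG = [
    {"question": "Does the retention period match the approved schedule?",
     "policy_citation": "Policy §6", "reference_citation": "REF-A §4.2",
     "reason": "Policy states 5 years; reference cites the schedule without a period.",
     "uncertainty": "medium", "status": "Expert comparison needed"},
    {"question": "Is the exception process sufficiently defined?",
     "policy_citation": "Policy §8", "reference_citation": "REF-A §7",
     "reason": "Section 8 is noncompliant because it has no approval path.",
     "uncertainty": "low", "status": "Drafting review needed"},
    {"question": "Is the named owner still the accountable role?",
     "policy_citation": "Policy §2.1", "reference_citation": "OTHER-FW §1",
     "reason": "Org model changed since last approval.", "uncertainty": "",
     "status": "Owner verification needed"},
]
```

Running `triage(SAMPLE_LOG, "REF-A")` queues only the retention entry; the other two go back to the model step with their reasons, so a reviewer never sees a verdict or an out-of-scope citation.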

Illustrative concept content only and not legal, regulatory, compliance, privacy, security, or audit advice.