Does Your Company Need an AI Policy? A Guide for IR and Comms Teams

A few years ago, "do we have an AI policy?" was a question for the IT department. Today it lands on the desks of company secretaries, heads of investor relations and comms directors, usually right before an analyst call or a proxy season. If your company uses AI in any way that touches customers, employees or financial reporting, you probably need a public policy.

Do listed companies actually need an AI policy?

A 2026 review of the S&P 100 found that just over half of those companies disclose board-level oversight of AI. Fewer than a third disclose both board oversight and a formal AI policy. Considering the full universe of US-listed companies, only about 8% disclose any board-level oversight of AI at all, even as reported AI incidents keep climbing.

Adoption has raced ahead of governance. Almost every large company is now using AI somewhere. Far fewer can show how they govern it. 

Why stakeholders are asking about AI governance

As the use of AI grows rapidly, stakeholders from investors to regulators are stepping up their scrutiny of it. In the United States, the SEC's Investor Advisory Committee recommended in late 2025 that companies define what they mean by AI and explain how their boards oversee it. On top of that, AI questions have been appearing across ESG rating agencies.

If your company takes part in the S&P Global Corporate Sustainability Assessment (the questionnaire behind the Dow Jones Sustainability Indices and the S&P Global ESG Scores), AI governance is now part of the assessment. 

For the 2026 cycle, S&P added a dedicated Responsible Artificial Intelligence criterion, split into two scored questions — a Responsible Artificial Intelligence Policy question and a Responsible Artificial Intelligence Program question — so your answers now feed directly into your ESG score. Questions you may see: 

  • Do you have a public policy or commitment on responsible AI, endorsed by the board or executive management? As with other CSA questions, the evidence has to sit in the public domain (the handbook requires listed companies to provide links to public reports or corporate websites), not an internal memo.
  • What does that policy actually cover? The assessment looks for specific commitments, such as addressing data privacy and cybersecurity, keeping a human involved in "critical" decisions, ensuring transparency about when and how AI generates an outcome, and ruling out AI that behaves in an exploitative or manipulative way.
  • Do you run a responsible AI programme to put the policy into practice, and is your AI management system assured by an independent third party? (S&P routinely awards extra credit for third-party assurance and for publicly available evidence.)
  • Do you track the financial side of AI — investment, revenue gains, cost savings and return on AI investment over recent fiscal years?

You can see these questions in context in S&P's CSA Methodology Handbook.

What a credible AI policy looks like

Plenty of listed companies, across sectors and markets, have already published policies about AI, and the list is growing rapidly. Below is a set of examples to consider; we recommend using them as a starting point:

  • Microsoft sets out its Responsible AI principles and approach around fairness, reliability and safety, privacy and security, inclusiveness, transparency and accountability, supported by a wider Responsible AI hub.
  • Alphabet (Google) publishes its AI Principles, covering bold innovation, responsible development and a commitment to human oversight, with annual progress reporting.
  • IBM anchors its approach in Principles for Trust and Transparency and a wider Responsible AI framework, backed by a long-standing Responsible Technology Board.
  • Salesforce publishes its Trusted AI Principles and a set of generative AI guidelines, overseen by its Office of Ethical and Humane Use.
  • SAP bases its AI ethics policy on the UNESCO Recommendation on the Ethics of AI and runs it through a dedicated AI Ethics Office across ethics, security and compliance.
  • Mastercard has run a responsible AI governance programme since 2019, evaluating every AI system it builds or buys for fairness, efficacy and transparency.
  • Telefónica was one of the first companies anywhere to adopt ethical AI principles, back in 2018, and added a formal AI governance model in 2023 that reaches its suppliers and partners.
  • Orange adopted a Data and AI Ethical Charter and set up an independent Data and AI Ethics Council to scrutinise its use of the technology.
  • Unilever describes its Responsible AI Principles and assurance process, including a firm rule that no decision with a major impact on a person's life is left fully to a machine.
  • Novartis publishes its commitment to the ethical and responsible use of AI, built on four principles and an AI Risk & Compliance Management Framework that mirrors the EU AI Act's risk tiers.

These policies often anchor to recognised external frameworks such as the OECD AI Principles and UNESCO's Recommendation on the Ethics of AI. They name who owns the issue internally, often a board or executive committee. And they extend the commitments down the supply chain rather than stopping at the company's own front door.

What the EU AI Act means for your company

The EU AI Act took effect on 1 August 2024 as the world's first comprehensive AI law, and most observers expect it to set the template that other regulators copy. Its rules arrive in waves rather than all at once.

Bans on "unacceptable risk" uses and new AI-literacy duties started applying in February 2025. Rules for providers of general-purpose AI models followed on 2 August 2025, with the European Commission's power to investigate and fine those providers switching on from 2 August 2026. Most obligations for high-risk systems were originally pinned to August 2026, though the "Digital Omnibus" package under negotiation through 2026 proposes pushing the deadline for certain high-risk systems back to December 2027.

Where to start

Legal and risk should map where AI is used and against which rules, from EU AI Act deployer duties to data-privacy and sector-specific law. The board should decide where oversight sits and put it in writing. Comms and IR then turn that framework into plain, public-facing language: a principles statement, a short governance description, and a line in the annual or sustainability report. For a listed company in 2026, an AI policy has quietly become part of the basic governance story investors expect to see.

Sources: EU AI Act implementation timeline; DLA Piper on the latest wave of AI Act obligations; Harvard Law School Forum on Corporate Governance: US AI Oversight Through Three Lenses; PRI on AI investment risks and opportunities; SEC Investor Advisory Committee AI disclosure recommendation (D&O Diary); S&P Global CSA Methodology Handbook – Software & Services (SOF); S&P Global CSA methodology (all industry handbooks); S&P Global CSA 2026 Responsible AI methodology document; Microsoft Responsible AI; Google AI Principles; IBM Principles for Trust and Transparency; Salesforce Trusted AI; SAP AI Ethics; Mastercard responsible AI; Telefónica AI positioning; Orange Data and AI Ethical Charter; Unilever on the EU AI Act; Novartis commitment to responsible AI.
