An AI usage policy is the document that turns good intentions about AI into an enforceable standard. In a finance function it is the finance leader’s responsibility to author and own it — not to delegate to IT, and not to leave to whoever happens to be using the tools. This guide sets out how a CFO or Finance Director writes a policy that is short enough to be used and firm enough to matter, and — increasingly the point — one the firm can evidence in operation.
It is written for the finance leader setting the rules, not the team member following them. It covers why the finance leader owns this; what a workable policy contains; why the data rule is the heart of it; how the policy connects to accountability and evidence; and how to keep it alive as tools change. Where a regulated firm is involved, the policy stops being an internal nicety and becomes part of the evidence the firm relies on to show its AI use is governed.
Why the finance leader owns this
AI use in finance carries risks specific to finance: the integrity of the numbers, the confidentiality of financial and personal data, and the accountability that attaches to signed-off work. A generic, company-wide AI policy rarely addresses these well because it is not written by someone who understands them. The finance leader is that person, and so is the natural owner of the finance function’s policy — even where it sits beneath a broader company framework. Across UK businesses, the governance pattern that emerges is consistent: an AI register, a written policy, and a single named accountable owner. In a regulated firm that owner is a senior management function holder; in finance, it is usually the CFO or FD.
What a finance AI usage policy must contain
A usable policy is short — a page or two people actually read, not a document that sits unopened. The content that matters:
- Permitted use. What AI may be used for in the finance function, stated plainly, and what it may not.
- Data rules. What financial or personal data may and may not be entered into AI tools. This is the single most important clause and the most common source of exposure.
- Approved tools. Which tools are sanctioned, and the rule that unsanctioned tools — including consumer AI accounts — are not used on finance data.
- Human review. Where a human check is mandatory before AI-assisted work is used or relied upon, especially anything feeding the numbers, the board or a customer outcome.
- Accountability and escalation. Who owns AI use in the function, and how concerns are raised.
- Evidence. How use, review and overrides are recorded — because a policy that cannot be evidenced in operation is, to a regulator or auditor, close to no policy at all.
The data rule is the heart of it
If a policy achieves only one thing, it should be to stop confidential financial and personal data being entered into tools with no proper data-handling guarantees. Free or consumer AI accounts typically give little control over how data is stored, secured or reused — a confidentiality exposure the finance leader must close. The FCA has been explicit that general-purpose tools such as consumer large language models are not set up to assist with regulated financial decisions and are not designed for that purpose. The policy should be unambiguous: finance data goes only into approved tools with appropriate safeguards, and general-purpose consumer tools are not used on confidential information.
Connecting the policy to accountability and evidence
A usage policy does not stand alone. It is the operational layer beneath board-level oversight and, in regulated firms, senior-manager accountability. The board relies on the policy existing and being enforced; the senior manager relies on it as part of the reasonable steps they can evidence. Auditors, increasingly, expect to see the policy backed by records — a documented inventory of AI tools, validation evidence, change logs and records of human review and override. Writing the policy is the start; being able to show it operates is what gives it weight.
A note on scope creep
Policies fail when they are written for one use case and silently outgrown. As AI tools proliferate — and as agentic tools begin to act rather than merely draft — a policy written for last year’s chatbot may not cover this year’s autonomous workflow. The finance leader should make new use cases pass through the policy before they go live, rather than discovering them after the fact.
A worked example: the one-page finance AI policy, clause by clause
It helps to see what a workable policy actually looks like in outline. The following is not a template to copy blindly — every firm’s risk appetite and tool set differ — but it shows the shape of a policy a finance team would actually read and a board would recognise as adequate.
Clause 1 — Purpose and scope
One short paragraph: this policy governs the use of AI tools within the finance function, applies to everyone in the team, and exists to let us capture the benefits of AI while protecting the integrity of our numbers and the confidentiality of our data. Naming the two goals up front sets the tone: this is about enabling AI safely, not banning it.
Clause 2 — Approved tools
A named list of the AI tools the finance function is permitted to use, with the rule that only these tools may be used on finance data, and that new tools must be approved by the policy owner before use. This is where the consumer-account risk is closed — if a tool is not on the list, finance data does not go into it.
Clause 3 — Data rules
The heart of the policy. What may be entered into approved tools, and what may never be — typically ruling out anything personally identifying, price-sensitive, or client-confidential unless the tool has been specifically cleared for it. If a member of the team is unsure whether data is in scope, the rule is to ask the owner, not to guess.
Clause 4 — Human review
Where a human must check AI output before it is relied upon: anything that feeds the management accounts, the board pack, a regulatory return, an investor communication or a customer outcome. AI drafts; a person owns. The clause should be specific about which outputs are never used without review.
Clause 5 — Accountability and reporting
Who owns AI use in the function, how concerns or incidents are raised, and the commitment that use is recorded so it can be evidenced. In a regulated firm this clause connects the policy to the relevant senior management function.
Five clauses, a page or two, written in plain language. A policy of this shape is enforceable, evidenced and understood — which is worth more than a twenty-page document nobody in the team has read.
Keeping the policy alive
A policy written once and forgotten fails. The finance leader should review it as tools and use cases change, and ensure new use cases are checked against it before deployment. This does not need a heavy process — a named owner and a periodic review is enough — but it must be deliberate. In regulated firms the standard is higher, because the policy becomes part of the defensible governance record the firm may need to produce. The direction of regulatory travel — toward evidence, explainability and human oversight — means a living, evidenced policy is a firmer foundation than a static one.
What owning the policy says about a finance leader
A CFO or FD who can author and own a policy like this — short, enforceable, evidenced, and connected to the wider governance framework — is demonstrating exactly the capability AI adoption now requires. It is a concrete, assessable competence, not a buzzword, and it is one FD Capital looks for when placing senior finance leaders into businesses that are adopting AI.
Call 020 3287 9501 or email recruitment@fdcapital.co.uk to discuss a senior finance appointment where AI governance capability is part of the brief.
FD Capital — CFO and Finance Director Recruitment
Fellow of the ICAEW | Placing finance leaders who can build and own the governance a modern finance function needs, since 2018. We recruit permanent, interim and fractional finance leaders across the UK. 4,600+ network. 160+ placements. Shortlists in 3–7 working days.
Related reading and services
The governance layer the policy underpins.
The data decisions behind the policy’s core rule.
How the policy supports regulatory accountability.
Place a finance leader who can own the policy.
About the author. Adrian Lawrence FCA is the founder of FD Capital Recruitment and a Fellow of the Institute of Chartered Accountants in England and Wales. Adrian holds a BSc from Queen Mary College, University of London and an ICAEW practising certificate in his own name. Before founding FD Capital in 2018 he worked across private, listed, owner-managed and PE-backed businesses, including CFO-level roles. That direct operating experience informs how FD Capital assesses senior finance candidates and briefs clients on what to look for in an appointment. Adrian personally leads every senior finance mandate FD Capital accepts and conducts candidate interviews himself for senior appointments.
Verify ICAEW membership → | FD Capital Recruitment Ltd, Companies House no. 13329383, operated by an ICAEW-registered practice.
This guide is general information for finance leaders and does not constitute legal, regulatory or professional advice. Firms should take their own advice on their specific circumstances. Regulatory positions described are current as at mid-2026 and are developing; readers should check the FCA’s latest publications.




