AI assistant — not human

EPC Group 10-Section AI Policy Framework + approved tools + BYOAI enforcement + human-in-the-loop + incident reporting + board oversight.
Last updated July 7, 2026 by Errin O'Connor, Founder & Chief AI Architect, EPC Group
EPC Group 10-Section Enterprise AI Policy Template: purpose+scope, approved tools (Copilot + Copilot Studio + Azure AI Foundry + selective third-party), prohibited tools (consumer AI + unvetted extensions + unapproved writing tools), data governance (labels + DLP + retention), human-in-the-loop (customer-facing + regulated + employment + safety-critical + public statements), prompt engineering standards, incident reporting (6-tier), training + certification, compliance mapping (HIPAA + SOC 2 + FedRAMP + EU AI Act), review + update cadence (annual full review + quarterly amendments). Enforcement via Purview Cloud App Discovery + endpoint DLP + network filtering. EPC Group tiers: AI Policy Design $20K/3wk + Policy Implementation $30K/4wk + Governance Retainer $5K-$10K/mo.
EPC Group 10-Section Enterprise AI Policy Template: (1) Purpose + scope — what the policy governs, who is covered. (2) Approved tools — Microsoft Copilot, Copilot Studio, Azure AI Foundry, approved third-party (ChatGPT Enterprise, Claude Enterprise if applicable). (3) Prohibited tools — consumer AI (personal ChatGPT/Claude/Gemini), unvetted browser extensions, AI writing tools with unclear data practices. (4) Data governance — sensitivity labels, DLP, retention, external sharing restrictions. (5) Human-in-the-loop requirements — where human review is required (customer-facing, safety-critical, regulated decisions). (6) Prompt engineering standards — approved prompt patterns, prohibited prompts. (7) Incident reporting — who to notify, how quickly, escalation path. (8) Training + certification — mandatory AI use training + refreshers. (9) Compliance mapping — HIPAA, SOC 2, FedRAMP, EU AI Act. (10) Review + update cadence — annual policy review + quarterly amendments.
Six categories to approve based on enterprise profile: (1) Microsoft Copilot for M365 — primary approved tool for all users. (2) Copilot Studio — for custom agents (require IT/governance approval per agent). (3) GitHub Copilot — for developers. (4) Azure OpenAI Service + Azure AI Foundry — for custom applications. (5) Selective third-party — ChatGPT Enterprise, Claude Enterprise, Grammarly Business (with DLP restrictions) if fits use case. (6) AI-augmented enterprise apps — Dynamics 365 Copilot, Salesforce Einstein, Adobe Firefly Enterprise. Every approved tool requires signed enterprise contract + BAA (if regulated) + data protection review + integration with corporate DLP + audit trail configuration.
Six prohibited categories: (1) Personal consumer AI accounts — ChatGPT/Claude/Gemini/Perplexity personal subscriptions with company data. (2) Unvetted browser extensions — AI-powered extensions not on approved list. (3) Unapproved AI writing tools — Jasper, Copy.ai, Writesonic if not enterprise-contracted. (4) AI voice/video generation — for corporate materials without contract review. (5) AI code assistants — not vetted for IP protection + code exposure. (6) AI meeting summarizers — not vetted for confidentiality. Enforcement via Purview Cloud App Discovery + endpoint DLP + network filtering. Consequences for violation: first offense coaching, second offense formal, third offense HR action.
Human-in-the-loop (HITL) is required when AI output could affect consequential outcomes. Required categories: (1) Customer-facing communications — no AI output to customers without human review. (2) Regulated content — medical advice (healthcare), legal advice (law firms), financial advice (RIAs). (3) Employment decisions — hiring, promotion, discipline. (4) Benefits eligibility — insurance claims, loan approval. (5) Safety-critical decisions — clinical, operational, security. (6) Public statements — press releases, SEC filings. HITL patterns: draft-review-approve (AI drafts, human approves), AI-assisted decision (human decides with AI recommendation), escalation triggers (AI escalates uncertain cases), random sampling (AI acts, human audits sample).
Six-tier incident reporting: (1) Suspected data leak — Copilot surfaced sensitive content to unauthorized user. Report within 4 hours to Security + AI Governance. (2) BYOAI discovery — employee using unauthorized AI with company data. Report to manager + IT within 24 hours. (3) AI hallucination causing business impact — incorrect AI output causing customer-facing error. Report to manager + AI Governance within 24 hours. (4) AI-generated content complaint — customer or employee complaint about AI-generated communication. Report to Legal + AI Governance within 24 hours. (5) Regulatory inquiry — regulator asks about AI use. Immediate escalation to General Counsel + CEO. (6) Media inquiry — media contact about AI. Immediate escalation to Communications + Legal.
Six update cadences: (1) Annual policy review — full board-approved review + refresh. (2) Quarterly amendments — regulatory changes, tool additions, incident learnings. (3) Ad-hoc for material changes — new AI tool approval, regulatory enforcement action, material AI incident. (4) Post-incident review — lessons learned incorporated into policy. (5) Regulatory refresh — when EU AI Act, NAIC AI Bulletin, state privacy law changes. (6) Contractual refresh — when major AI vendor contracts renew (Copilot EA renewal, Azure OpenAI Enterprise Agreement). Policy version-controlled + stored in Purview with retention + audit trail. All employees notified of material policy updates via email + Teams + intranet announcement.
EPC Group AI Policy delivery: (1) AI Policy Design ($20K, 3 weeks) — 10-section policy customized to your industry + regulatory profile + existing corporate policies. Includes 25-40 page written policy + implementation guide + training curriculum outline + board presentation format. (2) AI Policy Implementation ($30K, 4 weeks) — Purview policy enforcement + BYOAI Cloud App Discovery + Endpoint DLP + user training rollout. (3) AI Policy Governance Retainer ($5K-$10K/month) — quarterly review + regulatory tracking + incident support + amendments. Follow-on to Copilot Readiness Assessment + Foundation Hardening. All led by senior compliance architect with AI governance depth. Contact (888) 381-9725.
$20K/3wk customized 10-section policy + implementation guide + training. Call (888) 381-9725.
Monday-Friday, 8 AM - 7 PM CT
We respond to all inquiries within one business day