
EU AI Act Policy + Inventory Templates

Free starter templates aligned with Article 4 of the EU AI Act. A short policy document and a companion inventory spreadsheet for solo consultants and small practices.

14 May 2026 · 4 min read · By Sophie Kazandjian

The EU AI Act has applied to every consultancy using AI in client work since 2 February 2025. The Article 4 obligation, on AI literacy for anyone using AI on your behalf, is the easiest part of the law to meet, and the one most small practices have not yet addressed. For most small practices, a short written policy and a list of the tools you use are enough to demonstrate proportionate compliance.

Writing a policy from a blank page is the slow part. These two templates are designed to give you a working starting point, editable in Word and Excel, ready to adopt as your own.

Download 01

AI Use Policy

Word doc · 11 sections + 2 annexes · A4 · fillable

A plain-language policy covering practice details, tool inventory snapshot, permitted and not-permitted uses, client disclosure, vendor due diligence, GDPR overlap, literacy, incident response, and an acknowledgement signature block. Annexes cover high-risk obligations and the directory of national authorities.

Download the policy

Download 02

AI Tool Inventory

Excel · 10 columns · 30 blank rows + reference sheet

A companion spreadsheet for tracking each AI tool: provider, country, purpose, data inputs, EU residency, training opt-out, risk classification, last review. Three placeholder example rows show the shape. Reference sheet covers risk classifications, vendor due diligence, GDPR overlap, and the directory of national authorities.

Download the inventory

What is in the policy

The policy template is eleven numbered sections plus two annexes, designed to be readable in one sitting rather than to look like a fifty-page document. You fill in the fields for your business and have anyone using AI on your behalf sign the acknowledgement. The annexes are optional and only apply if you operate a high-risk AI tool or need to look up your national supervisory authority.

  1. Practice details. Who this policy belongs to, who is responsible for AI use, when it was last reviewed, when it is next due.
  2. Inventory snapshot. A small table for listing each AI tool, its purpose, EU residency status, training opt-out status, and risk classification. The companion spreadsheet is for ongoing maintenance.
  3. Permitted uses. What AI is used for in your practice, in your own words. Specific permissions create specific accountability.
  4. Not permitted (Article 5). The Article 5 prohibitions are listed in plain language, with space to add your own additional restrictions.
  5. Disclosure (Article 50). Transparency obligations covering chatbots, AI-generated content, and deepfakes.
  6. Vendor due diligence (Article 13). A checklist for each tool, including retention of Article 13 transparency information where the provider supplies it. Refreshed quarterly.
  7. GDPR overlap. Where the AI Act sits alongside data protection: lawful basis, records of processing, DPIAs, transparency, data subject rights, and the rule that the stricter obligation wins.
  8. Literacy (Article 4). What anyone using AI on the practice's behalf needs to understand.
  9. Incident response (Article 73). What to do if an AI tool produces a serious incorrect, harmful, or unexpected output, including the 15-day reporting requirement for high-risk system incidents.
  10. Acknowledgement. A signature block for name, role, date, and signature.
  11. Review rhythm. Quarterly, or sooner if something material changes.

Annex A: If you have a high-risk AI tool. The additional deployer duties under Articles 26 and 27 (human oversight, monitoring, log retention, employee notification, fundamental rights impact assessment), with guidance on when to seek legal advice.

Annex B: National supervisory authorities. A directory of EU member state authorities for incident reporting, vendor disputes, and general guidance, plus the UK ICO for UK-applicable matters and the European AI Office for cross-border issues.

How to use the two together

The policy is the static artefact. It states what the practice does and does not do with AI, and gets signed off by everyone who uses AI on the practice's behalf. Date it, store it, revisit it quarterly.

The inventory spreadsheet is the live document. It changes whenever you add or remove a tool, or when a provider's terms change. The policy's inventory section is a snapshot of the live spreadsheet at the time of signing, not a separate record to maintain.

For a one-person practice with three or four AI tools, the policy on its own is enough. For an associate-led practice with five or more tools and contractors using AI on client work, the spreadsheet starts to earn its place.

One caveat worth knowing. These templates are a starter framework, not legal advice. For high-risk AI use cases (Annex III: HR screening, credit decisions, education assessment, biometric identification, essential public services, critical infrastructure, law enforcement, migration, justice), the policy is a useful foundation but you will need a lawyer in addition. The Commission also continues to publish guidance via the AI Pact, and the Digital Omnibus simplification proposal may yet extend some Annex III deadlines. This version reflects the law as of May 2026 and will be revised when the picture changes.

The longer article walks through the August 2026 deadline and what is and is not in scope for a small practice: The EU AI Act for Small Consultancies: A Plain-Language Guide to the August Deadline.

The downloads are free and the links above go directly to the files. There is no email gate. Both templates are unbranded, with only a single discreet attribution line at the foot of each file, which you are welcome to remove.
