Hypergility

    The 5-Page AI Policy That Gets Startups Through Procurement

    Tuli Faas May 9, 2026

    Two years ago enterprise vendor onboarding asked about ISO 27001 and GDPR. Today it asks about your AI policy, your model providers, your training data and your incident process. Most startups respond with a 30-page document copied from a Big Four template, full of language nobody at the buyer's end will read. The five-page version gets approved faster.

    What enterprise security teams actually want to know

    • Which AI systems you use, from which providers, for what purpose
    • What customer data, if any, is sent to those providers and under what terms
    • Whether customer data is used to train any model
    • What happens if the AI gets it wrong — human oversight, escalation, redress
    • How you keep the policy current as you add new AI features

    The 5-page structure

    Page 1 — Purpose, scope and ownership. What this policy covers, what it does not, who owns it, when it was last reviewed, who must comply. One paragraph each. Named individual as owner.

    Page 2 — AI systems inventory. A table: system name, purpose, provider/model, data flows in, data flows out, customer data involved Y/N, training Y/N. This single page answers 80% of procurement questions.

    Page 3 — Data handling and provider terms. Confirm that customer data is not used to train provider models. Confirm encryption in transit and at rest. State data retention. Confirm sub-processor list is published.

    Page 4 — Risk and oversight. How you classify AI risk. Where humans are in the loop. How errors are detected and corrected. Disclosure to end users.

    Page 5 — Incidents and governance. How AI incidents are reported, escalated and disclosed. Annual review by leadership. Mapping to ISO 42001 Annex A or NIST AI RMF. Sign-off.

    Tone and style

    Write it as if a senior engineer at the buyer is going to read it on a Friday afternoon and decide whether you pass. Plain English. Specific commitments rather than aspirational language. No marketing copy. If you cannot say it truthfully, do not say it.

    What to do with it

    Publish the policy at hypergility.com/ai-policy (or equivalent). Link to it from your trust centre, your DPA, your master services agreement, and the security section of your website. Buyers look for the public link before they ask you for the document.

    Hypergility is ISO 42001 certified and the products we build for clients ship with this discipline already in place. If you want a build partner that already passes enterprise procurement, talk to us.

