AIRiskAware

This article is currently available in English.

Governance 7 min read 2026

AI Ethics Policy: What It Is, Why It's Not Enough, and What You Need Alongside It

An AI ethics policy is valuable — but organisations that believe their ethics policy is their AI governance are making a dangerous mistake. What AI ethics policies do well, what they cannot do, and what operational governance must accompany them.

Key Takeaways

  • An AI ethics policy is a statement of values — it tells people what the organisation cares about and aspires to. It is not governance — it does not tell people what to do, who is accountable, or what happens when things go wrong.

  • The fundamental limitation of AI ethics policies: they rely on individual ethical judgment to translate principles into actions in specific situations. This is an unreliable mechanism — the same principle ('AI should be fair') leads different people to different operational decisions.

  • An AI ethics policy is valuable as the values foundation of AI governance — but it must be accompanied by operational policies (what to do), accountability structures (who decides), and enforcement mechanisms (what happens when the rules are not followed).

  • The most effective AI ethics framework has three layers: values (ethics policy), rules (operational AI policy and risk framework), and structures (AI governance roles, review processes, and accountability mechanisms). Each layer is necessary; none is sufficient alone.

  • Regulators and courts do not assess AI governance by examining ethics policies — they examine evidence of operational governance. An ethics policy with no operational implementation provides almost no protection in a regulatory investigation or litigation.

"For information purposes only. This article does not constitute legal, regulatory, financial or professional advice. Consult a qualified specialist for specific advice."

What an AI ethics policy is and why small businesses need one

An AI ethics policy is a document that sets out how your business uses AI systems — what principles guide your use, what uses are permitted and prohibited, who is responsible for AI-related decisions, and how you handle concerns or errors. It is distinct from a technical AI policy (which covers system configuration, security, and deployment) and from a compliance checklist (which covers specific regulatory requirements). An AI ethics policy addresses the values and governance framework that sit above specific rules.

Small businesses need an AI ethics policy for three converging reasons. First, regulatory requirements: the EU AI Act's Article 4 requires anyone using AI professionally to ensure sufficient AI literacy — a documented policy is the primary evidence of how you have met this. The EU AI Act's transparency obligations require customer-facing AI disclosures. Australia's Privacy Act will require automated decision-making (ADM) transparency from December 2026. These are not optional. Second, commercial pressure: enterprise customers, investors, and supply chain partners are increasingly requiring AI governance documentation as part of due diligence, procurement, and ESG reporting. Third, risk management: documented AI use policies reduce the risk of employees using AI tools in ways that breach client confidentiality, privacy law, professional duties, or your own contractual commitments to customers.

What a practical AI ethics policy for a small business should cover

Purpose and scope. What AI tools does your business use and for what purposes? This should be a brief inventory — not a comprehensive technical register, but a clear statement of the AI systems your business relies on and the categories of use (e.g. customer service chatbot, document drafting assistance, marketing content, code generation, data analysis). Scope should also define who the policy applies to: employees, contractors, and any third parties acting on your behalf.

Principles. State the principles that guide your AI use. Common principles for small businesses include: human oversight (a person reviews and is accountable for AI-assisted outputs before they are delivered to customers or used in decisions); transparency (you disclose to customers when AI has been materially involved in a service, product, or decision that affects them); fairness (you do not use AI in ways that discriminate against people on the basis of protected characteristics); accuracy (you verify AI-generated outputs before relying on them); and privacy (you do not input personal information about customers, employees, or third parties into AI tools without appropriate authorisation and controls).

Permitted and prohibited uses. Be specific about what employees may and may not do with AI tools. Permitted uses might include: drafting internal documents for human review; generating ideas and outlines; summarising research; coding assistance. Prohibited uses — especially critical for professional services businesses — typically include: inputting client confidential information into third-party AI tools without explicit client consent; using AI to generate advice or recommendations delivered to clients without human review and sign-off; using AI in ways that breach your sector's professional conduct rules; using AI to generate content that impersonates real people or creates misleading information.

Data and privacy rules. State clearly what data may and may not be input into AI systems. At a minimum: personal information about identifiable individuals should not be entered into AI tools unless the tool has a contractual data processing agreement confirming the data will not be used for training and will be handled in compliance with applicable privacy law. Client confidential information should not be entered without client consent and confirmation that the AI vendor's data practices are consistent with your confidentiality obligations. Sensitive categories of data (health information, financial account details, biometric data) require additional controls.

Accountability. Name who is responsible for maintaining the AI ethics policy, reviewing AI tool adoption, handling complaints about AI use, and reporting AI-related incidents. In a small business this may be the owner or a designated manager. The point is that accountability is explicit and named.

Review. State how frequently the policy will be reviewed (at minimum annually, and whenever you adopt a new AI tool or a significant regulatory change occurs). AI regulation is moving fast — a policy that was adequate in 2024 may be insufficient in 2026.

Transparency with customers — the specific disclosure requirement

Several jurisdictions now require businesses to disclose when AI has materially influenced a decision or output that affects customers. Under the EU AI Act Article 50 (from 2 August 2026), businesses using chatbot interfaces must disclose that users are interacting with AI. Under Australia's Privacy Act (from 10 December 2026), businesses must disclose in their Privacy Policy when personal information is used in substantially automated decisions with significant effects on individuals. Under GDPR in the EU (already in force), businesses must inform customers about automated decision-making that produces legal or similarly significant effects.

Your AI ethics policy should reference how you meet these disclosure requirements and link to your Privacy Policy or customer-facing notices where the disclosures appear. Do not rely on generic disclaimers buried in terms of service — regulators expect meaningful, accessible disclosure.

Further reading: ISO 42001