About the framework

Why this framework exists

Most current AI policy templates treat AI compliance as a parallel track, separate from the human rights due diligence work an organization already does. That fragmentation produces gaps. Workers, supply chain workers, customers, and affected communities can be harmed by AI systems in ways that are not addressed by AI-specific compliance frameworks, because the harm is not technical — it is a human rights impact.

This framework's central argument is straightforward: AI-related impacts on people are a category of human rights risk. They belong inside the methodology your organization already applies to other human rights matters — the UN Guiding Principles methodology of identify, assess, integrate, track, communicate, and remediate. They should not be assigned to a separate AI ethics function that operates outside your sustainability, legal, HR, and risk management systems.

Treating AI this way is not just methodologically cleaner. It is also more honest about what AI systems do. They make decisions about people — who gets hired, who gets monitored, who gets credit, who gets recommended a product. Those decisions belong under the same accountability discipline your organization applies to every other decision that affects people.

What the tool produces

Running the assessment produces three artefacts:

• A Human-AI Policy, drafted as an executive document of approximately 2,500 words across ten sections, board-approvable and suitable for public posting.
• A suggested addition to your Code of Conduct, written in the voice of the existing document and designed to slot into your existing ethical framework rather than stand apart from it.
• A suggested addition to your Own Workforce Policy, using CSRD and ESRS S1 terminology so the artefact reads natively to organizations already reporting under that framework.

All three artefacts are calibrated to the organization that runs the assessment. The legal regimes named in the policy are the regimes that actually apply. The affected groups discussed are the ones the organization has identified. The ambition tier — Foundational, Aligned, or Leading — sets the ceiling above the legal floor.

How it adapts

The framework is built to work across organizations of different sizes, sectors, and regulatory contexts. Three things vary:

• Regulatory exposure. Which binding instruments apply — the EU AI Act, GDPR, CSDDD, Norwegian Transparency Act, German LkSG, French Loi de Vigilance, US state-level AI and privacy laws — depends on where the organization operates and what it does. The framework derives this from the questionnaire rather than asking the user to self-assess.
• Ambition. The legal floor — what an organization must do under binding law — is immovable. Ambition determines the ceiling above the floor: whether to meet the legal baseline, adopt emerging best practice, or commit publicly to leading positions including published impact assessment summaries and third-party algorithmic audits.
• Existing policy infrastructure. The framework extends the policies an organization already has — Code of Conduct, Whistleblowing procedure, Supplier Code, Own Workforce Policy — rather than replacing them. Where foundational policies are absent, the framework surfaces that as a structural gap to address rather than working around it.

Frameworks and standards

The framework integrates and aligns with:

• The UN Guiding Principles on Business and Human Rights
• The OECD Guidelines for Multinational Enterprises on Responsible Business Conduct
• The International Labour Organization Declaration on Fundamental Principles and Rights at Work
• The Council of Europe Framework Convention on Artificial Intelligence
• The EU AI Act, GDPR, CSRD, and CSDDD
• The Norwegian Transparency Act (åpenhetsloven), the German Supply Chain Due Diligence Act (LkSG), the French Loi de Vigilance, and other national HRDD statutes
• US state-level AI, privacy, and biometric laws including NYC Local Law 144, Illinois BIPA, the Colorado AI Act, and the California CCPA/CPRA
• ISO/IEC 42001 and emerging international AI standards

Honest scope and limitations

The framework reflects fifteen years of work on sustainability governance and the sensitive human rights questions that arise inside organizations adopting new technologies. It is a starting point for serious work, not a substitute for it.

A few things to be clear about:

• This is not legal advice. Organizations adopting policies generated from this framework should obtain qualified legal review before adoption, particularly for binding obligations under the AI Act, GDPR, CSDDD, national HRDD instruments, and sector-specific regulation.
• Version 1.0 is executive-only. The Human-AI Policy is the executive document — approximately 2,500 words across ten sections, designed for board approval and public posting. The full operational detail (procurement specifications, audit cadences, escalation thresholds) is deferred to a later release.
• Generator output is a draft. The artefacts produced are intended as a starting point for company-specific refinement, not as a final adoptable text without internal review. They reflect the framework's positions and methodology; they cannot reflect knowledge of the organization that only the organization holds.

The framework is released under the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0). It is free to use, adapt, and redistribute under the same license.