Govern GenAI Data
GenAI Data Classification Policy
Set clear data rules for every AI tool your team touches
4 Classification Tiers
5 AI Platforms Covered
6+ Global Regulations Addressed
Why Finance Leaders Use This Guide
Stop Accidental Data Exposure
Most AI data incidents come from employees pasting the wrong data into a prompt, not from external attacks. This policy gives your team a clear decision framework before they type anything into ChatGPT, Claude, or Copilot.
Works Across Five AI Platforms
The policy covers Claude, ChatGPT, Perplexity, Notion AI, and Gemini. One consistent set of rules, applied across every tool your team uses.
Built for Regulatory Compliance
The framework maps to GDPR, PDPA, CCPA, PCI-DSS, and the EU AI Act. Your compliance and legal teams get a defensible starting point without building from scratch.
RAG-Specific Controls Included
Most AI policies skip knowledge base governance entirely. This one includes metadata requirements, ingestion controls, and a maintenance schedule for RAG systems in the Office of the CFO.
Ready to Deploy in Hours
Update the company name, assign the document owner, collect signatures, and it's done. No policy consultant required.
What You Get
- AI Data Classification Policy (v4.0)
  14-page policy covering all four data tiers: Public, Internal, Confidential, and PII/PCI. Includes handling rules, required controls, and prohibited uses for each level.
When to Use This Policy
Pre-AI Deployment Governance Setup
Your organization is about to roll out AI tools to the finance team. This policy defines what data is allowed in and what isn't, so you're covered before anyone starts typing.
Responding to an Audit or Board Request
The board or an external auditor asks how you're managing AI data governance. This gives you a structured, signed-off policy document with clear classification tiers and escalation procedures.
Covering Multiple AI Tools at Once
Your team uses Claude, ChatGPT, and Notion AI across different workflows. This framework applies the same classification rules regardless of which platform is in use.
Protecting Confidential Finance Data
Financial forecasts, pricing data, and M&A information sit in the Confidential tier. The policy specifies which AI use cases require controls and which are prohibited.
The 4-Tier Classification System
| Tier | Definition | Finance Examples | AI Use Cases | Required Controls |
|---|---|---|---|---|
| PUBLIC | Non-sensitive, approved for external use | Marketing materials, press releases, public filings | Direct AI use, RAG, fine-tuning | No additional controls |
| INTERNAL | Business information for internal use only | Internal policies, org charts, training materials | Direct AI use, RAG, limited fine-tuning | Standard access controls |
| CONFIDENTIAL | Sensitive data with significant business impact | Forecasts, strategic plans, customer contracts, M&A | AI use with controls, restricted fine-tuning | TLS 1.3, AES-256, RBAC, audit logging |
| PII / PCI | Personal or payment data. Regulatory risk if mishandled | Names, SSNs, credit cards, health records | Prohibited in raw form in any AI system | Anonymization or prohibition required |
Common Questions
What does this policy actually cover?
Does this work for our specific AI tools?
What regulations does this policy address?
Is this ready to use as-is, or does it need customization?
What's the difference between this and a general data classification policy?
Is this the same as the AI Governance & Risk Control Stack bundle?
One Policy. Five AI Tools. Zero Guesswork
Used by finance and risk teams building governance frameworks for GenAI. Updated for 2026 regulations.