Section 1: AI Ethics — Asking “Should We Do This?”

Artificial Intelligence (AI) is one of the most powerful tools ever made available to organizations. It can generate insights at scale, automate routine work, and even make decisions that once required human expertise. But with great power comes great responsibility, and nowhere is this truer than in the domain of AI ethics.

The ethical use of AI begins not with data, algorithms, or technology—it begins with leadership. Leaders must intentionally create a framework for asking the most important question: Not “can we do this?” but “should we do this?”

Without this mindset, AI becomes just another efficiency tool, with organizations chasing speed and cost savings while ignoring the broader impacts on people, society, and trust. Ethical AI adoption means looking beyond the short-term gains and ensuring that every use of AI aligns with the values and responsibilities of the organization.

Download the AI Ethics & Compliance Policy

At Tempest, we believe AI adoption must be intentional, transparent, and responsible. That’s why we’ve developed the AI Ethics and Compliance Policy (2025 Edition)—a practical guide that sets clear expectations for how AI should be used across our organization.

This policy is more than a document—it’s a safeguard. It ensures that AI is used as a partner, not a replacement for human judgment, and that every project complies with legal, ethical, and professional standards. Inside, you’ll find guidance on:

• Ethical standards for AI-assisted content creation

• Mandatory disclosure and transparency requirements

• Prohibited uses to prevent misuse of AI tools

• Compliance with data privacy, cybersecurity, and evolving AI laws

• Training, monitoring, and reporting responsibilities for all staff

We encourage all employees, partners, and stakeholders to download this policy and use it as a living reference. Because AI capabilities evolve quickly, this policy is designed to be regularly reviewed and updated, helping us stay ahead of new opportunities and emerging risks.

Leadership and the Role of an AI Ethics Committee

AI ethics cannot be left to IT teams or assumed to be “built into” the technology. It is a leadership responsibility. Every organization—whether a small business, nonprofit, or government agency—should designate an AI Ethics Lead or form an AI Ethics Committee.

The purpose of this body is not to slow down innovation but to ensure that innovation is sustainable, trustworthy, and aligned with the organization’s mission. The committee should be empowered to:

• Ask whether proposed AI use cases are appropriate.

• Evaluate potential harm to employees, customers, or stakeholders.

• Assess the social and reputational risks of deploying AI.

• Establish ethical guidelines and ensure they are followed.

This group becomes the conscience of AI adoption, balancing opportunity with responsibility.

Developing an AI Ethics Policy

The next step is to create a written AI ethics policy. This is not just a box-checking exercise. A well-crafted policy gives staff clarity, sets expectations, and makes accountability possible.

An AI ethics policy should include:

1. Purpose and Principles

   • Why the organization is adopting AI.

   • The guiding values: fairness, accountability, transparency, human oversight, and respect for privacy.

2. Scope of AI Use

   • The types of AI systems covered (e.g., chatbots, predictive analytics, facial recognition).

   • The limits of use (what AI will not be used for).

3. Employee Responsibilities

   • Every employee must understand their role in ethical AI use.

   • Training should emphasize that humans remain responsible for AI outputs.

4. Oversight and Governance

   • Who approves AI projects.

   • How decisions are reviewed.

   • Processes for raising ethical concerns.

5. Continuous Review

   • Acknowledging that AI is evolving.

   • Committing to regular updates of the policy as new risks and capabilities emerge.

This policy should not live in a drawer. It should be distributed to all employees, incorporated into onboarding, and revisited at least annually.

Asking the Hard Questions

Ethical AI use is about asking the right questions before deploying new tools. Some of the key questions every organization should build into its review process include:

• Could this AI application unintentionally discriminate against certain groups?

• Does this use of AI respect user privacy and informed consent?

• Are we transparent about when someone is interacting with AI versus a human?

• What happens if the AI system makes a mistake? Who is accountable?

• Does this use of AI align with our mission and values?

By institutionalizing these questions, organizations prevent “ethics by accident” and instead move toward “ethics by design.”

Building a Culture of Responsible AI

Policies and committees are important, but true ethical AI adoption requires cultural change. Every employee must see themselves as a steward of responsible technology use. Leaders must model ethical behavior by:

• Being transparent about how AI is being used.

• Prioritizing fairness and equity in decision-making.

• Acknowledging mistakes when AI fails and committing to improvement.

Training is critical. Employees should be taught not only how to use AI tools, but also how to recognize bias, challenge questionable outputs, and escalate ethical concerns.

Transparency as an Ethical Imperative

One of the most significant ethical risks of AI is the “black box” problem: AI systems often produce outputs without explaining how they reached their conclusions. This lack of transparency can erode trust and create accountability gaps.

Organizations must commit to transparency by:

• Clearly disclosing when AI is in use.

• Providing explanations of how decisions are made (to the extent possible).

• Ensuring that users have recourse if they disagree with an AI-driven outcome.

Transparency is not just a technical issue—it is a moral and reputational issue. Customers, students, and citizens must know that AI is being used in ways they can understand and challenge.

Protecting Privacy

Ethical AI cannot exist without privacy protections. AI systems often require large datasets, which may include personal or sensitive information. Leaders must ask:

• Do we have consent to use this data?

• Are we storing and securing it responsibly?

• Are we minimizing the data collected to reduce risks?

Failing to safeguard privacy can undo years of trust-building in a single breach or scandal.

Conduct a risk assessment with the free Business Navigator Risk Assessment Toolkit, download now!

Section 2: AI Compliance — Staying Ahead of the Rules

If ethics is about asking “should we do this?”, compliance is about ensuring “are we allowed to do this—and are we doing it properly?”

As Artificial Intelligence evolves, so does the legal and regulatory environment surrounding it. Governments, industry bodies, and professional associations are moving quickly to develop rules that govern how AI can and cannot be used. For organizations—whether businesses, schools, nonprofits, or government agencies—compliance is not optional. It is a requirement for sustainability, credibility, and survival.

Compliance ensures that AI adoption is not just responsible, but also legal and enforceable. Failing to address compliance risks not only fines and lawsuits, but also reputational damage that can permanently harm trust.

Leadership and Ownership of AI Compliance

Just as with ethics, AI compliance begins with leadership. An organization must assign clear responsibility for overseeing AI compliance—whether that is a Chief Compliance Officer, a data protection lead, or a dedicated AI Governance Committee.

The key is ownership. Without a designated owner, compliance becomes fragmented and reactive. With ownership, compliance becomes proactive, consistent, and aligned with strategic goals.

This individual or group should:

• Stay current with evolving AI regulations in the jurisdictions where the organization operates.

• Maintain internal documentation that proves compliance.

• Oversee audits of AI systems and their data sources.

• Ensure staff are trained on compliance obligations.

Developing an AI Compliance Policy

Compliance begins with a written AI compliance policy. This policy differs from an ethics policy in that it focuses on what the law, regulators, or contracts require—while ethics focuses on what is “right.”

A strong compliance policy should include:

1. Regulatory Awareness

   • Summaries of relevant laws and regulations (e.g., EU AI Act, U.S. data protection laws, sector-specific rules).

   • Updates as these laws change.

2. Data Governance

   • How data used for AI is collected, stored, and processed.

   • Compliance with data privacy laws (e.g., GDPR, HIPAA, FERPA depending on sector).

3. Documentation and Audit Trails

   • Keeping records of AI training data, testing processes, and decision-making logic.

   • Ensuring that decisions can be explained if regulators or courts demand it.

4. Vendor and Third-Party Oversight

   • Ensuring AI tools purchased from vendors meet compliance standards.

   • Requiring contractual guarantees for compliance in procurement.

5. Reporting and Accountability

   • Clear mechanisms for reporting compliance issues.

   • Assignment of responsibility to individuals or teams.

Understanding the Regulatory Landscape

AI compliance is particularly challenging because the regulatory landscape is fragmented and fast-moving. Leaders must accept that the rules are not static. They vary by country, by industry, and by use case.

• United States: While there is no comprehensive AI law yet, regulators like the FTC have made clear that deceptive or unfair AI use will be prosecuted. Sector-specific laws like HIPAA (healthcare), FERPA (education), and financial regulations also apply to AI.

• European Union: The EU AI Act (expected to come into force in 2026) creates a risk-based framework, with strict rules for “high-risk” AI systems such as biometric identification or systems used in employment and education.

• Other Jurisdictions: Countries like Canada, the UK, and Singapore are also drafting AI laws, while China already enforces rules on recommendation algorithms and generative AI.

For global organizations, compliance means not only tracking domestic rules but also ensuring international operations meet local requirements.

Data Privacy as the Cornerstone of Compliance

The heart of AI compliance lies in data privacy. Most AI systems rely on large datasets, many of which include personal information. Mismanaging this data creates both legal and ethical risks.

Organizations must ensure:

• Data collection complies with privacy laws and is limited to necessary information.

• Consent is obtained where required.

• Data is anonymized or pseudonymized when possible.

• Retention schedules are followed (data is not kept indefinitely).

• Data subjects (customers, students, citizens) can exercise their rights (access, correction, deletion).

Failure to comply with privacy laws can lead to multimillion-dollar fines—as seen under GDPR—and lasting reputational damage.

Documentation and Audit Readiness

One of the most overlooked aspects of AI compliance is documentation. Regulators, courts, and partners increasingly expect organizations to provide evidence of how AI systems were developed, tested, and deployed.

This means keeping:

• Records of training datasets used.

• Logs of AI system decisions and outcomes.

• Records of human oversight and intervention.

• Documentation of risk assessments conducted before deployment.

Good documentation is not just about avoiding penalties—it also strengthens internal governance and trust with stakeholders.

Vendor and Third-Party Risk Management

Most organizations will not build AI systems from scratch. They will purchase tools or services from vendors. This creates a new layer of compliance risk: if your vendor violates the law, you may still be liable.

To address this:

• Require vendors to provide compliance certifications.

• Include AI-specific compliance clauses in contracts.

• Conduct due diligence before procurement.

• Continuously monitor vendor performance and updates.

Vendor oversight ensures that your organization is not blindsided by compliance failures in your supply chain.

Why Compliance Matters Beyond Avoiding Penalties

Some organizations view compliance as a burden or a cost of doing business. In reality, compliance can be a competitive advantage. Organizations that demonstrate compliance build trust with customers, students, donors, and citizens.

Being able to say “we are fully compliant with AI regulations” signals professionalism, responsibility, and maturity. In markets where AI trust is fragile, this reputation can be more valuable than any single technological edge.

Section 3: Pulling Compliance and Ethics Together

The Fluid Nature of AI Ethics and Compliance

Unlike traditional business policies, an AI ethics policy must be seen as fluid and adaptive. AI capabilities are changing rapidly, and new ethical challenges emerge almost daily—from deepfakes to synthetic voices to algorithmic hiring systems.

Leaders should commit to revisiting their ethics policy regularly. Annual reviews may not be enough—quarterly check-ins may be necessary to stay current. The goal is not perfection, but continuous improvement.

Employee Training and Awareness

Ethics and Compliance policies are only effective if employees understand them. Training programs should ensure that staff:

• Know the legal limits of AI use in their role.

• Understand data handling and privacy obligations.

• Are aware of reporting mechanisms for compliance concerns.

• Recognize the difference between ethical questions and compliance requirements.

Compliance must become part of the organizational culture—not just a legal department checklist.

Why Ethics and Compliance Comes First

Ethics and compliance is not just one part of AI adoption—it is the foundation. An organization can have the best cybersecurity and compliance programs in the world, but if it uses AI in ways that are unfair, opaque, or harmful, it will lose the trust of its people and stakeholders.

By starting with ethics, organizations build a north star that guides every decision about AI adoption. The committee, the policy, the culture—all of these ensure that the organization is asking not just “Can we do this?” but “Should we do this?”

Ethics and compliance are different but deeply connected. Ethics asks “should we?”, while compliance asks “must we?”. Both questions must be answered for AI adoption to be successful.

Ethics without compliance risks being aspirational but unenforceable. Compliance without ethics risks being legal but untrustworthy. Together, they create a framework that ensures AI is not only powerful but also fair, lawful, and trusted.

AI adoption cannot succeed on technology alone. It must be built on the twin foundations of ethics and compliance: ethics to ensure we are asking “should we?” and compliance to ensure we are meeting “must we.” Together, these create a framework of trust, accountability, and resilience. And critically, neither can exist in isolation—without strong AI Cyber Defense, even the most ethical and compliant AI systems remain vulnerable. By approaching all three pillars simultaneously, organizations can embrace the promise of AI while protecting their people, their data, and their reputation.