← seanbair.ai
AI Policy Library

How to use these

Each policy is self-contained. Copy the ones you need, paste them into your own document, and adapt the bracketed sections. Start with the Master AI Use Policy; it is the umbrella the rest hang from. The tool-specific policies (report writing, facial recognition, license plate readers) sit on top of it for the systems that carry the most risk. Building an AI product for public safety? These work as an internal governance checklist too. That is exactly how I use them at SWORN.

Foundation

Every agency should have both.
Foundation

Master AI Use Policy

The umbrella every other policy hangs from. If your agency adopts nothing else, adopt this. It follows the Policing Project's ten provisions, the closest thing the field has to a consensus starting point.

Purpose

This policy governs the [AGENCY NAME]'s use of artificial intelligence (AI) so that AI supports public safety while protecting civil rights, civil liberties, and public trust.

Scope and Definitions

"AI" means a machine-based technology that infers from the input it receives how to generate outputs, including content, decisions, predictions, or recommendations.

This policy covers AI used to (a) investigate, detect, deter, or respond to criminal activity or other public safety incidents, or (b) create or help create police reports or investigative records. It does not cover purely administrative tools such as scheduling or spell-check. Covered examples include facial recognition, person-based predictive systems, automated license plate readers, and threat-detection systems.

Chief AI Officer

The Agency shall designate a Chief AI Officer (CAIO), who advises leadership on AI use; oversees compliance with this policy; ensures each AI system is evaluated before deployment, including available evidence of accuracy and impact on civil rights and civil liberties; ensures personnel are trained, including how to verify system outputs; responds to grievances from people who believe an AI system harmed them; and manages and can revoke personnel access. The role may be assigned to an existing member or shared among several.

Human Oversight

AI may inform decisions. It does not make them. An AI output is a lead or an aid, never the sole basis for an arrest, a search, a use of force, or any other enforcement action. A trained person reviews and verifies AI output before it is relied upon.

Prohibited Use

No personnel shall use an AI system to target a person or group based on race, ethnicity, religion, or other protected characteristic, unless that characteristic is part of a specific suspect description; or based on expressed or perceived beliefs, absent a plausible basis that the person or group advocates conduct threatening public safety. Any decision to target a geographic area for AI deployment must rest on a sound, nondiscriminatory, evidence-based justification.

Data: Collection, Use, and Retention

For each AI system that collects or analyzes personally identifiable information (PII), the Agency shall document whose data is collected and the conditions under which personnel may access or query it, including any required predicate such as reasonable suspicion or probable cause. The Agency shall retain such data for the shortest practicable period consistent with operational needs and applicable law.

Data Sharing

Before sharing AI data with another agency, the CAIO shall execute a written agreement specifying the data shared, the purpose, the retention period, and any use limits. In exigent circumstances involving a threat to life or serious bodily harm, data may be shared without a prior agreement if the disclosure is documented.

Transparency and Disclosure

The CAIO shall publish an annual AI Inventory (see the Community Transparency policy). When an AI system within scope contributes to an investigation that results in a prosecution, its use shall be disclosed in the casefile submitted to the prosecutor, including the system name and a brief description of its role, so prosecutors can meet their obligations under Brady v. Maryland and state discovery law.

Generative Content

Any report or investigative record created in whole or in part by a content-generating AI system shall carry a disclaimer that it contains AI-generated content and a certification by the submitter that they reviewed it for accuracy (see the Generative AI Report-Writing policy).

Training

No member shall operate a covered AI system before completing training on its proper use, its limits, and how to verify its output.

Auditing and Enforcement

The CAIO or designee shall audit AI system logs at least annually for compliance. Any use of an AI system, or data derived from it, in violation of this policy shall be referred to [Internal Affairs / the head of the Agency] and may result in sanctions up to and including termination.

Review

This policy shall be reviewed at least annually and updated as technology, law, and best practices change.

Adapted from the Policing Project's "Police AI Policies: Ten Key Provisions to Include" (NYU School of Law). Verify against your state law before adopting.

Foundation

AI Procurement & Vendor Evaluation Standard

Most AI problems are bought, not built. This is the gate: what you demand before a tool ever touches a case.

Purpose

To ensure the [AGENCY NAME] evaluates any AI system for accuracy, bias, security, and civil-liberties impact before acquisition, and holds vendors to enforceable standards.

Scope

Applies to the purchase, trial, pilot, donation, or renewal of any AI system covered by the Master AI Use Policy. No covered AI system, including free trials or donated pilots, may be deployed operationally without review under this standard.

Pre-Acquisition Review

Before acquisition, the Chief AI Officer shall document:

  • The specific problem the system is meant to solve and the use cases authorized.
  • Available independent evidence of the system's accuracy and error rates, including performance across demographic groups.
  • A civil rights and civil liberties impact assessment.
  • Whether a less intrusive alternative would meet the need.

Required Vendor Disclosures

The vendor shall provide, in writing:

  • A description of the system's function, its training data at a general level, and its known limitations.
  • Independent or third-party testing results where they exist; for facial recognition, results from NIST testing.
  • Documented error rates and the conditions under which accuracy degrades.
  • Notice of material model changes or updates before they take effect.

Contract Requirements

Every contract shall require:

  • Audit logging of all system activity, with logs accessible to the Agency.
  • Agency ownership of its data, and a prohibition on the vendor using Agency data to train models without written consent.
  • Security controls meeting the FBI CJIS Security Policy wherever criminal justice information is involved.
  • Breach notification within [X] hours.
  • Return or verified deletion of Agency data on termination.

Ongoing Monitoring

The Chief AI Officer shall reassess each system at least annually for accuracy, misuse, and continued fit, and shall suspend any system that fails to meet the standards in this policy.

Approval

No covered AI system shall be acquired or deployed without the written approval of the Chief AI Officer.

Informed by the NIST AI Risk Management Framework and OMB acquisition guidance (M-25-21, M-25-22). Verify against your procurement rules and state law.

Tool-Specific

For the systems that carry the most risk.
High Risk

Generative AI Report-Writing Policy

The one moving fastest, and the one a defense attorney will ask about first. California and Utah already require disclosure and an audit trail. Write it down before you turn it on.

Purpose

To govern AI systems that draft or help draft police reports or investigative records, for example tools that generate a narrative from body-worn camera audio or officer notes, so reports stay accurate, verifiable, and admissible.

Scope

Applies to any AI system that generates or drafts the content of a report or investigative record.

Authorized Use

A member may use an approved generative AI tool to produce a draft narrative. The draft is a starting point, not a finished report.

Mandatory Review and Certification

Before submitting, the member shall read the entire report, correct every error and omission, and confirm it reflects their own account of events. The member shall certify in the record that they reviewed it for accuracy. The submitting member is fully responsible for the report's content, exactly as if they had written every word.

Disclosure

Any report created in whole or in part by generative AI shall include a disclaimer stating that it contains AI-generated content.

Prohibited Use

  • Submitting an AI-drafted report without full review and correction.
  • Using AI to draft reports for [use-of-force incidents, officer-involved shootings, or other categories the Agency designates], which shall be written by the member unaided.
  • Entering information into the tool that the member cannot personally verify.

Records and Audit Trail

The Agency shall retain the source material, for example the body-worn camera audio and the initial AI draft, and a record that AI was used, for at least as long as the report itself is retained, so the process can be audited and disclosed in discovery.

Training

No member shall use a generative report-writing tool before training on its use, its failure modes, and this policy.

California and Utah require AI-use disclosure and an audit trail for AI-assisted reports; other states are following. Confirm your state's current law. Based on the Policing Project generative-AI provision.

High Risk

Facial Recognition Governance Policy

The highest-stakes tool in the building. The rule that keeps agencies out of the headlines is simple: a match is a lead, never the arrest.

Purpose

To govern the [AGENCY NAME]'s use of facial recognition technology (FRT) so it supports investigations without producing wrongful stops or arrests.

Scope

Applies to any use of FRT to identify or attempt to identify a person.

Authorized Use

FRT may be used only to generate an investigative lead in connection with [a specific case or reasonable suspicion of a crime]. An FRT result is a potential lead and nothing more.

An FRT Result Shall Never Be

  • The sole basis for an arrest, detention, search, or any enforcement action.
  • Treated as a positive identification or as probable cause on its own.

An FRT lead must be independently corroborated through traditional investigation before any enforcement action.

Human Review

Every candidate result shall be reviewed by a trained examiner. Personnel shall be trained that FRT accuracy can vary across demographic groups and that a returned candidate may be wrong.

Prohibited Use

  • Real-time or live mass surveillance of public spaces [unless separately authorized and lawful].
  • Identifying people engaged in First Amendment-protected activity based on that activity.
  • Immigration enforcement [absent a specific lawful basis and written authorization].
  • Personal, harassing, or non-case use.

Logging and Disclosure

Every FRT query shall be logged with the user, date, associated case number, and purpose. FRT use in an investigation leading to prosecution shall be disclosed in the casefile.

Vendor Standards

Systems should be independently tested, for example through the NIST Face Recognition Vendor Test, and the Agency shall document known accuracy and error rates.

Reflects the emerging consensus across IACP, the Policing Project, and state facial-recognition statutes. Several states restrict or ban specific FRT uses; verify your state and local law.

High Risk

Automated License Plate Reader (ALPR) Data Policy

Cameras that read every plate that passes build a map of where people go. The policy is mostly about how fast you forget.

Purpose

To govern the collection, use, retention, and sharing of automated license plate reader (ALPR) data.

Scope

Applies to all ALPR systems operated by or accessed by the [AGENCY NAME].

Authorized Use

Personnel may query ALPR data only in connection with [a specific investigation, active case, or legitimate law enforcement purpose with a documented nexus]. Each query shall record the user, the case or reason, and the date.

Prohibited Use

  • Querying or tracking a person based on race, religion, or First Amendment-protected activity.
  • Personal use, or use to monitor any person absent a legitimate law enforcement purpose.

Retention

Detection data that is not linked to an active investigation or a hit shall be retained no longer than [30 / 60 / 90] days, then purged. Data tied to an investigation follows the applicable evidence-retention schedule.

Access and Audit

Access shall be limited to trained, authorized personnel. All queries are logged and audited at least annually by the Chief AI Officer.

Data Sharing

ALPR data shall be shared with another agency only under a written agreement specifying the data, purpose, retention, and use limits. [The Agency does not share ALPR data with federal immigration authorities absent a lawful basis and written authorization.]

Built on the Policing Project data-collection, retention, and sharing provisions. ALPR retention limits are set by statute in several states; verify yours.

Medium Risk

Staff Generative AI Use Policy

Your people are already pasting things into ChatGPT. This decides what they can, and what would put case data on someone else's server.

Purpose

To govern personnel use of public or commercial generative AI tools, for example ChatGPT, Copilot, or Gemini, for work other than official report writing.

Scope

Applies to all [AGENCY NAME] personnel using any generative AI tool that is not hosted and controlled by the Agency.

Approved Tools

Personnel shall use only generative AI tools approved by the Chief AI Officer. [List approved tools.]

Prohibited Inputs

Personnel shall never enter the following into a public or commercial AI tool:

  • Criminal justice information (CJI) or criminal history record information, as defined by the FBI CJIS Security Policy.
  • Personally identifiable information about victims, suspects, witnesses, or officers.
  • Case facts, investigative details, or evidence, including body-worn camera content.
  • Anything sealed, protected by law, or otherwise non-public.

Treat anything entered into a public tool as if it were posted publicly and stored permanently.

Acceptable Use

Approved tools may be used for general, non-sensitive work such as drafting training material, summarizing public documents, or general research, provided the member verifies all output before relying on it. AI output is a draft, not a source of truth.

Accountability

Members are responsible for anything they produce with an AI tool. Violations are handled under [the Agency disciplinary policy].

Anchored to the FBI CJIS Security Policy. Confirm your state CJIS requirements and any commercial tool's data-handling terms.

Governance

The parts that make the rest real.
Governance

Community Transparency & Public AI Inventory

Trust is cheaper to keep than to rebuild. Tell the public what you use before someone files a records request and tells them for you.

Purpose

To maintain public trust by disclosing what AI the [AGENCY NAME] uses and why.

Annual Public AI Inventory

At least annually, the Chief AI Officer shall publish a public AI Inventory listing, for each covered AI system:

  • The vendor and product name, if any.
  • A brief description of its function and capabilities.
  • A brief description of the data it collects or analyzes.
  • The purposes for which its use is authorized.

Annual Report

The Agency shall publish an annual summary including aggregate usage, the results of the yearly audit, and the number and disposition of AI-related complaints.

Notice Before Adoption

Before deploying a new high-impact AI technology [such as facial recognition, predictive systems, or real-time surveillance], the Agency shall [provide public notice and an opportunity for community input / seek approval from its governing body], consistent with local law.

Point of Contact

The Agency shall publish a way for the public to ask questions or raise concerns about its AI use, directed to the Chief AI Officer or designee.

Built on the Policing Project AI Inventory provision and community-oversight models such as CCOPS. Some jurisdictions mandate surveillance-technology approval; verify local law.

Governance

AI Audit & Accountability Policy

A policy no one checks is a press release. This is the part that makes the rest real.

Purpose

To verify that the [AGENCY NAME] uses AI in compliance with policy and law, and to correct and disclose failures.

Logging

Every use of a covered AI system shall be logged, capturing at minimum the user, the date and time, the system used, the associated case or purpose, and the disposition of the output.

Annual Audit

At least annually, the Chief AI Officer or designee shall audit AI logs for compliance, review a sample of uses to confirm human verification occurred, and monitor for accuracy and disparate impact across demographic groups.

Incident Disclosure

Errors, misuse, or breaches involving an AI system shall be documented and reported to the Chief AI Officer. Where an AI error may have affected a person's rights or a legal proceeding, the Agency shall disclose it to [the prosecutor and affected parties, as required by law].

Enforcement

Violations shall be referred to [Internal Affairs / the head of the Agency] and may result in sanctions up to and including termination, and revocation of AI system access.

Grievance and Redress

Any person who believes an AI system harmed them may file a complaint with the Chief AI Officer, who shall investigate and take appropriate action. Complaints and their disposition are recorded and reflected in the annual report.

Recordkeeping

Audit records shall be retained for [X years] consistent with the Agency's records-retention schedule.

Built on the Policing Project auditing provision and the NIST AI RMF "Manage" function. Verify against your records-retention schedule and disclosure obligations.

Sources & further reading

These templates are built on public frameworks. Go to the primary sources before you finalize anything.
The backbone of the Master policy: scope, a Chief AI Officer, AI inventory, data collection/use/retention/sharing, a ban on discriminatory use, disclosure of AI use in casefiles, generative-AI disclosure, and auditing.
The govern, map, measure, and manage functions behind the procurement and audit policies, plus content provenance and incident disclosure.
The International Association of Chiefs of Police on cautious AI procurement and technology governance.
Federal guidance on the review-and-verify workflow behind the report-writing policy.
State law and Brady v. Maryland
California and Utah require disclosure and an audit trail for AI-assisted police reports; a dozen-plus states regulate facial recognition and ALPR. AI use that informs a prosecution can trigger disclosure obligations under Brady v. Maryland and state discovery law. Always check your own jurisdiction.
More from Sean
Copied