Policies, standards, procedures
A common organizational mistake folds policies, standards, and procedures into a single document on a single review cycle. The result is either a rigid document blocking change, or a loose document where no one knows what to do in an incident. Bizzi separates the three tiers and gives each its own approval body and its own update cadence.
Context
Policies should change slowly; we commit to them publicly and expect them to hold for years. Standards should change at the rate the underlying AI technology evolves, roughly quarterly. Procedures should change at the rate the system itself changes, sometimes weekly. Forcing all three onto the same approval workflow either calcifies the runbook or quietly drifts the policy.
Tier 1. Policies
Definition. High-level statements of principle. They answer “What does Bizzi believe?” and “What is absolutely prohibited?”
Approval. AI Governance Board. Update cadence. Annually, or when a major regulation changes.
Required policies:
- AI Acceptable Use Policy. What AI is allowed and not allowed to be used for.
- Data Use Policy. Data classification and rules for training and inference.
- Vendor Policy. Selection and evaluation criteria for LLM vendors.
- Incident Response Policy. Severity tiers and escalation paths.
- Customer Disclosure Policy. When and how we notify customers about incidents.
Tier 2. Standards
Definition. Specific technical rules. They answer “What threshold do we clear?”
Approval. AI Center of Excellence. Update cadence. Quarterly.
Representative standards:
- Model Evaluation Standard. Pass/fail thresholds for LLM-as-a-Judge across Accuracy, Groundedness, and Safety.
- Prompt Engineering Standard. Rules for portable, non-vendor-locked prompts.
- RAG Schema Standard. Metadata format for the RAG corpus.
- Logging and Observability Standard. Mandatory observability layer for every LLM call.
- PII Handling Standard. Gateway-level PII redaction rules.
- Confidence Threshold Standard. Green/yellow/red UI thresholds.
Tier 3. Procedures
Definition. Step-by-step instructions. They answer “How do we do this?”
Approval. Squad Tech Lead with the CoE Steward. Update cadence. As needed.
Representative procedures:
- Runbook: ship a new production model.
- Runbook: roll back a model.
- Runbook: trigger the kill-switch.
- Checklist: pre-release security review.
- Checklist: DPIA for a new AI feature.
Why three tiers
If we collapse them, one of two failure modes shows up. Either we re-approve the whole document every time a runbook line changes and approvals become a bottleneck, or we let runbooks update freely and a procedure quietly mutates a policy we promised to customers. Three tiers let policies stay stable, standards stay current, and procedures stay accurate. The split only holds if a change that would cross a tier boundary, such as a runbook step that relaxes a standard's threshold, is escalated to that tier's approver rather than approved in place.