How to Draft an AI Governance Policy for Nigerian Organisations

The nine sections an AI governance policy must contain, how it aligns to the NDPA 2023 and NDPC expectations, and the implementation sequence to turn the policy from a filing-cabinet artefact into a working control.

28 Jun 2026 · 11 min read · Outliers Editorial Desk

Artificial intelligence has moved, in less than three years, from a topic Nigerian boards discussed in the abstract to a technology Nigerian businesses are deploying in production — for customer service, credit decisioning, fraud detection, content generation, document processing and internal productivity. The deployment has, in most cases, run ahead of the governance. The result is exposure that the board often does not see until something fails: a regulator query under the NDPA 2023, a customer complaint about an automated decision, a leak of confidential data into a public model, or a reputational incident triggered by AI-generated output.

An AI governance policy is the document that closes the gap between deployment and oversight. This is a practical guide to drafting one for a Nigerian organisation — what it must contain, where Nigerian law constrains the choices, and how to make the policy a working instrument rather than a filing-cabinet artefact.

Why this policy, why now

Three forces make an AI governance policy a current obligation, not a future one.

First, the Nigeria Data Protection Act (NDPA) 2023 and the NDPC General Application and Implementation Directive together create enforceable obligations around automated decision-making, data-subject rights and the processing of personal data. AI systems that touch customer data — and most do — fall inside that perimeter. Regulators expect to see governance, not just deployment.

Second, sector regulators are moving. The CBN's expectations of risk management for technology, the SEC's interest in algorithmic trading and the NCC's posture on AI-enabled services all imply that boards will be asked, in regulator interviews, how they govern AI use in their organisation.

Third, the practical risks are real. Confidential information has been leaked into public AI tools by well-meaning employees. AI-generated outputs have been used in customer-facing communication without review. Vendor contracts have included AI clauses that few legal teams have noticed. A policy is the instrument that addresses each of these.

The architecture of an AI governance policy

A workable policy contains nine sections. Each is short — the policy is not a strategy document; it is a control document.

1. Purpose and scope

State why the policy exists, what AI means in the policy (a workable definition includes machine learning systems, large language models and any system that produces outputs from learned patterns rather than explicit rules), and to whom and to what the policy applies. Include third-party AI used through cloud services, embedded AI in software the organisation already licenses, and any AI developed in-house.

2. Principles

A short set of principles the organisation commits to. Most Nigerian organisations will land on: lawful and proportionate use, human oversight of consequential decisions, fairness and non-discrimination, transparency to affected individuals, data protection and confidentiality, and accountability through documentation. Principles matter less for their content than for the discipline they impose on the sections that follow — every later section should be traceable to one or more principles.

3. Permitted, restricted and prohibited use

The most useful section of the policy. State explicitly the categories of use that are permitted (for example, internal productivity tools approved by IT, summarisation of non-confidential text), restricted (for example, processing of customer personal data, generation of customer-facing content, automated decision-making affecting customers) and prohibited (for example, entering personal data, financial information, trade secrets or unpublished financial results into public AI tools; using AI to generate identity documents or signatures; using AI to make final decisions in disciplinary or credit-denial matters without human review).

Restricted uses require an approval workflow — typically the data protection officer plus the function head, with escalation to the executive committee for high-risk cases. Prohibited uses are prohibited; the policy should make that unambiguous.

4. Approved tools and procurement

List the AI tools the organisation has approved for use, the conditions on each, and the process by which new tools are added. The IT function should own this list and review it quarterly. The policy should require that any AI procurement — whether a dedicated AI vendor or AI features in existing software — goes through a defined assessment: data flows, training data, retention, model location, vendor security posture, and contractual protections.

5. Data protection and NDPA alignment

The section the NDPC will want to see. State that all AI use involving personal data must be assessed against the NDPA — lawful basis, purpose limitation, data minimisation, accuracy, storage limitation, integrity and accountability. Require a Data Protection Impact Assessment (DPIA) for any AI processing likely to result in a high risk to data subjects (the NDPA threshold). Address cross-border data transfer where the AI tool processes data outside Nigeria. Address the data subject's rights, including the right not to be subject to automated decision-making with legal or similarly significant effects.

6. Human oversight and accountability

For each category of AI use that affects decisions about customers, employees or counterparties, require a defined human oversight model — who reviews, when, with what authority to overturn the AI output. The policy should be clear that the accountable human is the function head, not the system. AI outputs that are used unmodified are still the organisation's outputs.

7. Transparency and disclosure

State the circumstances in which the organisation will disclose, to customers or other affected parties, that AI was involved in a decision or communication. The NDPA requires disclosure for automated decision-making with significant effects; many organisations choose to go further for trust reasons.

8. Training and culture

Require all staff who use approved AI tools to complete a short training module — the policy itself, the permitted-restricted-prohibited categories, and the practical do-not list. Repeat annually. New joiners complete it during onboarding.

9. Incident response and review

State how AI incidents are reported — data leakage into a model, an inappropriate output published, a regulator query, a customer complaint — and who investigates. The policy should be reviewed at least annually by the body that owns it, and re-approved by the board or executive committee.

Who owns the policy

In most Nigerian organisations, the AI governance policy should be co-owned by the Chief Information Officer (or head of technology), the Data Protection Officer and the Chief Risk Officer or General Counsel, with day-to-day ownership assigned to one named individual among them. The board approves the policy on first adoption and on any material amendment; the audit committee or risk committee monitors compliance through quarterly reporting.

A short implementation sequence

Adoption is the easy part. The work is in implementation. We use the following sequence with advisory clients.

Weeks 1–2: discover. Survey, with the heads of function, what AI tools are already in use, official and unofficial. The list is almost always longer than the executive expects.

Weeks 3–4: draft. Draft the policy. Run it past the DPO, CIO, CRO and a small group of practitioners who will have to live with it. A policy drafted only by legal rarely survives contact with the operating teams.

Week 5: approve. Board or executive approval. Communicate the policy to the whole organisation. Publish the permitted-restricted-prohibited table prominently.

Weeks 6–8: enable. Stand up the approved tools list, the DPIA process for AI, the procurement assessment and the training module. The policy is only as strong as the operational scaffolding around it.

Quarterly: review. Compliance reporting to the executive committee, with escalation to the board where issues warrant.

Common drafting traps

Policies that prohibit all AI use are unenforceable and are pushed underground within weeks. Policies that permit everything provide no control. Policies that delegate AI governance to IT alone miss the data protection, risk and legal dimensions. Policies drafted from international templates that do not engage with the NDPA leave the most important Nigerian risk uncontrolled. Policies that are not retired and replaced as the technology evolves become a justification for doing nothing.

How Outliers can help

The Outliers Data & AI Centre publishes a working AI Governance Policy designed for Nigerian organisations and aligned to the NDPA 2023, NDPC guidance and the operating realities of mid-market and listed Nigerian businesses. It is the starting point our advisory clients use to draft the policy that fits their own organisation.

If you are preparing to adopt or refresh AI governance, the Data & AI Centre is the right place to start. The full Data & AI resources library hosts the policies, assessments and frameworks Nigerian organisations need, and the AI Governance Policy itself is the document to download and adapt first.

Most AI risk is not exotic. It is the everyday risk of people doing sensible things with powerful tools in the absence of a clear policy. The policy is the cheapest control the organisation can put in place — and the one regulators will look for first.
