The "use common sense" policy is basically no policy, and it tends to get companies into trouble exactly when they need documentation most — during a SOC2 audit or an incident investigation. The specific gap I see most often isn't engineers using AI wrong, it's that there's no way to reconstruct what data went to which model when, so if a customer asks "did my PII go to OpenAI?" you're stuck guessing.

The AI Act angle is trickier than SOC2 because it depends heavily on what the AI is actually doing. Are engineers using it for internal tooling or in anything customer-facing that influences a decision? Most teams I've talked to genuinely don't know where their usage falls on that spectrum, and that uncertainty is exactly what auditors poke at.

What's the split in your context between AI for internal dev productivity vs. AI that touches actual product or customer workflows? That changes what "compliance" even means here.