The ICRC published its AI policy in November 2024. Eight pages. Grounded in the Fundamental Principles of humanity, impartiality, neutrality and independence. Anchored in the 2024–2027 Institutional Strategy. Peer-reviewed by external experts. Cited by researchers, referenced in governance briefings, and downloaded by humanitarian organisations across the sector. It is, by any measure, a serious and generous piece of work — and the ICRC deserves real credit for publishing it at all, in a sector where many organisations are still deciding whether to acknowledge that their staff are using AI.
And yet, it doesn't tell any ICRC staff member which tools they're allowed to open on Monday morning.
That observation isn't a criticism. The ICRC is explicit about this: "By making this policy public, the ICRC wants to abide by our continuous commitment to be transparent and accountable for our actions." Publishing a values-anchored public statement is exactly the right use of this kind of document. What this article is about is a gap that affects nearly every organisation in the humanitarian, development and peacebuilding space, not because of carelessness, but because nobody has clearly articulated that two very different documents are needed, and that one cannot substitute for the other.
A public AI policy is a statement of commitments, addressed to the outside world. An internal AI governance framework is an operational instruction set, addressed to staff. Both matter. Both are necessary. They just do completely different things — and understanding that distinction is one of the most practical steps an organisation can take right now.

What the ICRC Policy Is Designed to Do
The ICRC policy is transparent about its own scope and limits, which is itself a mark of good governance thinking. The document states directly: "The guidance provided in this document is aspirational and general in nature and cannot address all possible strategic, technical or operational questions." And further: "More detailed policy and operational guidance for specific tools and use cases will be developed by departments as the need arises."
This isn't a gap in the document — it's an honest acknowledgement that a public-facing policy cannot and should not try to govern the day-to-day operational choices of 20,000 staff working across 100 countries. The ICRC knows that more documents are needed. The policy is one of them.
What the policy does exceptionally well is establish the values architecture that should underpin any operational decisions. Its six guiding principles — proportionality, precaution and do-no-harm; safety and security; transparency and explainability; responsibility and accountability; an enabling and learning approach; and competence and capacity building — are sound, sector-appropriate, and aligned with the UNESCO Recommendation on the Ethics of AI, the OECD AI Principles, and the Alan Turing Institute's Understanding Artificial Intelligence Ethics and Safety. These principles are the right foundation. They just aren't, on their own, the complete structure.
What a Governance Framework Does Differently
The public-facing policy and the internal governance framework aren't in competition. They operate at different levels of the organisation, speak to different audiences, and serve genuinely different purposes. The policy builds trust with the outside world. The framework protects staff, beneficiaries and the organisation from the inside.
The ICRC policy itself points toward what a framework must contain. Its responsibility and accountability section states that "competent and qualified staff and organizational entities are appointed and equipped to ensure good governance and effective enforcement and compliance with this policy." That sentence describes what a governance framework does — it just doesn't specify who those staff are, what their mandate covers, or what the enforcement mechanism looks like. The framework is where those specifics live.
In practice, an internal AI governance framework answers the questions that staff actually face in the field: which tools are approved for use, at which data classification level, and for which processes? Who is the named AI focal point when something feels uncertain? What is the escalation pathway if a model produces an output that seems harmful or inaccurate? What counts as a reportable AI incident, and what's the notification timeline? What must a staff member complete before accessing a particular class of tool? What contractual clauses apply when procuring from an AI vendor?
To make this concrete: the ICRC policy describes the principle of data minimisation and references the organisation's Rules on Personal Data Protection. A governance framework translates that into something a staff member can actually apply — for instance: "Microsoft Copilot may be used to draft donor reports and translate operational guidance between English and Arabic. It may not be used to process any data classified as Sensitive, Confidential or Strictly Confidential under the ICRC Data Classification Framework. Staff must not input beneficiary names, case reference numbers, location data, health information, or protection case details into any commercial AI tool not on the approved list."
One of those formulations is something a staff member can act on at the moment of decision. The other provides the values context that makes acting on it meaningful. Both are necessary.
The Three Documents an Organisation Actually Needs
The first is the public AI position statement — the kind of document the ICRC has published. Two to three pages. Anchored in the organisation's principles and values. Written for its stakeholders: in this case donors, partners, affected communities and regulators. Updated every two to three years, or when the regulatory environment shifts substantially. The ICRC's policy is a genuine reference point for producing this document well.
The second is the internal AI governance framework. Typically ten to fifteen pages. Operationally specific. Written for staff, volunteers and contractors. Built around an approved tool register, a process classification matrix, named roles and responsibilities, a protocol for onboarding new tools, an incident response process, a training minimum standard, reference to a prompt management library, and a vendor due-diligence checklist. This document doesn't go on the website. It sits in the internal policy library alongside the data protection policy and safeguarding framework, which is the governance tier it belongs to.
The third is the staff quick-reference card — one page, practical, unambiguous. "Can I use this tool for this task? Yes / No / Escalate." A named contact. A clear escalation route. This is the document most staff will actually reach for when they're uncertain at the end of a long day. It's derived from the internal governance framework, not from the public-facing policy.
The ICRC policy quietly anticipates all three of these. Its governance section notes that "awareness-raising, training and compliance efforts are made to ensure that ICRC staff and users do not input any critical humanitarian information, other confidential and/or strictly confidential information, or any proprietary information protected by intellectual property rights when using external or commercial online AI services." That is, in effect, a training programme and a reference-card requirement, embedded in a principles document. Delivering on it requires the framework and the card to exist.
Why This Matters for Compliance and Accountability
This distinction has practical consequences beyond the organisational. It affects how organisations meet their compliance obligations to donors and regulators, and it is relevant in many jurisdictions.
Under the EU AI Act, Article 4 has required providers and deployers of AI systems to ensure their staff possess "an adequate level of AI literacy" since 2 February 2025. A public AI policy is not evidence of compliance with that obligation. A training programme, documented in a governance framework with completion records and defined minimum standards, is.
Under GDPR Article 35, and its equivalents in the Jordan Personal Data Protection Law (Law 24/2023), the UAE Federal Decree-Law No. 45/2021, and Bahrain's Law No. 30/2018, Data Protection Impact Assessments are required for high-risk processing. A governance framework specifies which AI use cases trigger a DPIA, who commissions it, and who signs it off. A public policy that commits to carrying out "systematic data protection impact assessments" creates the expectation without providing the mechanism.
For organisations working with FCDO, USAID or the European Commission's ECHO directorate, donor expectations around responsible AI use are becoming more explicit in grant frameworks. A public policy communicates intent. When a programme manager asks what specific controls prevent field staff from processing beneficiary data through unapproved tools, the answer has to come from the governance framework: the approved tool register, the data classification rules, the training records.
The ICRC's Neutrality and Independence section identifies a particular procurement risk: AI providers "directly engaged in activities contributing to armed conflict or closely associated with military activities of parties to conflict." Honouring that commitment in practice requires a vendor due-diligence checklist applied at the point of procurement, a tool that lives in the governance framework, not in the principles statement.
The Principle That Runs Through All of This
Looking across these gaps (the approved tool register, the named focal point, the incident escalation pathway, the DPIA trigger criteria, the vendor exclusion process), a single principle connects them. Values without procedures are intentions, not governance.
The ICRC policy is a genuine and generous contribution to humanitarian AI governance thinking. It is principled, sector-specific, and more carefully grounded than comparable documents from organisations many times its size. Its authors are honest that it is aspirational and general in nature. The policy sets the direction. The framework maps the terrain.
Many organisations in the humanitarian and development space are navigating this for the first time, under significant time and resource pressure, in environments where AI is already in use whether or not formal governance exists. Starting with a values document is the right instinct. The next step is the framework that gives those values teeth, not to add bureaucracy, but to protect the people and communities that the work is for.
About QualitaX
QualitaX builds practical AI capability by delivering AI systems, governance frameworks and AI training to organisations worldwide. By integrating policy, technology, and human capability from day one, we help organisations move beyond experimentation to deliver practical, scalable, and ethical AI that drives real impact.