AI Acceptable Use Policy

A starter policy covering approved tools, data classification rules, prohibited uses, code review, vendor management, and incident reporting. Bracketed fields are customisation points.

How to use this template. Copy the markdown into your own documentation system. Replace bracketed fields. Remove sections that do not apply. Iterate after circulation.

AI Acceptable Use Policy

Customise the bracketed fields and remove any sections that do not apply to your organisation. This template assumes a workforce of knowledge workers; adapt for production / operational contexts as needed.

1. Purpose

This policy defines the acceptable use of AI tools and services at [Company]. AI tools raise productivity but also create specific risks: leakage of sensitive data to third parties, unauthorised disclosure, intellectual property exposure, and decisions made on inaccurate or fabricated outputs. This policy gives every employee the practical guidance needed to use AI well.

2. Scope

This policy applies to all employees, contractors, and temporary staff. It covers AI tools accessed through company accounts, personal accounts on company devices, and personal accounts on personal devices when used for company business.

3. Definitions

4. Approved tools

The current list of approved AI vendors is maintained at [link]. Employees should default to approved vendors. Use of an unapproved AI tool for company work requires advance written approval from [Approver role].

5. Data handling rules

5.1 Public data: any public information may be sent to any approved AI tool.

5.2 Internal data: may only be sent to approved AI tools whose contract prohibits training on customer inputs and that provide data retention controls (for example, a configurable retention period and deletion on request).

5.3 Confidential data: may only be sent to approved AI tools that have a signed Data Processing Agreement, are configured for Zero Data Retention, and have been approved for confidential data by [Security].

5.4 Restricted data (PHI, PCI, materially non-public financial information, attorney-client privileged content): may not be sent to AI tools without case-by-case written approval from [Security], regardless of the vendor. Credentials, API keys, and private keys must never be sent to an AI tool; if one is, treat it as compromised, rotate it, and report the event (see section 10).

5.5 Customer data: subject to the same classification as above plus any customer-specific contractual obligations. When in doubt, ask before pasting.

6. Specific prohibited uses

6.1 Using AI to make consequential decisions about employees (hiring, promotion, termination, compensation, performance evaluation) without human review and approval.

6.2 Using AI to generate content represented as original human work where the audience has a reasonable expectation of human authorship (e.g. published research, formal legal opinions).

6.3 Using AI to interact with customers, vendors, or external parties without disclosure that they are interacting with an AI system, where such disclosure is required by law or contractual obligation.

6.4 Using AI for activity that would violate any other company policy (acceptable use, anti-harassment, confidentiality, code of conduct).

7. Use of AI-generated code

7.1 AI-generated code is reviewed under the same standards as human-written code, including security review and testing. The engineer who submits the change, not the tool, is accountable for it.

7.2 AI-generated code that reproduces identifiable third-party source must be reviewed for licence compatibility. Dependencies suggested by an AI tool must be confirmed to exist in the organisation's approved package sources before they are added; tools sometimes suggest package names that do not exist or that belong to an unrelated publisher.

7.3 Production deployment of AI-generated code requires the same approval workflow as any other code change.

8. Disclosure and citation

8.1 When AI assistance materially shapes an output, employees are encouraged to note that internally (for example, in the commit message or the document header). External disclosure is required where regulators or contracts mandate it (for example, the transparency obligations in Article 50 of the EU AI Act and several US state laws on AI in hiring).

9. Vendor management

9.1 New AI vendors must complete an AI Vendor Evaluation before procurement. The current checklist is maintained at [link].

9.2 Existing AI vendor relationships are reviewed quarterly by [Owner].

10. Reporting incidents

If you believe sensitive data was inadvertently sent to an AI tool, or if you observe a colleague using AI in a way that violates this policy, report immediately to [Security contact]. Include which tool and account were used and what data was involved, and do not delete the conversation history before [Security] has reviewed it. Reports made in good faith do not result in disciplinary action against the reporter.

11. Violations

Violations of this policy may result in disciplinary action up to and including termination, in addition to any legal consequences applicable to the underlying conduct.

12. Policy ownership and review

This policy is owned by [Owner] and reviewed at minimum annually. Material updates are communicated to all employees with a 14-day comment window before taking effect.


Last reviewed: [Date]. Next review: [Date].