AI Acceptable Use Policy: What to Include and a Template to Start

Every company deploying AI tools needs a use policy. Most do not have one. Only 37% of organizations have AI governance policies, which means the majority of businesses are letting employees figure out the rules on their own. That is a risk you can measure in data breaches, compliance violations and wasted resources. Here is how to build an AI acceptable use policy that actually gets followed.

This article is for informational purposes only and does not constitute legal advice. Organizations should consult with qualified legal counsel before implementing any AI policies to ensure compliance with applicable laws and regulations.

Why Do Most AI Policies Fail?

AI policies tend to fail for one of two reasons. They are either too restrictive or too vague.

Too restrictive means employees ignore the policy entirely. They find workarounds, use personal devices or simply pretend the rules do not exist. This creates shadow AI, which is more dangerous than having no policy at all because leadership loses visibility into what tools are being used and what data is being shared.

Too vague means employees interpret the policy however they want. “Use AI responsibly” is not a policy. It is a suggestion that ten different people will read ten different ways. Without specific guardrails, your marketing team might paste client data into ChatGPT while your engineering team builds production features on unapproved platforms.

The goal is a policy that sits in the middle: clear enough to follow, flexible enough to allow productive use of AI tools.

What Should an AI Acceptable Use Policy Include?

A comprehensive AI use policy covers ten core sections. Each one addresses a specific risk area and gives employees concrete guidance. Below is what to include in each section and the most common mistake organizations make.

1. Scope and Applicability

Define who the policy applies to and which tools it covers. This includes full-time employees, contractors, interns and any third parties with access to company systems. Specify whether the policy covers only company-provided AI tools or also personal AI tool usage for work purposes.

Common mistake: Limiting scope to “AI software” without defining what qualifies. Employees may not realize that AI-powered features embedded in tools they already use (like email assistants or code completion) fall under the policy.

2. Approved Tools and Platforms

Maintain an explicit list of sanctioned AI tools with their approved use cases. Include version requirements if relevant and specify whether free tiers or enterprise plans are required. Update this list as new tools are evaluated and approved through your AI services review process.

Common mistake: Publishing a static list and never updating it. AI tools launch weekly. Without a living document and a clear process for requesting new tools, employees will adopt unapproved options on their own.

3. Data Classification and Handling

Specify what data can and cannot be entered into AI tools. Create clear tiers: public data (fine for any tool), internal data (approved tools only with enterprise agreements), confidential data (restricted or prohibited) and regulated data (never without explicit legal review). Reference your existing data classification framework if you have one.

Common mistake: Using blanket prohibitions like “never enter company data into AI tools.” This is unenforceable and drives usage underground. Instead, create specific rules for each data tier so employees know exactly where the lines are.

4. Code and Application Development

Address AI-assisted coding directly. This includes code completion tools, AI pair programmers and what some call “vibe coding,” where developers use AI to generate entire applications or features. Define which repositories and codebases can use AI assistance, require code review for all AI-generated output and set standards for testing AI-produced code before it reaches production.

Common mistake: Treating AI-generated code the same as human-written code in review processes. AI-generated code requires additional scrutiny for security vulnerabilities, license compliance and logic errors that may not be obvious at first glance.

5. Review and Approval Process

Establish when IT, legal or management needs to be involved. Not every AI use case requires approval, but high-risk scenarios should. Define thresholds: routine tasks like email drafting may be pre-approved, while customer-facing AI applications or tools that process sensitive data need formal review. A strategic AI advisory engagement can help you set appropriate thresholds for your organization.

Common mistake: Requiring approval for everything. This creates bottlenecks that slow adoption and encourage workarounds. Focus approval requirements on high-risk use cases and pre-approve low-risk ones.

6. Intellectual Property and Output Ownership

Clarify who owns AI-generated content and code. Address whether AI outputs can be copyrighted, how to handle attribution and what happens when AI tools are trained on proprietary data. This section should align with your existing IP policies and employment agreements.

Common mistake: Ignoring the IP question entirely. The legal landscape around AI-generated content is evolving, but your policy still needs to set internal expectations now. Revisit as case law and regulations develop.

7. Monitoring and Compliance

Describe how the organization will monitor AI tool usage. This could include network monitoring, usage audits, access logs or self-reporting requirements. Be transparent with employees about what is being tracked. The NIST AI Risk Management Framework provides useful guidance on establishing monitoring practices that balance oversight with trust.

Common mistake: Heavy surveillance without transparency. If employees discover they are being monitored without their knowledge, trust erodes and shadow AI usage increases. Be upfront about monitoring practices.

8. Consequences for Violations

Define a clear, proportional consequence framework. First-time minor violations should look different from repeated or severe breaches. Include examples of what constitutes minor, moderate and serious violations so there is no ambiguity. Align consequences with your existing HR disciplinary framework.

Common mistake: Making consequences either too harsh or nonexistent. Termination for a first-time minor mistake discourages reporting. No consequences at all signals the policy is optional. Find the middle ground.

9. Exception Process

Create a formal path for employees to request exceptions to the policy. Some teams may have legitimate needs that the standard policy does not cover. Define who can approve exceptions, what documentation is required and how long exceptions remain valid before they need renewal.

Common mistake: No exception process at all. When there is no way to request an exception, employees either give up on productive use cases or bypass the policy entirely. A clear exception path keeps usage visible and manageable.

10. Review Cadence

Set a quarterly review schedule at minimum. AI tools and capabilities change faster than almost any other technology category. Assign a specific owner or committee responsible for triggering reviews. Major vendor updates, new regulations, security incidents or significant changes in how employees use AI should all prompt an out-of-cycle review.

Common mistake: Creating the policy once and filing it away. An AI use policy that was written 12 months ago is already outdated. Build the review cadence into your governance calendar from day one.

AI Acceptable Use Policy Template

Use this template as a starting point and adapt it to your organization. Each section includes placeholder language you can customize based on your company size, industry and risk tolerance.

Policy Overview

• Policy name: [Company Name] Artificial Intelligence Acceptable Use Policy
• Effective date: [Date]
• Policy owner: [Title/Department]
• Next review date: [Quarterly from effective date]
• Applies to: All employees, contractors, interns and third parties with access to company systems

Approved AI Tools

• Tier 1 (General use, pre-approved): [List tools, e.g., Microsoft Copilot Enterprise, approved ChatGPT Enterprise workspace]
• Tier 2 (Department-specific, manager approval): [List tools, e.g., GitHub Copilot for engineering, Jasper for marketing]
• Tier 3 (Restricted, requires IT/legal review): [List tools or categories that need formal approval]
• Prohibited: [List explicitly banned tools or tool categories]

Data Handling Rules

• Public data: May be used with any approved AI tool
• Internal data: Approved Tier 1 and Tier 2 tools only, with enterprise data agreements in place
• Confidential data: Requires written approval from [data owner/CISO] before use with any AI tool
• Regulated data (PII, PHI, financial): Prohibited from use with AI tools unless a specific, documented exception is granted by [legal/compliance]

AI-Assisted Development

• All AI-generated code must go through standard code review before merging
• AI-generated code must pass existing automated testing and security scanning
• Developers must disclose when code is substantially AI-generated in pull request descriptions
• Proprietary source code must not be pasted into non-enterprise AI tools

Review and Approval Thresholds

• Pre-approved: Internal content drafting, research summarization, email composition using Tier 1 tools
• Manager approval: Customer-facing content, marketing materials, Tier 2 tool usage
• IT/Legal review required: New tool adoption, Tier 3 tools, any use involving confidential or regulated data

IP and Output Ownership

• AI-generated outputs created using company tools and for company purposes are company property
• Employees must not represent AI-generated content as solely their own original work when attribution matters
• Legal review is required before publishing or distributing AI-generated content externally in contexts where IP ownership is material

Monitoring and Enforcement

• The organization monitors AI tool usage through [network logs, access audits, usage reports]
• Employees will be notified of monitoring practices during onboarding and policy training
• Quarterly compliance audits will review usage patterns and flag potential violations

Violation Consequences

• Minor (first occurrence): Verbal warning and mandatory policy refresher training
• Moderate (repeated minor or first-time significant): Written warning, access restrictions and manager notification
• Serious (data breach, regulatory violation): Suspension of AI tool access, formal investigation and disciplinary action up to termination

Exception Requests

• Submit exception requests to [AI governance committee/IT] using [form/system]
• Include: business justification, data involved, risk assessment and proposed safeguards
• Exceptions are valid for [90 days] and must be renewed
• Approved exceptions are logged and reviewed during quarterly policy audits

How Do You Get an AI Policy Adopted?

Writing the policy is the easy part. Getting people to follow it requires a rollout plan. Start with a pilot group, gather feedback and refine before a company-wide launch. Make the policy easy to find, reference it in onboarding and include it in your employee handbook. Schedule brief training sessions that focus on practical examples rather than reading the document aloud.

Most importantly, get buy-in from leadership. When executives visibly follow the policy and reference it in their own AI usage, adoption accelerates. When leadership treats the policy as a suggestion, everyone else will too.

If you are starting from scratch or need help calibrating your policy to your organization’s risk profile, an AI readiness assessment can identify gaps and priorities before you draft a single word.

This article is for informational purposes only and does not constitute legal advice. Organizations should consult with qualified legal counsel before implementing any AI policies to ensure compliance with applicable laws and regulations.