Your employees are using AI tools. You know this. They know this. But there's no written rule about what's okay and what isn't.

Then someone pastes a client spreadsheet into ChatGPT to "clean it up," and you realize you have no policy that says whether that's allowed.

This happens. The solution isn't a 40-page legal document — it's a clear, short policy that your team can actually read and follow.

---

AI Use Policy

Effective Date: [Insert Date] Business: [Your Business Name] Last Updated: [Insert Date]

Purpose

This policy explains how our team uses AI tools. It exists to protect our business, our clients, and our people.

AI tools are useful. We use them. But we use them thoughtfully, with awareness of what can go wrong.

What AI Tools Are Covered

This policy covers any AI-powered tool used for work purposes, including but not limited to:

• Chatbots (ChatGPT, Claude, Gemini, Copilot)
• AI writing assistants
• AI image or video generators
• AI coding tools
• AI voice or transcription tools
• Any new AI tool we start using

What You Can Do

Allowed — with human review:

• Draft emails, messages, or documents using AI
• Summarize meetings, calls, or long documents
• Generate first drafts of job postings, social media, or marketing content
• Help with research and analysis
• Draft code with proper review (see Code section)

Allowed — with approval:

• Use a new AI tool for the first time (tell your manager)
• Share AI-generated content externally
• Use AI for customer-facing communications

What You Cannot Do

Never do the following:

1. Share customer personal information with AI tools. Names, addresses, phone numbers, Social Security numbers, financial information, health information, or anything that identifies a person — don't paste this into AI tools.

2. Share confidential business information with AI tools without approval. Business strategies, financial data, proprietary processes, internal communications, or anything that isn't public — check first.

3. Use AI-generated content without review. AI makes mistakes. It gets facts wrong. It hallucinates. Never send or publish AI output without reading and approving it first.

4. Make decisions based solely on AI output. AI can inform decisions. It cannot make them. A human must review and approve any consequential action.

5. Use personal accounts for work AI. Use the business accounts provided. If you don't have one, ask.

6. Share your login credentials. Your AI account is yours. Don't share passwords or access with others.

Customer Data and AI

If you work with customer data:

• Assume AI tools are NOT secure for personal information unless your company has explicitly approved that tool and signed a data agreement with the vendor.
• When in doubt, ask before using AI with customer data.
• Report any accidental data sharing immediately.

Code and AI

If you use AI for coding:

• All AI-generated code must be reviewed by a qualified developer before it goes into production.
• AI-generated code must pass our security checks.
• Do not use AI to generate authentication, payment processing, or security-critical code without senior developer approval.

Reporting Problems

If AI gives you wrong information that could affect our business or customers, tell someone.

If you accidentally share information you shouldn't have, tell someone immediately. Quick reporting matters more than perfect behavior.

No one gets in trouble for reporting a mistake. People get in trouble for hiding one.

Questions

Ask your manager or [Designated Contact] if you're unsure about whether something is allowed.

---

Implementation Notes

This policy takes effect on [date]. After that date:

1. Provide copies to all employees
2. Answer questions in a team meeting
3. Post in a shared location (shared drive, team wiki)

Review this policy every six months. AI tools change; this policy should too.

What this policy doesn't cover

This is a practical starting point, not legal advice. If you're in a regulated industry (healthcare, finance, legal, government contracting), you likely need additional compliance documentation. Talk to a lawyer.

What can go wrong without a policy

• Employees share customer data with AI tools, creating liability
• No one knows what AI tools are being used — shadow IT explosion
• AI-generated errors reach customers or partners
• Employee uses personal account, leaves, takes conversation history with them
• Vendor asks about your AI policy in a contract — you don't have one

When to hire help

• Regulated industry: If you're in healthcare (HIPAA), finance, legal, or government contracting, get a lawyer to review this template before you implement it.
• Larger team (25+ employees): A managed IT provider can help deploy this policy, set up appropriate AI tools, and handle training.
• You've already had an incident: Get legal counsel before updating your policy.

---

A policy only works if people read it and follow it. Keep it short. Keep it real. Update it when things change.