97% of organizations with an AI incident lacked AI access controls (IBM, 2025)

63% of organizations have no AI governance policy (IBM, 2025)

78% of people who use AI at work bring their own tools (Microsoft & LinkedIn, 2024)

Rules that name actual tools and actual data categories get followed; abstractions get ignored under deadline.

what an AI acceptable use policy is

An AI acceptable use policy is a short, specific document that tells employees three things: which AI tools are approved for use at work, which categories of data cannot be entered into any external AI tool, and how to get a new AI tool reviewed before using it.

It is operational guidance that a person can read in five minutes and act on, written in plain language rather than legal language, and it works without banning the technology.

A working AI AUP has four components. An approved-tool list that names specific tools with any relevant conditions (enterprise mode required, no personal data, etc.). A data classification section that names the categories of data that cannot go into external AI tools, with examples. A vetting process that tells employees what to do when they want to use a tool that is not on the list. And a brief explanation of why each rule exists, which is what makes people follow it.

why most organizations do not have a working AI policy

AI adoption moved faster than policy processes. A year or two ago, many organizations were still deciding whether AI tools were relevant to their work. By the time that question was answered, significant adoption had already occurred.

Writing a policy after adoption has started is harder than writing one before it. The policy has to account for tools already in use, avoid retroactively prohibiting things people find valuable, and be specific enough to be useful without being so restrictive that it is ignored.

The result is that many organizations have either no policy, or a policy that is too vague to change behavior. Neither is adequate given the data-handling implications of AI tool use at scale.

what happens without a working AI policy

Without a policy, employees make independent decisions about what data is appropriate to share with AI tools. Most of those decisions are made with good intent and no specific guidance. Some will be wrong in ways that have consequences.

Regulatory. GDPR requires a lawful basis for processing personal data, a processor contract (a DPA, Article 28) with any vendor that processes it on the organization's behalf, and additional safeguards for transfers outside the EU/EEA. An employee pasting customer or employee data into a consumer-tier AI tool may be creating a compliance gap the organization cannot easily explain, because none of those three things is in place for that vendor. A working AI policy, combined with an approved-tool list that only includes tools with appropriate DPAs, closes that gap.

Contractual. Client contracts and NDAs often include data handling restrictions. An AI policy that is specific about what constitutes covered information, with examples, reduces the risk of inadvertent breach.

Operational. Without a policy, there is also no framework for reviewing new tools before adoption. Every department makes its own evaluation, or makes none at all. Over time, the organization accumulates AI tool commitments with no central record and no consistent standard.

what works

The policies people actually follow start from an inventory of what is already in use. A policy written blind either bans tools people depend on or misses the real risks; one written against the directory's OAuth grant list and a short usage survey speaks to tools employees recognize from their own day. From there, the approved-tool list works best as a positive statement: the tools people can use, each with its conditions (enterprise mode required, no personal data, internal use only). A list of what is allowed gets read and used in a way a list of prohibitions never does.
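The inventory step above can be started from data the organization already holds. The script below is an added example, not unshadowit's own tooling: it reconciles a flattened OAuth grant export from the identity directory against the approved-tool list. The export rows, the field names (client_id, app, user, scopes), the client_id values and the simplified scope names are all constructed assumptions; a real Google Workspace or Entra ID export uses its own field and scope names, so the loader would need adapting. Two details matter in practice and are reflected here: matching is by OAuth client_id rather than display name, because display names are chosen by the vendor and a consumer-tier client can carry the same name as the approved enterprise one; and unapproved apps are ranked by how many users granted them and which data scopes they hold, which is the order a vetting queue should work through.

```python
"""Reconcile an OAuth grant export against an AI approved-tool list (added example)."""
from collections import defaultdict

# Scopes that hand an app organisational data, as opposed to bare sign-in identity.
# These names are simplified stand-ins for the provider's real scope strings.
SENSITIVE_SCOPES = {"drive.readonly", "drive", "mail.read", "mail.send",
                    "contacts", "calendar", "chat"}

# The approved-tool list as a positive statement, keyed by OAuth client_id.
# Keying by client_id, not display name, is deliberate: names are vendor-chosen
# and a consumer-tier client can reuse the approved tool's name. Values are assumed.
APPROVED = {
    "ent-assist-7f3a": {"name": "Assist Enterprise",
                        "conditions": "enterprise mode only; no personal data"},
    "codehelper-91c2": {"name": "CodeHelper",
                        "conditions": "internal repositories only"},
}

# Constructed directory export: one row per (app, user) grant. Assumed field names.
GRANTS = [
    {"client_id": "ent-assist-7f3a", "app": "Assist Enterprise", "user": "ana@example.com",
     "scopes": ["openid", "email", "drive.readonly"]},
    {"client_id": "ent-assist-7f3a", "app": "Assist Enterprise", "user": "ben@example.com",
     "scopes": ["openid", "email"]},
    # Same display name as the approved tool, different client: a consumer-tier sign-up.
    {"client_id": "assist-free-20b9", "app": "Assist Enterprise", "user": "cam@example.com",
     "scopes": ["openid", "email", "drive", "mail.read"]},
    {"client_id": "summarybot-44e1", "app": "SummaryBot", "user": "ana@example.com",
     "scopes": ["openid", "email", "mail.read", "calendar"]},
    {"client_id": "summarybot-44e1", "app": "SummaryBot", "user": "dee@example.com",
     "scopes": ["openid", "mail.read"]},
    {"client_id": "summarybot-44e1", "app": "SummaryBot", "user": "eli@example.com",
     "scopes": ["openid"]},
    {"client_id": "codehelper-91c2", "app": "CodeHelper", "user": "ben@example.com",
     "scopes": ["openid", "profile"]},
]


def build_inventory(grants, approved=APPROVED, sensitive=SENSITIVE_SCOPES):
    """Group grants by client_id and classify each app against the approved list.

    Returns a dict with three lists of rows:
      'approved'        - apps on the list, with their usage conditions attached
      'unapproved'      - everything else, sorted by user count then by number of
                          sensitive scopes (descending): the vetting queue order
      'name_collisions' - unapproved clients whose display name matches an approved tool
    """
    by_client = defaultdict(lambda: {"users": set(), "scopes": set(), "names": set()})
    for g in grants:
        entry = by_client[g["client_id"]]
        entry["users"].add(g["user"])
        entry["scopes"].update(g["scopes"])
        entry["names"].add(g["app"])

    approved_names = {v["name"] for v in approved.values()}
    result = {"approved": [], "unapproved": [], "name_collisions": []}
    for client_id, entry in by_client.items():
        row = {
            "client_id": client_id,
            "app": sorted(entry["names"])[0],
            "users": len(entry["users"]),
            # Only the data-bearing scopes are worth surfacing; identity scopes are noise.
            "sensitive_scopes": sorted(entry["scopes"] & sensitive),
        }
        if client_id in approved:
            row["conditions"] = approved[client_id]["conditions"]
            result["approved"].append(row)
            continue
        result["unapproved"].append(row)
        if entry["names"] & approved_names:
            result["name_collisions"].append(row)

    result["unapproved"].sort(
        key=lambda r: (r["users"], len(r["sensitive_scopes"])), reverse=True)
    return result


def vetting_queue(inventory):
    """Unapproved apps that hold data scopes: the ones that need review first."""
    return [r["client_id"] for r in inventory["unapproved"] if r["sensitive_scopes"]]


if __name__ == "__main__":
    inv = build_inventory(GRANTS)
    for section in ("approved", "unapproved", "name_collisions"):
        print(section)
        for row in inv[section]:
            print("  ", row)
    print("vetting queue:", vetting_queue(inv))
```

Run on the constructed export, SummaryBot surfaces first (three users, mail and calendar access) and the consumer-tier "Assist Enterprise" client shows up as a name collision, which is exactly the case a display-name check would have missed.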

The data classification carries the most weight, and it only works in plain language. The categories most organizations protect first are personal data under GDPR, NDA-covered material, financial figures before public release, and source code, each illustrated with examples drawn from people's actual work. A rule like "do not share confidential information" changes nothing, because nobody can apply it to the specific thing they are about to paste.

A usable vetting path keeps the list alive. A short checklist settles most cases: does the vendor offer a DPA, are inputs used for model training, is there an enterprise mode, is EU data residency available, and who approves additions to the list. The last piece is tone. A policy sent as guidance, with a sentence explaining why each rule exists (for example, that personal-tier AI tools may use inputs for training, which raises a GDPR question), outperforms the same rules issued bare. People follow guidance they understand.
