Free template
A free AI policy template your team will actually follow
Most AI acceptable-use policies are either three sentences long or a fifteen-page legal document nobody reads. This one is built to be read, understood, and actually followed. Copy it, fill in the brackets, and use it today.
Why you need one
None of this is hypothetical.
Every one of these happens without a policy in place — not because employees are careless, but because nobody told them where the line is.
An employee pastes client financials into a free chatbot
Someone's trying to save time on a report and drops a spreadsheet of client account balances into ChatGPT's free tier to "summarize it." That data may now be used to train a model your competitors also use. No malice, no policy, no way to undo it.
An AI-drafted contract clause goes out unreviewed
A manager asks AI to draft a liability clause, likes how it sounds, and sends it straight to a client. The clause references the wrong jurisdiction and contradicts a term three pages earlier. Nobody catches it because nobody was supposed to skip the review step — there just wasn't one written down.
Two departments buy overlapping AI tools
Sales signs up for one AI writing tool. Marketing signs up for a different one with the same feature, on a different card, with no idea the other exists. Six months later you're paying for three subscriptions that do the same thing, with data scattered across all of them.
The template
Copy it. Edit the brackets. Done.
AI ACCEPTABLE USE POLICY [Company Name] Last reviewed: [Month, Year] 1. PURPOSE & SCOPE This policy sets the rules for how employees, contractors, and temporary staff at [Company Name] may use artificial intelligence tools (chatbots, writing assistants, image generators, coding assistants, and similar) in the course of their work. It applies to any AI tool used on company devices, company accounts, or on personal devices when doing work for [Company Name]. The goal is simple: let your team use AI to work faster, without putting client data, contracts, or the company's reputation at risk. 2. APPROVED TOOLS Only the following AI tools are approved for business use: - [Tool 1 — e.g., ChatGPT Business/Enterprise] - [Tool 2 — e.g., Microsoft Copilot] - [Tool 3 — e.g., Claude for Work] Free, consumer-tier versions of these tools (the kind anyone can sign up for with a personal email) are not approved for business use, because they may use your inputs to train future models. New tools must go through the approval process in Section 6 before anyone uses them for company work. If you're already using a tool that isn't on this list, tell [IT/Ops Contact] — you won't be in trouble, but we need to know. 3. PROHIBITED DATA Never enter the following into any AI tool, approved or not, unless that specific tool has been explicitly cleared for it in writing by [IT/Ops Contact]: - Client personally identifiable information (names tied to account numbers, SSNs, medical information, etc.) - Financial data — client account balances, internal financials, payroll, or banking details - Passwords, API keys, credentials, or access tokens of any kind - Anything covered by a signed NDA or confidentiality agreement - Unreleased company plans (pricing changes, layoffs, acquisitions, etc.) When in doubt, don't paste it in. Ask [IT/Ops Contact] first. 4. HUMAN REVIEW OF OUTBOUND WORK PRODUCT AI can draft it. A person must check it before it goes out. Specifically: - Any AI-drafted content sent to a client, vendor, or the public (emails, proposals, contracts, reports, marketing copy) must be reviewed and approved by a qualified human before it's sent. - Contracts or legal language drafted or edited with AI must be reviewed by [Legal Contact / outside counsel] before signing or sending. - Numbers, dates, names, and citations produced by AI must be independently verified — AI tools can state incorrect information confidently and without warning. Nobody should treat "the AI wrote it" as a reason to skip review. It's the opposite: AI output gets the same scrutiny as a first draft from a new hire. 5. DISCLOSURE Be straightforward about AI use: - If a client or partner asks whether AI was used on their work, answer honestly. - Internal documents that are substantially AI-generated (reports, first drafts, research summaries) should note that at the top, so reviewers know to check it carefully. - This policy does not require disclosing routine use of AI for internal productivity (e.g., drafting an internal email, summarizing notes). 6. PROCUREMENT & NEW TOOL APPROVAL Before signing up for or paying for any new AI tool for business use: - Submit the tool name and intended use to [IT/Ops Contact]. - [IT/Ops Contact] confirms the tool's data-handling terms are acceptable and checks whether an existing approved tool already covers the need. - Approved tools are added to Section 2 and communicated to the team. This prevents the business from paying for three tools that do the same thing, and keeps company data off of platforms nobody vetted. 7. INCIDENT REPORTING If you accidentally enter prohibited data into an AI tool, send something AI-drafted without review, or discover someone else did — report it to [IT/Ops Contact] immediately. There is no penalty for reporting a mistake quickly; there may be consequences for hiding one. Fast reporting is what lets us contain a problem before it becomes a bigger one. 8. REVIEW CADENCE This policy is reviewed at minimum every [6 months], and immediately after: approving a new AI tool, signing a client contract with new confidentiality terms, or any reported incident. [IT/Ops Contact] owns keeping this document current. Questions about this policy go to [IT/Ops Contact].
How to roll it out
Three steps, not a project.
01
Fill in the brackets
Swap the placeholders for your actual approved tools, your IT or ops contact, and your review cadence. Fifteen minutes, not a project.
02
Walk it through with your team
Don't just email a PDF. Spend ten minutes in a team meeting on what's allowed, what's not, and why — especially the client data rules. Policies people understand get followed; policies people skim get ignored.
03
Put it where people will actually see it
Onboarding packet, employee handbook, wherever your team already looks for policies. Revisit it when you approve a new tool or after any incident, not just once a year.
One honest note: this template is a strong starting point, not a finished legal document. Have an employment attorney review the final version before you make it official, especially if your industry has its own confidentiality or compliance rules on top of this.
FAQ
Questions we hear a lot.
Is this template legally binding?
A policy your employees acknowledge and follow can absolutely carry weight — but this template is a starting point, not legal advice. Have an employment attorney review the final version before you roll it out, especially if you're in a regulated industry or plan to make it a condition of employment.
What tools should we actually approve?
That depends on what your team needs and what data they'll touch. As a starting point: paid business-tier accounts (not free consumer tiers) from vendors with clear data-handling terms, reviewed by whoever owns IT or security decisions. If you're not sure where to start, our AI consulting engagements include vendor and tool selection.
How often should we update the policy?
Review it at least twice a year, and any time you approve a new AI tool, sign a new client contract with confidentiality terms, or have an incident. AI tools and their data policies change faster than most company handbooks — treat this as a living document, not a one-time form.
What if employees are already using AI tools we don't know about?
Assume they are. Most "shadow AI" use isn't malicious — it's someone trying to get work done faster with whatever's free and available. Ask directly in a team meeting rather than framing it as a crackdown, then use what you learn to decide which tools to formally approve. Punishing people for using AI in secret just pushes it further underground.
We write and roll out AI policies for a living.
Writing and rolling out AI governance — policies, tool approval processes, and training — is part of our AI consulting engagements. The free assessment tells you what your business actually needs before you spend anything.