Every organization needs an AI acceptable use policy. Not because it is a compliance checkbox (though it helps with that too), but because without one, every employee is making their own risk decisions about AI tools. That inconsistency is where problems start.
This guide walks through the key sections of an effective AI acceptable use policy, with example language you can adapt for your organization. The goal is a policy that is clear enough to follow, flexible enough not to obstruct legitimate work, and enforceable with technical controls.
Section 1: Purpose and Scope
Start with why the policy exists and who it applies to. Keep it short. Nobody reads a preamble that runs four paragraphs.
Example language: "This policy establishes guidelines for the use of artificial intelligence tools by [Organization] employees, contractors, and third parties with access to organizational systems or data. It applies to all AI-powered tools including but not limited to large language models, code generation tools, image generators, and AI-enhanced productivity features."
Note the inclusion of contractors and third parties. AI use policies that only cover employees leave a significant gap. Your contractors and vendors are using AI tools too, often with your data.
Section 2: Tool Classification
Define three tiers of AI tools. This gives you a framework for applying different rules to different tools based on risk assessment.
Approved tools have been vetted by IT and security. They have acceptable terms of service, appropriate data handling provisions, and (where required) signed DPAs or BAAs. Employees may use these tools within the guidelines of this policy.
Restricted tools are permitted for specific use cases or specific user groups only. They may have data handling concerns that limit what information can be shared with them.
Prohibited tools are not authorized for any business use. This typically includes AI tools with unacceptable data retention policies, tools from sanctioned entities, or tools that have been assessed and rejected.
Example language: "Employees may use Approved AI tools for business purposes in accordance with this policy. Use of Restricted tools requires written approval from the employee's manager and the IT Security team. Use of Prohibited tools for any business purpose is not authorized."
Section 3: Data Handling Rules
This is the most important section. Map your existing data classification scheme to AI usage rules.
Example language: "The following data types must not be entered into any AI tool, regardless of approval status: Social Security numbers, credit card numbers, passwords or credentials, protected health information, data classified as Confidential or Restricted under the Data Classification Policy, attorney-client privileged communications, and material non-public information."
Be specific about what is prohibited. "Sensitive data" is too vague. Employees need concrete categories they can evaluate in the moment. When someone is about to paste something into ChatGPT, they need to be able to quickly determine whether it falls into a prohibited category.
Section 4: Enforcement Levels
Define how the policy will be enforced. A graduated approach is both more practical and more palatable to the organization:
Monitor: All AI interactions are logged for security review. Users are not interrupted, but activity is recorded and may be audited. This is the baseline for all AI usage.
Example: "All interactions with Approved AI tools are logged and may be reviewed by the security team."
Warn: When potentially sensitive data is detected, the user receives a warning before the data is submitted. They can choose to proceed, modify their input, or cancel.
Example: "When the monitoring system detects potentially sensitive data in an AI prompt, the user will receive a notification identifying the concern. The user may modify their input and proceed."
Block: For the highest-risk data categories, submission is prevented entirely.
Example: "Submissions containing Social Security numbers, credit card numbers, or credentials to any AI tool will be automatically blocked."
Section 5: User Responsibilities
Outline what employees are expected to do:
- Complete AI usage training before using AI tools for business purposes
- Review AI-generated output for accuracy before using it in business communications or decisions
- Report any suspected data exposure through AI tools to the security team
- Not use personal AI accounts for business purposes
- Not attempt to circumvent AI monitoring or policy enforcement controls
Section 6: Compliance and Consequences
State clearly that violations will be addressed through existing disciplinary processes. You do not need new consequences for AI policy violations. Link to your existing acceptable use policy consequences.
Example language: "Violations of this policy will be addressed in accordance with [Organization]'s existing disciplinary procedures as outlined in the Employee Handbook."
Making the Policy Enforceable
A policy document alone changes behavior only marginally. The policies that work are the ones backed by technical enforcement. When your policy says "do not paste SSNs into AI tools," the technical control should detect and block SSN patterns in AI prompts.
Tools like InvestigAItor bridge this gap by translating policy rules into technical enforcement. Your approved/restricted/prohibited tool classifications become allow/warn/block rules. Your data handling rules become sensitive data detection patterns. The policy document and the technical controls reflect the same rules, which eliminates ambiguity and reduces reliance on employee judgment in the moment.
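As an added illustration (not code from this page or from InvestigAItor), here is one way Sections 2 through 4 collapse into a single enforcement decision: the tool tier sets the baseline action, the Section 3 detectors can raise it, the strictest level wins, and every evaluation is logged for the Monitor level. The regexes, the Luhn check, the choice to treat a classification marker as "warn" rather than "block", and the sample prompts are all assumptions constructed for the example.

```python
import re

# Constructed illustration of "policy rules -> technical enforcement"; this is not
# InvestigAItor's rule format, and the detectors are deliberately simple.

# Section 2 tiers -> baseline action (approved/restricted/prohibited -> allow/warn/block).
TIER_ACTION = {"approved": "allow", "restricted": "warn", "prohibited": "block"}
RANK = {"allow": 0, "warn": 1, "block": 2}

# Section 3 categories -> detector, with the Section 4 level each one triggers. SSN, card
# and credential hits block outright; a classification marker only warns (assumed, since a
# pattern cannot tell real Confidential content from the word appearing in passing).
SSN = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")           # 13-19 digits, optional separators
CRED = re.compile(r"(?i)\b(?:password|passwd|api[_-]?key|secret|token)\s*[:=]\s*\S+")
MARK = re.compile(r"(?i)\b(?:confidential|restricted|internal only)\b")

AUDIT_LOG = []  # Monitor level: every evaluation is recorded; the prompt text itself is not stored

def luhn_ok(number):
    """Luhn checksum, so order or ticket numbers that merely look like a card are not blocked."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_sensitive(text):
    """Map a prompt to {category: enforcement_level} for each prohibited category present."""
    found = {}
    if SSN.search(text):
        found["ssn"] = "block"
    if any(luhn_ok(m.group()) for m in CARD.finditer(text)):
        found["credit_card"] = "block"
    if CRED.search(text):
        found["credential"] = "block"
    if MARK.search(text):
        found["classification_marker"] = "warn"
    return found

def evaluate(tool_tier, prompt):
    """Decide allow/warn/block for one prompt: the strictest of tool tier and data findings wins."""
    findings = find_sensitive(prompt)
    action = max([TIER_ACTION[tool_tier], *findings.values()], key=RANK.__getitem__)
    record = {"tier": tool_tier, "action": action, "findings": sorted(findings), "chars": len(prompt)}
    AUDIT_LOG.append(record)  # metadata only, so the log does not itself become a data exposure
    return record
```

A real deployment would add detectors for the remaining Section 3 categories (PHI, privileged communications, material non-public information), which need context rather than a regex.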
Draft your policy, distribute it, train your team on it, and then back it up with technical controls that make compliance the default. That combination is what makes AI governance work in practice.