An AI acceptable use policy sets out which AI tools staff and consultants may use, for what purposes, and with what data. Most organisations now need one, because staff are already using AI tools informally, whether or not there is a policy in place. This piece looks at what the policy should cover, and why “we haven’t had a problem yet” is not the same as “we don’t need one.”
Why does an organisation need an AI acceptable use policy?
Generative AI tools are free, fast, and easy to access. Staff are already using them – to draft emails, summarise documents, research topics, or generate content – whether or not the organisation has sanctioned it. This is often called shadow AI: tool use that sits outside any formal record or oversight.
The risk is not that staff are using AI. It is that they are doing so without knowing what happens to the data they put into it, whether the output can be relied upon, or whether their use complies with client contracts, professional obligations, or data protection law. A policy closes that gap by giving staff clear, practical boundaries.
What should an AI acceptable use policy cover?
A working policy typically addresses:
- Approved tools – which AI platforms staff may use, and which require sign-off before use
- Permitted purposes – what kinds of tasks AI may be used for, and which are off-limits
- Data boundaries – what data may never be entered into a public or third-party AI tool (client confidential information, personal data, commercially sensitive material)
- Output verification – a requirement that AI-generated content is checked by a human before it is relied upon or sent externally
- Attribution and transparency – whether and how AI use needs to be disclosed to clients or third parties
- Escalation – who to tell if an AI tool produces something wrong, biased, or potentially harmful
Does the policy need to be different for different roles?
Often, yes. A blanket policy tends to be either too restrictive for some teams or too loose for others. A finance team handling sensitive commercial data needs tighter data boundaries than a marketing team drafting social content. Some organisations set a baseline policy for all staff, with additional restrictions layered on for specific roles or departments that handle higher-risk data.
How does this fit into wider AI governance?
An acceptable use policy is usually the first document an organisation puts in place, because it is the most immediate control – but it works best alongside a system register (recording which tools are actually in use) and a sign-off process for any new tool before it goes into regular use. Together, these form the practical core of an AI governance framework.
If you need help drafting or reviewing an AI acceptable use policy, see our AI Governance advisory services.