PolicyForge

How to write an AI acceptable use policy

An AI usage policy defines how staff may use generative AI with company data. Here is what to include — approved tools, data rules, oversight — with a free template.

Why you need an AI policy now

Employees are already pasting company data into ChatGPT and other tools, whether or not you allow it. An AI acceptable use policy sets clear rules so you capture the productivity of generative AI without leaking confidential data, breaching GDPR or shipping unreviewed AI output. It is fast becoming the first thing auditors and customers ask about.

What to include

  1. Scope — which tools and use cases are covered (chatbots, coding assistants, embedded AI features).
  2. Approved tools — a sanctioned list, and how to request additions; default-deny for everything else.
  3. Data rules — what may never be entered into public AI tools (personal data, secrets, source code, client data), and what is acceptable.
  4. Confidentiality and IP — caution on training-data reuse and ownership of generated content.
  5. Human oversight — AI output must be reviewed before use; staff remain accountable for decisions.
  6. Bias, accuracy and transparency — verify facts; disclose AI use where required.
  7. Alignment with ISO 42001 — for organisations building an AI management system.

Common mistakes

  • Banning AI outright, which only drives shadow usage.
  • No data rules, so confidential information flows into public models.
  • Treating AI output as authoritative without human review.

Framework alignment

An AI acceptable use policy complements ISO 27001:2022 Annex A 5.10 (acceptable use) and 8.10–8.12 (data handling), aligns with ISO/IEC 42001 (AI management), and supports GDPR accountability.

Generate it in minutes

See a sample AI acceptable use policy or generate yours free.