Guide

AI use policy template: what to include before you publish

Most companies using AI tools right now have no written policy governing them. If that's you, this page is the fastest way to understand what your policy needs to cover and how to build one that actually holds up.

The problem

The gap between “we use AI tools” and “we have a policy for AI tools” is wider than most IT managers realize — and it closes fast once something goes wrong. An employee pastes customer data into a public LLM. A vendor quietly adds an AI feature to a tool you already approved. Someone builds an internal workflow on a free-tier AI service with no data processing agreement in place. None of these incidents require sophisticated threat actors. They require only the absence of clear rules.

The underlying issue isn’t that people are reckless. It’s that most AI tools entered the workplace through the path of least resistance — a free trial, a browser extension, a product update — before anyone had a chance to set expectations. By the time an IT manager asks “what are we actually using?”, the answer is already complicated. You can read more about the scope of that problem in The AI tools your employees are already using.

Writing a policy doesn’t fix the underlying sprawl, but it does two things immediately: it establishes accountability, and it gives you a defensible record that governance existed. Both matter if you’re ever in front of a regulator, a client’s security review team, or your own legal counsel explaining what happened.

What good enough looks like

A policy doesn’t have to be long to be effective. A two-page document that employees can actually read and understand will outperform a thirty-page framework that lives in a SharePoint folder no one opens. The goal isn’t comprehensiveness for its own sake — it’s coverage of the decisions that actually expose you.

At minimum, a functional AI use policy addresses five areas:

  1. Scope — which tools, systems, and people the policy applies to, and whether it covers only company-issued accounts or also personal accounts used for work purposes.
  2. Roles and ownership — who approves new AI tools, who reviews incidents, and who is accountable when something breaks. Without named roles, enforcement is theoretical.
  3. Approved and prohibited uses — a short, concrete list of what’s allowed (summarizing internal documents, drafting external communications with review) and what isn’t (inputting PII, confidential client data, or regulated information into non-approved tools).
  4. Data handling rules — how employees should classify information before deciding whether it can be used as an AI input, and what to do when they’re unsure.
  5. Incident reporting — a clear, low-friction path for employees to report when something goes wrong or when they suspect a tool is behaving unexpectedly.

That last item is where most first-draft policies fall short. If the reporting path is unclear or intimidating, incidents go unreported until they become problems. Five things your AI use policy is missing goes deeper on the gaps that show up most often in policies we review.

A policy that covers these five areas, written in plain language, reviewed by legal, and communicated to staff is a policy you can stand behind. It won’t be perfect. Iterate from there.

A practical method

Here’s a straightforward sequence for building your first AI use policy without a dedicated compliance team.

1. Inventory what’s already in use.

You can’t govern tools you don’t know about. Before you write a single sentence of policy, spend a week collecting the actual list — approved software with AI features, unsanctioned tools employees are already using, and AI capabilities embedded in existing vendor products. That inventory becomes the foundation for your scope section. Start with How to build an AI tool inventory without enterprise software if you haven’t done this yet.

2. Define your data classification tiers.

AI policy enforcement lives or dies on data classification. If employees don’t have a simple way to categorize information — public, internal, confidential, regulated — they’ll default to their own judgment, which is inconsistent by definition. Two or three tiers with concrete examples is enough to start.

3. Draft the five sections in plain language.

Use the coverage areas above as your section headers. Write each one in the same language you’d use in a staff meeting, not legal boilerplate. A policy your team can read in ten minutes and actually understand is more valuable than one that’s technically complete but practically ignored. How to write an AI use policy that gets followed covers the communication and adoption side of this in detail.

4. Run each approved tool through a basic vendor risk check.

Before you list a tool as approved, you need to know where your data goes, whether the vendor uses it for model training, and what their data retention and deletion practices are. This doesn’t have to be a lengthy process, but it has to happen before the tool is in the policy. AI tool risk assessment: what to ask before you sign gives you the specific questions. If you want a repeatable process for this, How to run a defensible AI vendor risk assessment walks through the full method.

5. Set a review cadence before you publish.

A policy with no review date becomes stale the moment a new tool enters the stack. Add a review date — quarterly is realistic for most SMBs right now given how fast the tool landscape is moving — and name the person responsible for triggering it. That single line turns your policy from a static document into a living control.

Do this week: Pull a list of every SaaS tool your company pays for and flag every one that has launched or announced an AI feature in the past twelve months. That’s your minimum scope for the policy. It takes an afternoon and gives you a concrete starting point.

If you want a system to track policy ownership, log AI-related incidents, and export evidence of your governance posture for client audits or regulatory reviews, that’s exactly what InfoDefenders’ AI Governance Manager is built to do. It’s not a prerequisite for writing your first policy — but once the policy exists, it’s how you prove the policy is being followed.

Ready to see how it fits your environment? Start a free trial and you’ll have a working governance structure in place before your next vendor review.

Go deeper

Related Insights

Practitioner analysis on this topic — start with the hub, then read the deep dives.

Jun 30, 2026 9 min read

How to Write an AI Use Policy That Gets Followed

Most AI use policies collect dust. Here's how to write an AI use policy that's specific, short enough to read, and built into actual workflows.

acceptable use ai compliance AI Governance ai policy template
Read →
Jun 30, 2026 8 min read

How to Run a Defensible AI Vendor Risk Assessment

A practical AI tool risk assessment workflow covering data handling, subprocessors, model training, breach notification, and the evidence auditors actually

AI Governance ai risk management ai tool risk assessment ai vendor risk
Read →
Jun 30, 2026 9 min read

AI Tool Risk Assessment: What to Ask Before You Sign

A practical AI tool risk assessment framework for IT managers: data handling, model training, subprocessors, breach notification, and contract terms to dem

ai compliance AI Governance ai tool risk assessment ai vendor risk
Read →

Browse all Insights →

InfoDefenders

Governance program management in one place

Policy library, control ownership, and evidence exports — connect your AI use policy to incident logging and risk work so auditors see a coherent program.

Start your free 30-day trial See pricing
InfoDefenders governance program dashboard

FAQ

Common questions

Does an AI use policy need to be reviewed by a lawyer before we publish it?
At minimum, have legal counsel review the data handling and prohibited-use sections, since those carry the most liability exposure. A full legal review is ideal, but even a thirty-minute conversation with your company's attorney before publishing is better than none.
Should our AI use policy cover tools employees use on personal devices for work?
Yes, and this is one of the most common scope gaps in first-draft policies. If an employee uses a personal ChatGPT account to process work-related information, that data is outside your control regardless of what device it's on. Your policy needs to address this explicitly.
How often should we update our AI use policy?
Quarterly reviews are realistic for most SMBs right now given how frequently AI features are being added to existing tools and how quickly the regulatory environment is developing. At minimum, trigger a review whenever you add a new AI tool or a significant vendor update changes how your data is handled.
What's the difference between an AI use policy and an AI acceptable use policy?
The terms are often used interchangeably. In practice, an acceptable use policy focuses narrowly on what employees can and can't do, while a broader AI use policy also covers governance roles, vendor approval, data handling, and incident reporting. For most SMBs, a single document that covers all of these is more practical than maintaining separate policies.
We already have an acceptable use policy in our employee handbook. Do we need a separate AI policy?
Almost certainly yes. General AUPs weren't written with AI-specific risks in mind u2014 model training data rights, hallucination liability, AI-generated output review requirements, and vendor data processing terms aren't covered in standard IT use language. You can reference your existing AUP in the AI policy, but the AI-specific content needs to stand on its own.

Ready to govern AI with evidence?

Start a 30-day free trial — no credit card required.

Start your free trial See pricing