An AI acceptable use policy is one of the higher-leverage governance documents most SMBs don't have yet. With employees already using ChatGPT, Claude, Gemini, and other AI tools regardless of formal policy, the absence of an explicit acceptable use policy means decisions are being made by individual employees without guidance. A good AI AUP isn't about banning AI use — it's about making the productive uses safe and the unsafe uses explicit. Here's a practical template.
What a Useful AI AUP Covers
Effective AI acceptable use policies address several dimensions:
- Which AI tools are approved for which purposes
- What categories of data can and cannot be input to AI tools
- How AI-generated output must be reviewed before use
- Attribution and disclosure requirements
- Prohibited use cases
- Reporting obligations for AI mistakes or concerns
- Consequences for policy violations
The policy should be specific enough to guide actual behavior but not so restrictive that it drives employees back to shadow AI.
The Template Sections
Here's a structure that works for most SMBs:
Section 1 — Scope and Purpose. Define which employees and contractors the policy applies to, what "AI tools" includes, and why the policy exists. Don't bury the why — employees follow policies they understand the reasoning behind.
Section 2 — Sanctioned AI Tools. Specifically list which AI tools are approved for what use. Microsoft Copilot for productivity work, ChatGPT Enterprise for general assistance, internal AI gateway for engineering, etc. Tools not on the sanctioned list aren't approved without explicit exception.
Section 3 — Data Handling Restrictions. Specifically define what categories of data can and cannot be input to AI tools:
- Public information: usually fine
- Internal non-sensitive: typically fine for sanctioned tools
- Customer information: sanctioned tools only with appropriate handling agreements
- Sensitive personal data (PHI, financial, etc.): only specific sanctioned tools with explicit approval
- Regulated data (PCI, CUI, etc.): typically prohibited from any AI tool
- Trade secrets and IP: prohibited from any AI tool without specific approval
- Credentials, tokens, keys: never input to any AI tool
Section 4 — Output Review and Verification. AI output must be reviewed before any external use. The specific obligations:
- Factual claims must be verified before relying on them
- Citations and references must be checked for accuracy
- Code generated by AI must be reviewed for security and correctness before deployment
- Client deliverables incorporating AI output remain the employee's professional responsibility
Section 5 — Attribution and Disclosure. When AI is used in work product:
- For internal work: no specific disclosure required
- For client deliverables: disclose AI use per client contract terms
- For published content: disclose per publication guidelines
- For academic or regulatory submissions: disclose per applicable rules
- Never present AI output as exclusively human work in contexts where that distinction matters
Section 6 — Prohibited Uses. Specifically prohibit AI use for:
- Decisions about employment (hiring, firing, performance evaluation)
- Credit, lending, or insurance decisions without compliant frameworks
- Legal advice or regulated professional services
- Generating content intended to mislead
- Impersonation of specific individuals
- Bypassing security controls or company policies
- Any use that violates third-party terms of service
Section 7 — Reporting Obligations. Employees must report:
- Suspected AI tool security incidents
- AI output that, once acted on, produced a business impact
- Discovery of sensitive data inadvertently shared with AI tools
- Concerns about colleagues' AI use that may violate policy
Section 8 — Enforcement and Consequences. Policy violations are subject to disciplinary action under existing HR processes, with explicit attention to:
- Honest mistakes treated as learning opportunities
- Deliberate violations subject to more significant consequences
- Repeated negligent violations escalating in consequence
- Serious data exposure violations potentially terminable
The Communication Layer
A policy that exists but isn't communicated produces little behavior change. Practical communication:
- Initial rollout includes a training session, not just an email
- FAQ document anticipating common questions
- Periodic reminders as AI tools and use patterns evolve
- Integration into new-hire onboarding
- Regular updates as the AI landscape changes
The Living Document Approach
AI tools and use patterns are evolving fast, and the policy needs to evolve with them. Recommended cadence: review annually, update whenever the sanctioned tool list changes substantially, and communicate each update clearly. Treat the policy as a living document rather than a one-time exercise.
If you'd like help drafting or refining an AI acceptable use policy for your business, a free 30-minute conversation can scope what fits your specific environment.
Leonidas is a managed IT services provider, cybersecurity consulting firm, and unified communications consultancy serving businesses across industries. We offer free 30-minute assessments. Contact us or call 850-614-9343.