
AI Usage Policy Template for Your Business (2026)


Every business using AI needs a written policy. Without one, employees make their own decisions about what data to put into ChatGPT — and those decisions aren’t always good ones.

Here’s a complete template you can customize for your organization. It covers what most businesses need without being 50 pages of legalese.

How to Use This Template

  1. Copy the policy below
  2. Replace everything in [brackets] with your specifics
  3. Have your legal team review it
  4. Distribute to all employees
  5. Review and update quarterly

[Company Name] AI Usage Policy

Effective date: [date]
Last updated: [date]
Applies to: All employees, contractors, and vendors with access to company systems
Policy owner: [name/title]
Next review date: [date — set quarterly]

1. Purpose

This policy establishes guidelines for using artificial intelligence tools at [company name]. AI can significantly improve productivity, but improper use creates risks to client confidentiality, data privacy, regulatory compliance, and competitive advantage.

2. Approved AI Tools

Approved for General Use (non-sensitive data only)

  • [ChatGPT (free or Plus)]
  • [Claude (free or Pro)]
  • [Google Gemini]
  • [List any other approved tools]

Approved for Sensitive Data

  • [Company’s local AI system — describe setup]
  • [Enterprise AI tool with BAA/DPA — if applicable]

Not Approved

  • Any AI tool not listed above
  • AI features in personal apps (Siri, Google Assistant) for work data
  • AI browser extensions that process page content
  • Any tool that requires uploading company files to a third-party server without approval

Employees who want to use a tool not on this list must request approval from [approver name/role].

3. Data Classification for AI Use

Never Put Into Cloud AI (ChatGPT, Claude, Gemini)

  • Client/customer personal information (names + financial data, health data, SSNs)
  • Employee personal data (salaries, performance reviews, disciplinary records)
  • Trade secrets and proprietary algorithms
  • Legal documents containing client-privileged information
  • Unannounced financial results or projections
  • Passwords, API keys, or access credentials
  • Any data subject to NDA or contractual confidentiality

Acceptable for Cloud AI

  • Generic writing tasks (emails without sensitive details, marketing copy)
  • Public information (published content, general knowledge questions)
  • Brainstorming and ideation (without referencing specific clients or deals)
  • Code that doesn’t contain proprietary business logic or credentials
  • Learning and research on general topics

Use Local AI For

  • Any task involving data from the “Never” category above
  • Bulk processing of business data
  • Any task where you’re unsure about data sensitivity

When in doubt, use local AI or ask your manager.

4. Required Practices

All employees using AI tools must:

  1. Review all AI output before using it. AI makes mistakes, hallucinates facts, and can produce biased content. You are responsible for the accuracy of anything you submit, send, or publish — regardless of whether AI helped create it.

  2. Never present AI output as original human work without disclosure, where disclosure is required by policy, contract, or regulation.

  3. Remove sensitive data before prompting. If you need AI help with a document containing client names, replace them with placeholders first: “[Client A]” instead of the actual name.

  4. Don’t rely on AI for critical decisions. AI is a drafting and analysis tool, not a decision-maker. Legal opinions, medical advice, financial recommendations, and hiring decisions require human judgment.

  5. Report any data incidents. If you accidentally put sensitive data into a cloud AI tool, report it to [contact] immediately. Early reporting allows us to assess and mitigate risk.

5. Profession-Specific Rules

[For Law Firms]

  • All client-related AI use must be on the local AI system
  • AI-generated legal content must be reviewed by a licensed attorney before use
  • AI cannot be used for legal advice to clients without attorney review
  • Cite-checking is mandatory — AI hallucinates legal citations

[For Healthcare]

  • No patient data (PHI) in any cloud AI tool, regardless of tier
  • AI-assisted clinical documentation must be reviewed by a licensed provider
  • Local AI only for any task involving patient information

[For Financial Services]

  • No client financial data in cloud AI tools
  • AI-generated financial projections must be verified manually
  • Compliance team must approve any new AI workflow involving regulated data

[For Education]

  • Student data (FERPA-protected) must only be used with the school’s local AI system
  • AI tools used by students must be approved by administration
  • Teachers must review AI-generated content before distributing to students

[For HR]

  • Employee personal data must only be processed on local AI
  • AI-assisted hiring decisions must be reviewed for bias
  • Performance reviews drafted with AI must be personalized and reviewed by the manager

[Delete sections that don’t apply to your organization]

6. Intellectual Property

  • AI-generated content created during work using company resources is company property
  • Employees should not input proprietary company content into AI tools that may use it for training (check the tool’s terms of service)
  • When using AI for creative work, be aware that AI-generated content may have limited copyright protection

7. Compliance

This policy supports compliance with:

  • [GDPR — if you handle EU data]
  • [HIPAA — if you handle health data]
  • [FERPA — if you handle student data]
  • [SOC 2 — if applicable]
  • [Industry-specific regulations]
  • [Client contractual obligations]

Violations of this policy may result in disciplinary action, up to and including termination, depending on the severity and nature of the violation.

8. Training

All employees must complete AI usage training within [30 days] of this policy’s effective date or their start date, whichever is later. Training covers:

  • How to use approved AI tools
  • Data classification and handling
  • When to use local vs. cloud AI
  • How to review AI output for accuracy
  • How to report incidents

9. Policy Review

This policy will be reviewed and updated [quarterly / semi-annually] by [policy owner] to reflect changes in AI technology, regulations, and company needs.


Customization Guide

Small Business (Under 20 Employees)

  • Simplify sections 5 and 7 — you probably don’t need profession-specific rules or extensive compliance references
  • Focus on sections 3 (data classification) and 4 (required practices) — these are the most important
  • The whole policy should fit on 2 pages

Mid-Size Business (20-200 Employees)

  • Use the full template
  • Add department-specific rules in section 5
  • Assign a specific person as policy owner
  • Include the policy in onboarding

Enterprise (200+ Employees)

  • Expand section 7 with specific regulatory requirements
  • Add an AI governance committee
  • Include vendor assessment requirements for new AI tools
  • Add audit and monitoring procedures
  • Consider separate policies for different departments

Setting Up Local AI

If your policy references local AI (and it should), here’s how to set it up:

Profession-specific local AI guides: Lawyers · Accountants · HR · Sales · Marketers · Realtors · Schools

๐Ÿ› ๏ธ Try it yourself: Email Rewriter or Prompt Improver โ€” free, no signup needed.