Skip to main content
IT KORR
IT KORRKeeping Organizations Reliable & Resilient
Knowledge Center

AI Acceptable Use Policies: What Actually Needs to Be in One

What a real AI acceptable use policy needs to cover, why a general IT acceptable use policy doesn't address AI-specific risk, and how to roll out a policy employees actually follow.

7 min read

Most organizations already have an acceptable use policy governing how employees use company systems. Very few have a policy that tells an employee whether it's acceptable to paste a customer's contact information into a public chatbot to help draft a follow-up email. That gap is exactly what an AI acceptable use policy needs to close — not restate general IT rules with the word "AI" inserted, but give employees an explicit, specific answer to the AI-shaped decisions they're already making. This article covers what a real AI acceptable use policy needs to cover, why a generic policy doesn't get the job done, and how to roll one out so it's actually followed.

What an AI acceptable use policy actually needs to cover

A policy that only says "use AI responsibly" gives an employee nothing to act on in the moment they're deciding whether to paste something into a prompt box. A usable policy needs to answer specific, foreseeable questions directly.

Permitted uses. A concrete list of the AI use cases the organization has evaluated and approved — drafting internal communications, summarizing publicly available documents, generating first-draft code, and similar low-risk, high-value tasks. Naming what's allowed, not just what isn't, gives employees a safe default to work from instead of guessing.

Prohibited uses, tied to data sensitivity. This is the section that does the most work, and the one most policies get wrong by being vague. It needs to state explicitly which categories of data may never be submitted to which categories of AI tool — not left to individual judgment.

Example data sensitivity tiers and AI tool boundaries
Data tierExamplePublic/consumer AI toolsApproved enterprise AI tools
RestrictedProtected health information, payment card data, Social Security numbersNever permittedOnly if contractually covered and explicitly approved
ConfidentialCustomer contracts, financial statements, unreleased business plansNever permittedPermitted with defined use case and approval
InternalInternal process documentation, non-sensitive employee communicationsDiscouraged, case by casePermitted
PublicPublished marketing content, public web pagesPermittedPermitted

Disclosure requirements. When AI has materially contributed to a work product — a client deliverable, a report, a piece of code shipped to production — the policy should state whether and how that needs to be disclosed, both internally and, where relevant, to the client or end user. Silence on this leaves employees guessing whether AI-assisted work needs to be flagged at all.

Human review requirements for high-stakes decisions. Any decision with real consequence for a person or the business — a hiring recommendation, a clinical or financial determination, contract language, code shipping to production — needs a defined human review step before AI-generated output is acted on. The policy should say which categories of decision require this and who is responsible for the review, not leave it assumed.

Consequences of violation. Like any policy with teeth, it needs a stated consequence for violating it, proportionate to the sensitivity of what was exposed and whether the violation was inadvertent or a deliberate workaround of a known restriction.

High-Risk AI UseRequires governance committee review and a formal risk assessment before approvalMedium-Risk AI UseRequires manager or IT approval before useLow-Risk AI UseSelf-service — pre-approved tools, no review needed↑ Increasing risk & scrutiny
Governance rigor is proportional to risk, not uniform — low-risk, pre-approved AI use stays self-service, while high-risk use requires formal committee review before it ever reaches production.

Why a general IT acceptable use policy isn't enough

A typical IT acceptable use policy tells an employee not to misuse company systems, not to share credentials, and not to install unauthorized software. None of that tells the employee whether pasting a customer's data into a public chatbot to draft a response is acceptable — it's a genuinely new question that a policy written before AI tools existed simply never anticipated.

The gap isn't that general policy is wrong; it's that it was built around a threat model where data moves between systems the organization controls or has a contract with. A prompt submitted to a public AI tool is a new kind of data flow, and an employee acting in good faith, with no AI-specific guidance, has no reliable way to infer the right answer from a policy that never mentions it. Leaving that gap unaddressed doesn't prevent the behavior — it just means the first time the organization finds out is after something sensitive has already left its control.

Inferred Rules Don't Hold Up

An employee guessing at what's acceptable, in good faith, based on a general IT policy that predates AI tools, is not the same as having an actual AI policy. If the answer to a real, foreseeable scenario isn't spelled out, the organization doesn't have policy coverage for it — it has an assumption that hasn't been tested yet.

Rolling out a policy that's actually followed

A policy's value is entirely dependent on whether employees actually read, understand, and apply it — and most AI policies fail on exactly that, not because the content is wrong but because of how they're delivered.

Keep it short and specific. A long, legalistic document modeled on a generic template signals to employees that it isn't meant to be read, and it usually isn't. A policy an employee can read in a few minutes, written in plain language, is far more likely to actually inform behavior.

Ground it in real examples from the organization's own work. Abstract prohibitions ("do not submit sensitive data to AI tools") are easy to skim past. A concrete example relevant to the organization's actual work — "do not paste a client's financial statements into a public chatbot to summarize them, even for an internal task" — is far more likely to be remembered at the moment it matters.

Treat it as a living document. New AI tools and capabilities appear quickly, and a policy written once and never revisited falls out of date fast — sometimes within months. Building in a scheduled review, not just an ad hoc one triggered by an incident, keeps the policy aligned with how AI is actually being used.

Pair the policy with training, not just distribution. A policy sent by email and never discussed again tends to be forgotten. Short, periodic reinforcement — a real example, a reminder of where the line is — keeps the policy operative rather than archival.

Common mistakes

  • Writing a policy too vague to guide a real decision. "Use AI responsibly" doesn't tell an employee anything actionable in the moment they're deciding whether to submit a specific piece of data to a specific tool.
  • Copying a generic legal template with no organization-specific detail. A policy that could apply to any company, unchanged, rarely gets read carefully and almost never gets followed.
  • Writing the policy once and never updating it. AI tools and their data handling terms change quickly; a policy that isn't revisited becomes inaccurate, not just outdated.
  • Publishing the policy without any enforcement or monitoring behind it. A policy nobody checks against actual usage describes an aspirational state, not the organization's real exposure.

FAQ

Does a small business need a formal AI acceptable use policy? Yes — the core risk (an employee submitting sensitive data to a public AI tool with no data handling guarantees) doesn't scale down with company size. The policy's length and formality can, but the underlying data-tier guidance should exist regardless of headcount.

Should the AI acceptable use policy be a separate document from the general IT acceptable use policy? Generally yes, or at minimum a clearly distinct, prominently referenced section. Burying AI-specific guidance inside a general policy makes it easy to miss, and AI guidance tends to need more frequent updates than the rest of the IT policy set.

How often should an AI acceptable use policy be reviewed? At least annually, with an additional review triggered any time the organization adopts a new AI tool, approves a new use case, or a provider materially changes its data handling terms.

Operational Support

Need help implementing these findings?

IT KORR can coordinate DNS configuration, email authentication setup, and Microsoft 365 governance alignment. We work with your current providers — no migration required.

No commitment required — we respond within one business day.

Build: add8299 | Built: Jul 9, 2026 9:26 PM EDT