IT KORR Knowledge Center
AI Acceptable Use Policy
A policy structure defining permitted and prohibited AI use, data handling rules, disclosure requirements, and consequences for violations.
Permitted Uses
- Drafting and editing internal communications, general correspondence, and marketing content using non-confidential inputs.
- Summarizing publicly available or internal-tier documents to save review time.
- Research assistance — using AI as a starting point for research, with output independently verified before being relied upon.
- Code assistance for non-sensitive internal tooling, subject to normal code review.
Prohibited Uses
- Submitting regulated or confidential data — client records, protected health information, financial account numbers, credentials, or trade secrets — to any AI tool not specifically approved for that data tier.
- Using AI-generated output for high-stakes decisions (hiring, termination, credit, medical, legal, or safety-related determinations) without meaningful human review.
- Presenting AI-generated output as final work product without verifying its accuracy.
- Using unapproved or personal-account AI tools to process organizational data of any classification above public.
Data Handling Rules
- Only submit data to an AI tool consistent with the data classification rules in the AI Governance Policy.
- Do not paste customer, patient, or employee personal data into a general-purpose AI chat interface unless it is contractually confirmed not to train on submitted data and is on the approved list for that data tier.
- Remove or redact identifying details before using AI tools for illustrative or exploratory purposes wherever possible.
Disclosure Requirements
- Disclose AI assistance when it materially shaped a work product delivered to a client, regulator, or external party, consistent with any contractual or professional obligations.
- Disclose AI use internally when AI-generated content forms the basis of a decision, recommendation, or analysis presented to leadership.
- When uncertain whether disclosure is required, disclose — silence is the higher-risk default.
Consequences of Violation
- Violations are handled under existing organizational conduct and data protection policies, up to and including termination for serious or repeated violations.
- Accidental disclosure of confidential data to an AI tool must be reported immediately so it can be assessed and, where required, escalated as a data incident.
Acknowledgment
By using any AI tool on behalf of the organization, I acknowledge that I have read and understand this Acceptable Use Policy, and agree to comply with its permitted uses, prohibited uses, and data handling and disclosure requirements.
- Employee name, signature/acknowledgment, and date.
- Policy version acknowledged, for version-tracking purposes.
Related Resources
- AI Acceptable Use Policies — /knowledge-center/artificial-intelligence/ai-governance-secure-ai/ai-acceptable-use-policies
- Shadow AI Explained — /knowledge-center/artificial-intelligence/ai-governance-secure-ai/shadow-ai-explained