IT KORR Knowledge Center
AI Acceptable Use Policy
Informed by HIPAA Security Rule and PCI DSS data handling expectations
1. Purpose
This policy establishes [Organization Name]'s requirements for the acceptable use of artificial intelligence (AI) tools, covering approved tools, data sensitivity handling, and human review requirements for AI-assisted decisions, aligned with Informed by HIPAA Security Rule and PCI DSS data handling expectations. This policy applies to all employees, contractors, and third parties using AI tools in connection with [Organization Name]'s business.
This policy is sized for a mid-sized organization, and should be reviewed against your organization's actual structure before adoption.
2. Approved AI Tools
AI tool use is limited to the specific tools listed below. Use of any AI tool not on this list requires approval through the process defined in Section 5 before use.
- [No tools listed yet — add your approved AI tools here]
Employees must not use unapproved ("shadow") AI tools for business purposes, including free consumer-grade tools accessed through personal accounts.
3. Data Sensitivity Tiers
Confidential and restricted-tier data (as defined by the organization's data classification scheme) may not be submitted to any AI tool, including approved tools, unless that tool has been specifically vetted and contractually confirmed not to retain or train on submitted data.
Regulated data (e.g., PII, protected health information, cardholder data, or other data subject to specific regulatory requirements) is prohibited from submission to any AI tool without prior compliance review and explicit written authorization.
- Public and internal-tier data may generally be used with approved AI tools, subject to ordinary business judgment.
- When in doubt about a specific data type or system, employees should treat the data as restricted until confirmed otherwise.
4. Human Review of AI-Assisted Decisions
AI-generated output must not be used, without human review, to inform financial, legal, clinical, contractual, hiring, or other high-stakes decisions. A qualified human reviewer must evaluate and approve such output before it is acted upon.
Factual claims, citations, and statistics in AI-generated content intended for external use must be independently verified against primary sources before publication or distribution.
5. Tool Approval Process
Any new AI tool must be submitted for review and approval before business use, evaluating data handling terms, security posture, and intended use case. Approved tools are added to the list in Section 2; the approval owner is responsible for maintaining that list.
6. Incident Reporting
Employees must promptly report any suspected policy violation, unexpected data exposure, or AI tool output surfacing content it should not have access to, using the organization's standard incident reporting channel.
7. Training and Awareness
All employees using AI tools are required to complete AI usage training, covering approved tools, prohibited data types, and human review expectations, prior to gaining access and on a recurring basis thereafter.
8. Enforcement and Review
Violations of this policy may result in disciplinary action up to and including termination, consistent with [Organization Name]'s other acceptable use and data handling policies. This policy is reviewed at least annually, or upon a significant change to AI tools in use, applicable regulatory requirements, or a security incident. Last generated: July 10, 2026.
9. References
- Informed by HIPAA Security Rule and PCI DSS data handling expectations
- IT KORR Knowledge Center — AI Governance & Secure AI: /knowledge-center/artificial-intelligence/ai-governance-secure-ai