What is an AI Acceptable Use Policy?
An AI Acceptable Use Policy (AUP) is a practical, employee-facing document that tells your team exactly what they can and cannot do with AI tools at work. Unlike a comprehensive AI governance framework (which is designed for leadership and compliance teams), an AUP is written in plain language for everyday employees.
Think of it as the difference between a full employment law manual and a simple employee handbook. The AUP is the handbook — clear, actionable, and designed to be read in 10 minutes.
Why a Separate AUP Matters
Many companies make the mistake of embedding AI rules into their broader IT policy or data privacy policy. The problem is that employees rarely read those documents, and even when they do, the AI-specific guidance gets lost in dozens of pages of general IT rules.
A standalone AI AUP:
- Can be distributed as a one-page or two-page reference
- Is easy to update as tools and rules change
- Serves as a training handout during AI workshops
- Creates clear accountability — employees cannot claim ignorance
AI Acceptable Use Policy Template
[COMPANY NAME] — AI Acceptable Use Policy
Effective date: [DATE] Applies to: All employees, contractors, and temporary staff Policy owner: [CTO / CISO / Head of Digital]
What This Policy Covers
This policy applies to your use of any artificial intelligence tool for work purposes, including but not limited to:
- ChatGPT, Claude, Gemini, Copilot, and other generative AI chatbots
- AI features built into Microsoft 365, Google Workspace, or other work applications
- AI-powered writing, design, coding, or analysis tools
- AI features in department-specific software (CRM, ERP, HRIS, etc.)
Approved AI Tools
You may only use AI tools that have been approved by [COMPANY]. Currently approved tools are:
| Tool | What It Can Be Used For |
|---|---|
| [Tool 1] | [Approved use cases] |
| [Tool 2] | [Approved use cases] |
| [Tool 3] | [Approved use cases] |
Important: Free or personal versions of AI tools (e.g. the free version of ChatGPT) are not approved for work use. Always use the enterprise/company account.
To request a new AI tool, contact [designated person/team].
What You CAN Do with AI
- Draft emails, reports, presentations, and other business documents
- Summarise meeting notes, articles, and internal documents
- Brainstorm ideas and create outlines
- Analyse data and create charts (using non-confidential data)
- Generate first drafts that you will review and edit
- Research publicly available information
- Translate documents between languages
- Debug and write code (using approved coding AI tools)
What You MUST NOT Do with AI
Data rules — never input these into any AI tool:
- Names, IC/NRIC numbers, passport numbers, or other personal identifiers
- Client names, account numbers, or contract details
- Salary, compensation, or financial data
- Medical or health information
- Passwords, access codes, or API keys
- Board papers, legal documents, or privileged communications
- Unreleased product information or trade secrets
Usage rules:
- Do not use AI to make final decisions about hiring, firing, promotions, or disciplinary actions without human review
- Do not present AI-generated content as your own original work in academic or professional certification contexts
- Do not use AI to generate content that is misleading, discriminatory, or harmful
- Do not use AI to access, process, or generate content that violates any law or company policy
- Do not bypass company-approved tools by using personal devices or accounts
Quality Check Requirements
Before using any AI output in your work:
- Read it completely — Do not blindly copy and paste
- Check facts — Verify any specific claims, statistics, or references against primary sources
- Review for bias — Look for assumptions, stereotypes, or one-sided perspectives
- Check for hallucinations — AI can fabricate names, dates, legal citations, and URLs that do not exist
- Edit for tone and accuracy — Ensure the output matches your company's voice and is appropriate for the audience
- Apply professional judgment — If the output does not feel right, it probably is not
When to Disclose AI Use
| Situation | Disclosure Required? |
|---|---|
| Internal emails and notes | No |
| Internal reports and presentations | No, but recommended for transparency |
| Client deliverables | Yes — inform the client or follow client-specific AI policies |
| Regulatory filings or submissions | Yes — must be reviewed by compliance team |
| Published content (blog, social media) | Follow [COMPANY]'s content policy |
| Recruitment and HR decisions | Yes — document AI involvement |
What to Do If Something Goes Wrong
If you accidentally input restricted data, encounter a concerning AI output, or are unsure about an AI use case:
- Stop — Do not continue using the output
- Report — Contact [designated person/email] immediately
- Document — Note what happened, which tool was used, and what data was involved
- Do not delete — Preserve the conversation/output for review
Reporting incidents promptly is essential and will not result in disciplinary action for good-faith mistakes.
Your Responsibilities
By using AI tools at [COMPANY], you agree to:
- Follow this policy in all AI-related activities
- Complete required AI training sessions
- Report incidents and concerns promptly
- Stay informed about policy updates
- Use professional judgment at all times
How to Roll Out This AUP
Step 1: Customise for Your Company
Fill in the approved tools table, designate the policy owner and incident contact, and adjust the disclosure requirements to match your business context.
Step 2: Keep It Short
The AUP should be no more than 2-3 pages. If it is longer, employees will not read it. Move detailed technical and legal content to a separate governance document.
Step 3: Make It Accessible
Post the AUP on your intranet, include it in onboarding materials, and distribute printed copies during AI training sessions.
Step 4: Train, Don't Just Distribute
An email attachment is not sufficient. Walk employees through the policy in a 30-minute session, with real examples of do's and don'ts.
Step 5: Enforce Consistently
The policy only works if it is enforced. Address violations promptly and consistently, while encouraging good-faith incident reporting.
Differences Between an AI Policy and an AI AUP
| AI Policy (Governance Document) | AI AUP (Employee Document) |
|---|---|
| Comprehensive, 10-20+ pages | Concise, 2-3 pages |
| Covers strategy, risk, compliance | Covers daily dos and don'ts |
| Audience: leadership, legal, compliance | Audience: all employees |
| Updated quarterly | Updated as tools/rules change |
| References regulations in detail | References regulations simply |
Most companies need both. The AI policy is the governance foundation; the AI AUP is the practical employee guide derived from it.
Related Reading
- AI Policy Template — Comprehensive AI governance policy for your organisation
- ChatGPT Data Leakage Prevention — Technical controls to complement your usage policy
- AI Vendor Approval Checklist — Evaluate and approve AI tools before employees use them
Frequently Asked Questions
An AI policy is a comprehensive governance document covering strategy, risk management, compliance, and organisational AI oversight. An AI acceptable use policy (AUP) is a shorter, employee-facing document that provides clear do's and don'ts for daily AI use. Most companies need both — the policy for governance, the AUP for practical guidance.
Yes, for work purposes. Free versions of AI tools like ChatGPT often use inputs for model training and lack enterprise data protection. The AUP should require employees to use only company-approved enterprise versions, which offer better security, data handling, and audit controls.
Enforcement starts with training — employees must understand the policy before they can follow it. Beyond that, enforcement includes regular reminders, manager accountability, technical controls (blocking unapproved tools via IT), incident reporting mechanisms, and consistent disciplinary follow-up for violations.