Executive Summary
- An AI Acceptable Use Policy (AUP) defines what AI use is permitted and prohibited in your organization
- This template provides a complete, customizable policy ready for implementation
- Key sections cover: approved tools, permitted uses, prohibited activities, data rules, and accountability
- The policy should be clear enough that any employee can understand expectations
- Customize based on your organization's AI tools, risk tolerance, and industry requirements
- Review and update at least annually, or when AI capabilities and tools change significantly
- Pair policy deployment with training—rules without understanding don't work
Why You Need an AI Acceptable Use Policy
Your employees are already using AI. The question is whether they're using it safely and appropriately.
Without an AUP:
- Employees guess at what's acceptable
- Confidential data gets entered into AI tools
- AI outputs go unverified into customer communications
- Some teams ban AI while others use it freely
- You can't demonstrate governance to regulators
With an AUP:
- Everyone knows the rules
- Risks are addressed proactively
- Appropriate AI use is enabled
- Governance is demonstrable
- Incident response has a foundation
AI Acceptable Use Policy Template
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[ORGANIZATION NAME]
AI ACCEPTABLE USE POLICY
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Document Control
----------------
Version: [1.0]
Effective Date: [Date]
Owner: [Role/Title]
Approved By: [Role/Title]
Review Date: [Next annual review]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. PURPOSE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1.1 This policy establishes guidelines for the acceptable
use of artificial intelligence (AI) tools and systems
at [Organization Name].
1.2 The purpose is to:
• Enable employees to use AI productively and safely
• Protect organizational and customer information
• Ensure compliance with legal and regulatory requirements
• Manage risks associated with AI use
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2. SCOPE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
2.1 This policy applies to:
• All employees
• Contractors and temporary staff
• Third parties using AI on our behalf
2.2 This policy covers:
• AI tools provided by [Organization Name]
• Third-party AI services (including ChatGPT, Claude,
Copilot, Gemini, and similar tools)
• AI features embedded in other software
• Both work and personal devices used for work purposes
2.3 Definitions
"AI" means any tool or system that uses artificial
intelligence, machine learning, or similar technologies.
"Generative AI" means AI that creates new content
(text, images, code, audio, video).
"Confidential Information" includes trade secrets,
financial data, customer information, personal data,
and any information classified as confidential.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
3. APPROVED AI TOOLS
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
3.1 Approved Tools
The following AI tools are approved for business use:
[List your approved tools, for example:]
• [Tool 1] - for [purpose]
• [Tool 2] - for [purpose]
• [Tool 3] - for [purpose]
The current list is maintained at [location/link].
3.2 Requesting New Tools
To request approval for a new AI tool:
• Contact [AI Owner/IT/Manager]
• Provide the tool name, purpose, and data requirements
• Await approval before use
3.3 Prohibited Tools
The following tools are not approved:
• [List any specifically prohibited tools]
• Any AI tool not on the approved list (without approval)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4. PERMITTED USES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
4.1 You MAY use approved AI tools for:
Content Creation and Editing
✓ Drafting emails, documents, and reports (with review)
✓ Improving writing clarity and grammar
✓ Summarizing long documents
✓ Creating presentation outlines
Research and Analysis
✓ Gathering general information (verify accuracy)
✓ Exploring ideas and approaches
✓ Analyzing publicly available data
✓ Learning new concepts
Technical Assistance
✓ Writing and debugging code (non-proprietary)
✓ Explaining technical concepts
✓ Generating test cases
✓ Troubleshooting issues
Administrative Tasks
✓ Scheduling and planning
✓ Formatting and organization
✓ Translation (non-sensitive content)
✓ Brainstorming and ideation
4.2 Important Conditions
All permitted uses require:
• Human review before sending or publishing AI content
• Verification of factual claims in AI outputs
• Compliance with the data rules in Section 5
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
5. DATA RULES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
5.1 Data Categories
GREEN - OK to use with AI:
• Publicly available information
• General knowledge questions
• Non-sensitive internal processes
• Your own ideas and drafts (without confidential content)
YELLOW - Requires caution / manager approval:
• Internal strategies and plans (remove specifics)
• General business processes (anonymized)
• Aggregated, non-identifying data
RED - Never enter into AI:
• Customer names, contact info, or data
• Employee personal information
• Financial records and projections
• Passwords, access credentials, API keys
• Legal documents and contracts
• Proprietary code, algorithms, or trade secrets
• Board materials and confidential communications
• Any data marked "Confidential" or "Restricted"
5.2 When In Doubt
If you are unsure whether data is appropriate to use
with AI, ask your manager or contact [AI Owner/Contact].
The rule: When in doubt, leave it out.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6. PROHIBITED ACTIVITIES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
6.1 You must NOT:
Data Protection
✗ Enter confidential or personal data into AI tools
✗ Upload documents containing sensitive information
✗ Use AI to process customer data without authorization
Content Integrity
✗ Present AI-generated content as entirely your own work
✗ Send AI content to customers/clients without review
✗ Use AI outputs without verifying accuracy
✗ Create misleading or deceptive content
Decision Making
✗ Make significant decisions solely based on AI recommendations
✗ Use AI for employment decisions without proper oversight
✗ Rely on AI for legal, medical, or financial advice
Security
✗ Share AI account credentials
✗ Bypass security controls to access AI
✗ Use AI to attempt unauthorized access
Other
✗ Use AI for personal business during work time
✗ Use AI to create inappropriate or offensive content
✗ Violate copyright or intellectual property rights
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
7. OUTPUT HANDLING
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
7.1 Review Requirements
• Always review AI outputs before use
• Verify factual claims independently
• Check for bias, errors, or inappropriate content
• Edit and improve AI drafts as needed
7.2 Attribution
• Significant AI assistance should be disclosed when
appropriate (e.g., in reports, publications)
• Follow team/department norms for attribution
7.3 Retention
• AI conversation logs may be retained by AI providers
• Do not assume AI conversations are private
• Important decisions should be documented outside AI
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
8. RESPONSIBILITIES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
8.1 All Employees
• Follow this policy
• Complete required AI training
• Report concerns or incidents
• Ask when unsure
8.2 Managers
• Ensure team members understand the policy
• Approve/decline AI use requests within their authority
• Monitor for policy compliance
• Escalate issues appropriately
8.3 [AI Owner/Contact]
• Maintain approved tools list
• Answer policy questions
• Handle incident reports
• Recommend policy updates
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
9. REPORTING ISSUES
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
9.1 Report immediately if:
• You accidentally entered confidential data into AI
• AI produced harmful or inappropriate outputs
• You observe policy violations
• You have concerns about AI use
• AI outputs caused or could cause harm
9.2 How to report:
• Contact: [Name/Role/Email]
• [Alternative reporting method]
9.3 No retaliation
Good-faith reporting will not result in negative
consequences, even if the reporter made a mistake.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
10. COMPLIANCE
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
10.1 Training
All employees must complete AI awareness training
[within 30 days of hire / annually].
10.2 Monitoring
[Organization Name] may monitor AI tool usage to
ensure policy compliance.
10.3 Non-Compliance
Violations may result in:
• Additional training
• Revocation of AI access
• Disciplinary action per HR policies
• For third parties: contract consequences
10.4 Exceptions
Exceptions require written approval from [authority].
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
11. POLICY ADMINISTRATION
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
11.1 Questions
Contact [AI Owner/Contact] at [email/channel].
11.2 Review
This policy is reviewed annually and updated as needed.
11.3 Related Policies
• Information Security Policy
• Data Classification Policy
• Privacy Policy
• Code of Conduct
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ACKNOWLEDGMENT
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
I have read and understand this AI Acceptable Use Policy.
I agree to comply with its requirements.
Name: _________________________
Signature: _____________________
Date: _________________________
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Customization Guide
1. Approved Tools
Replace the placeholder with your actual approved tools. Be specific:
- ChatGPT Enterprise (content drafting)
- GitHub Copilot (code assistance)
- Grammarly (writing improvement)
2. Data Categories
Adjust the GREEN/YELLOW/RED categories to match your data classification scheme and risk tolerance.
3. Reporting Contact
Insert actual names, roles, and contact information.
4. Prohibited Tools
If any specific tools are banned (e.g., consumer versions when enterprise versions are available), list them explicitly.
5. Training Requirements
Specify your actual training program and timeline.
Implementation Checklist
Before Launch
- Policy customized with organization specifics
- Legal review completed
- Executive approval obtained
- Training materials prepared
- Communication plan developed
- Reporting process established
At Launch
- All-hands announcement
- Policy distributed to all employees
- Acknowledgment process initiated
- Training scheduled
- Questions addressed
After Launch
- Training completion tracked
- Acknowledgments collected
- Compliance monitoring initiated
- Feedback gathered
- FAQ developed based on questions
Next Steps
Customize this template for your organization, complete the legal review, and launch with appropriate training and communication.
For guidance on rolling out your policy:
- [How to Communicate Your AI Policy: Rollout Strategies]
Book an AI Readiness Audit with Pertama Partners for help developing and implementing your AI policies.
Related Reading
- [What Should an AI Policy Include?]
- [Generative AI Policy: Boundaries for ChatGPT and Similar Tools]
- [How to Communicate Your AI Policy]
Customizing the Template for Your Organization
A template provides structure, but effective AI acceptable use policies require customization that reflects your organization's specific risk profile, industry regulations, and cultural context. Three areas require the most significant customization effort.
- First, data classification alignment: map the template's generic data handling categories to your organization's existing data classification framework. If your organization distinguishes between public, internal, confidential, and restricted data, the AI policy should specify exactly which classification levels can be processed by which categories of AI tools, with explicit examples relevant to your industry.
- Second, role-based permissions: customize access levels based on actual organizational roles rather than generic categories. A marketing manager's AI usage permissions will differ significantly from a software engineer's or a financial analyst's, and the policy should reflect these distinctions with specific approved and prohibited use cases for each role.
- Third, incident response integration: connect the AI policy's incident reporting procedures with your existing security incident response framework rather than creating a parallel process that may create confusion during actual incidents.
Practical Next Steps
To put this AI acceptable use policy template into practice, consider the following action items:
- Establish a cross-functional governance committee with clear decision-making authority and regular review cadences.
- Document your current governance processes and identify gaps against regulatory requirements in your operating markets.
- Create standardized templates for governance reviews, approval workflows, and compliance documentation.
- Schedule quarterly governance assessments to ensure your framework evolves alongside regulatory and organizational changes.
- Build internal governance capabilities through targeted training programs for stakeholders across different business functions.
Effective governance structures require deliberate investment in organizational alignment, executive accountability, and transparent reporting mechanisms. Without these foundational elements, governance frameworks remain theoretical documents rather than living operational systems.
The distinction between mature and immature governance programs often comes down to enforcement consistency and stakeholder engagement breadth. Organizations that treat governance as an ongoing discipline rather than a checkbox exercise develop significantly more resilient operational capabilities.
Common Questions
An AI acceptable use policy defines which AI tools employees can use, how they can use them, what data can be processed, prohibited activities, and consequences for violations. It provides clear guardrails for safe AI adoption.
An AI acceptable use policy focuses specifically on employee behavior and tool usage, while a broader AI policy covers governance, risk management, compliance, and organizational strategy for AI implementation.
Common prohibitions include entering confidential data into public AI tools, using AI for deceptive purposes, bypassing security controls, making autonomous decisions without human review, and using unapproved AI applications.

