Approved vs Unapproved ChatGPT Use Cases at Work

Setting Clear Boundaries for ChatGPT at Work

One of the biggest challenges companies face with AI adoption is ambiguity. Employees want to use ChatGPT but are unsure what is allowed. Without clear guidelines, the result is either shadow AI use (employees using tools without permission) or AI avoidance (employees not using tools out of fear).

This guide provides a clear framework for categorising ChatGPT use cases.

The Three Categories

Approved (Green Light)

Use freely without additional approval. These tasks involve no sensitive data and produce outputs that are reviewed before sharing.

Conditionally Approved (Yellow Light)

Permitted with specific safeguards. Requires data anonymisation, manager awareness, or additional review steps.

Prohibited (Red Light)

Never permitted, regardless of circumstances. These use cases involve unacceptable data, legal, or ethical risks.

Approved Use Cases (Green Light)

Conditionally Approved Use Cases (Yellow Light)

Prohibited Use Cases (Red Light)

How to Handle Edge Cases

When an employee encounters a use case not clearly covered:

1. Apply the data classification test: Is any Restricted (Red) data involved? If yes, it is prohibited.
2. Apply the disclosure test: Would you be comfortable if the AI company's employees could see this prompt? If no, do not proceed.
3. Apply the review test: Can the output be properly reviewed before use? If no, find an alternative approach.
4. Ask your manager: If still unsure, escalate before using AI.

Department-Specific Quick Reference

HR Team

• Approved: Job descriptions, interview questions, training content, process documentation
• Conditional: Survey analysis (anonymise), policy drafts (no individual data)
• Prohibited: Salary data, performance reviews with names, disciplinary records

Sales Team

• Approved: Prospect research (public info), email drafts, proposal templates, objection handling
• Conditional: Client communication drafts (remove details), CRM summaries
• Prohibited: Client contracts, pricing agreements, competitive intelligence documents

Finance Team

• Approved: Report structure drafts, SOP creation, concept explanations, formula help
• Conditional: Management report narratives (illustrative figures only)
• Prohibited: Actual financial data, tax calculations, audit findings, investor information

IT Team

• Approved: Technical documentation, error research (public messages), architecture discussions
• Conditional: Code review (non-proprietary code only)
• Prohibited: Source code with trade secrets, API keys, security configurations, access credentials

Communicating These Guidelines

1. Create a one-page quick reference card that employees can keep at their desk
2. Include in AI training as a mandatory module
3. Post in team channels (Slack, Teams) for easy reference
4. Update quarterly as new use cases emerge
5. Celebrate good examples — share success stories of approved AI use

Related Reading

• ChatGPT Company Policy — Create a formal usage policy around approved use cases
• AI Use-Case Intake Process — A structured process for evaluating and approving AI use cases
• AI Evaluation Framework — Measure quality, risk, and ROI of AI implementations

Approved Use Case Framework: Categorization by Risk Level

Organizations implementing generative tools benefit from structured categorization rather than binary approved/prohibited lists. The following framework, developed through Pertama Partners engagements across forty-three enterprises in Singapore, Malaysia, Indonesia, and the Philippines between 2024 and March 2026, provides actionable classification guidance:

Green Category — Pre-Approved for All Employees. Internal email drafting and formatting, meeting note summarization from transcripts already classified as internal, research synthesis from publicly available sources, code comment generation and documentation improvement, presentation outline creation, and grammar correction for non-confidential documents. These applications involve no sensitive data exposure and generate productivity gains averaging twelve to eighteen percent based on participant self-reporting across Pertama Partners training cohorts.

Yellow Category — Approved with Manager Awareness. Customer communication drafting (requires human review before sending), competitive analysis compilation, marketing copy generation for internal review workflows, technical documentation authoring, and project status report summarization. These use cases require established review procedures but pose manageable risk when employees follow output verification protocols.

Red Category — Requires Formal Exception Approval. Processing customer personally identifiable information, generating legal contract language, producing financial projections shared externally, creating medical or pharmaceutical content, developing pricing recommendations, and any application involving regulated data categories under PDPA, GDPR, or Indonesia's UU PDP legislation.

How Approved Use Cases Differ Across Industries

Professional Services (Legal, Accounting, Consulting). Firms including Baker McKenzie, KPMG, and Accenture publicly disclosed approved use case registries during 2025. Common approvals include research memorandum drafting, engagement letter template customization, and timesheet narrative generation. Prohibited applications typically include client advice generation, tribunal submission drafting, and audit opinion formulation.

Healthcare and Pharmaceutical. Approved applications concentrate on administrative workflows — appointment scheduling communication, insurance pre-authorization documentation, and clinical trial recruitment material drafting. Patient-facing content generation remains restricted pending regulatory guidance from national health authorities across ASEAN jurisdictions.

Financial Services. Banks and insurers operating under MAS, Bank Negara Malaysia, or OJK supervision maintain narrower approved registries reflecting prudential requirements. Typical approvals cover internal reporting summarization, regulatory filing draft preparation, and staff training material development. Customer-facing applications require additional approval layers involving compliance, legal, and technology risk management committees.

Maintaining Currency: Quarterly Use Case Reviews

Approved registries become outdated rapidly as model capabilities evolve and regulatory landscapes shift. Establishing quarterly review cycles — scheduled for March, June, September, and December — ensures organizations capture newly viable applications while identifying emerging risk categories. Each review should incorporate employee feedback submissions, incident reports from the preceding quarter, updated vendor capability documentation, and regulatory developments from relevant jurisdictions.

Organizations curating sanctioned usage inventories benefit from NIST's AI 100-1 taxonomy distinguishing generative, discriminative, and reinforcement-based application archetypes. Approved registries at multinational corporations spanning Petronas, DBS Group, and Ayala Corporation categorize permissible deployments through ROPA (Records of Processing Activities) templates satisfying GDPR Article 30 documentation obligations. Use-case triage protocols incorporate DPIA (Data Protection Impact Assessment) threshold screening calibrated against Singapore's PDPC Advisory Guidelines and Malaysia's PDPA 2010 Commissioner's enforcement precedents. Procurement teams cross-reference vendor security postures through SOC 2 Type II attestation reports, ISO 27001 certification scopes, and CAIQ (Consensus Assessment Initiative Questionnaire) submissions maintained through CSA STAR registry infrastructure, preventing shadow-IT proliferation through unauthorized SaaS procurement circumventing centralized architectural governance.