Governance & guardrails

AI acceptable use policy: a free template

An AI acceptable use policy, sometimes called an AI usage policy, is the short, employee-facing document that tells your people which AI tools they can use, on what data, and where the lines are. This page explains what goes in one and gives you the full template, including an approved-versus- prohibited tools matrix, free and with no email wall.

What an AUP is, and what it isn't

An acceptable use policy is the rules an individual follows: what they can use, on what data, and where a human has to stay in charge. It is not the whole governance program. The broader AI policy sets principles, roles, risk tiering, and procurement; the AUP is the part you hand to every employee. If you only write one document first, this is usually the one, because it is what people are actually asking for when they say "can I use this AI tool for work?"

The reason to publish it clearly is the same reason we published this page without a form: a policy nobody can read is a policy nobody follows. Keep it short, concrete, and free of legalese people will skim past.

The template

Below is a working AI acceptable use policy, section by section, with a note on what each part is for. It is a starting structure, not legal advice. Copy it, fill in your approved tools and data definitions, cut what doesn't apply, and have counsel review it before you roll it out.

  1. 1. Purpose and scope. Why this policy exists and who it covers (employees, contractors, anyone using AI on company work). State plainly that it applies to both company-provided and personal AI tools used for work.
  2. 2. Your responsibilities. The one rule under everything: you are accountable for anything AI produces in your name. AI assists; it does not absolve. Check its work before you use, send, or publish it.
  3. 3. Approved tools. The specific AI tools the company has vetted and approved, with the tier or plan (an enterprise plan with data protections is not the same as a free consumer login). Anything not on the list needs approval before use.
  4. 4. What you may not put into AI tools. The data lines: no customer personal data, secrets, credentials, source code, or confidential material in unapproved or consumer-tier tools. Spell out what counts, because "confidential" means nothing without examples.
  5. 5. Prohibited uses. The uses that are off-limits regardless of tool: impersonation, generating misleading content, evading security, unauthorized surveillance, or making consequential decisions about people (hiring, credit, discipline) without human review and sign-off.
  6. 6. Human review and verification. Where a human must check AI output before it is relied on: anything customer-facing, anything that informs a decision about a person, and anything with legal, financial, or safety weight. Name who reviews what.
  7. 7. Disclosure and transparency. When AI use must be disclosed: to customers interacting with an AI agent, in content where it matters, and internally when AI materially shaped a deliverable. This is also an EU AI Act obligation for some systems.
  8. 8. Security and access. Use company accounts, not personal ones; keep AI tools inside your normal access and authentication controls; do not connect unapproved AI to company systems or data.
  9. 9. Reporting problems. How to report a mistake, a data exposure, or a tool behaving badly, and the promise that reporting an honest mistake fast is treated better than hiding it.
  10. 10. Enforcement and review. What happens if someone breaks the policy, who owns the policy, and when it is reviewed (at least annually, plus after any significant incident or new regulation).

The approved-versus-prohibited tools matrix

The single most useful page for employees is a plain matrix of what is fine and what is not, by scenario. Abstract rules get argued with; a table gets followed. Adapt this to your actual approved tools:

Scenario Approved Prohibited
Drafting internal documents, notes, summaries Approved enterprise AI tools Consumer / free tiers with company data
Customer or personal data as input Only tools contractually cleared for that data Any general-purpose consumer chatbot
Source code and secrets Approved coding assistant on an enterprise plan Pasting into unapproved or public tools
Customer-facing content or replies AI draft, with a named human reviewing before it ships Unreviewed AI output sent as-is
Decisions about people (hiring, credit, discipline) AI as an input, human decides and is accountable AI making or effectively making the decision
Connecting AI to company systems Through IT-approved integrations only Unsanctioned plugins, agents, or automations

The through-line is simple: match the tool to the sensitivity of the data and keep a human accountable for anything that reaches a customer or affects a person. Give people a safe, approved option for each job and most shadow AI problems solve themselves.

How to roll it out

  1. Approve it through your governance committee. The AI governance committee ratifies the policy so it carries real authority, not just an IT memo's.
  2. Publish it where people work. One findable page, plus the tools matrix somewhere people actually see it, beats a PDF buried in a shared drive.
  3. Tell people why, not just what. A short explanation of the data risk lands better than a list of bans, and it is the difference between compliance and evasion.
  4. Review it on a schedule. At least yearly, plus after any incident or new regulation. AI tools and the rules around them both keep moving.

An AUP is one piece of a working program. It sits inside your AI governance framework, it is enforced by your committee, and the risk tiering that decides which uses need the tightest rules comes from your AI risk assessment. If you would rather have the whole set built and adapted to your company than assemble it from templates, that is AI governance consulting, and the fixed-scope starting point is an AI risk assessment.

One line of hygiene: this template is general information, not legal advice. Have counsel review it before you rely on it; the data, disclosure, and enforcement sections touch privacy and employment law.

Questions people ask

What is an AI acceptable use policy?
An AI acceptable use policy (or AI usage policy) is the short, employee-facing document that tells your people which AI tools they may use at work, what data they may and may not put into them, when a human has to check the output, and what is prohibited outright. It is the day-to-day rules layer, distinct from the broader governance framework that sits behind it.
What should an AI acceptable use policy include?
At minimum: purpose and scope, each person's responsibility for AI output, the list of approved tools, the data you must never put into unapproved tools, prohibited uses, where human review is required, disclosure rules, security and access, how to report problems, and enforcement plus a review date. The template on this page covers all ten.
What is the difference between an AI acceptable use policy and an AI policy?
An AI policy is the broader governance document: principles, roles, risk tiering, procurement, oversight. The acceptable use policy is the employee-facing slice of it, the rules an individual actually follows day to day. Most companies need both; the AUP is usually the one you write first because it is what people are asking for.
Should we ban public AI tools like ChatGPT at work?
Usually no, and a ban rarely holds; it just pushes AI use into the shadows where you can't see it. The workable approach is to approve safe tools (enterprise tiers with data protections), draw clear data lines about what may never go into a consumer tool, and give people an approved option so they don't reach for an unapproved one. Prohibit the risky uses, not the technology.
Is this template legally binding, and do we need a lawyer?
The template is a starting structure, not legal advice, and it is not binding until you adapt it, approve it, and communicate it as policy. Have counsel review it before you rely on it, especially the data, disclosure, and enforcement sections, which interact with privacy law, employment law, and rules like the EU AI Act's transparency obligations.

Tell us about the work.

A few lines is enough. We read every enquiry ourselves and reply within one business day.