AI Acceptable Use Policy Template (For Small and Mid-Sized Businesses)
Once employees start using AI on their own — pasting customer data into ChatGPT, generating contracts with Claude, summarizing meetings with whatever tool a vendor sold them — you have an AI policy whether you wrote one or not. The choice is between writing it deliberately or discovering it the hard way after a data leak. This template covers the eight sections every small or mid-market business should have in writing: who can use AI, what data is off-limits, approved tools, disclosure rules, decision-making boundaries, vendor management, incident response, and review cadence. Adapt the bracketed sections to your business, get a lawyer to glance at it, and roll it out in 30 minutes.
How to Use This Template
Each section below has a default policy line in plain English, followed by [BRACKETS] showing where to customize for your business. The defaults are written for a 10–500 person company without a dedicated compliance team. If you're in a regulated industry (healthcare, finance, legal), have your counsel review before adopting — the defaults are sensible starting points, not legal advice. Total length should land between 4 and 7 pages when adapted.
Section 1: Scope and Purpose
**Default policy:** This policy applies to all [COMPANY NAME] employees, contractors, and third parties when they use any AI tool — including but not limited to ChatGPT, Claude, Gemini, Copilot, Notion AI, Grammarly, and any AI features built into other software — in the course of [COMPANY] business. The purpose is to protect customer and company data, prevent unauthorized decisions being delegated to AI, and ensure compliance with applicable regulations.
**Why this section matters:** Without explicit scope, employees argue that 'just summarizing notes' or 'just helping me write an email' isn't covered. Cover everything; allow exceptions in writing.
Section 2: Who Can Use AI (Permission Tiers)
**Default policy:** AI usage is permitted at three tiers. All employees default to Tier 1 unless explicitly granted higher access by [POLICY OWNER ROLE].
• **Tier 1 — Personal productivity only:** Brainstorming, drafting first drafts of internal-only content, summarizing public information. No customer, financial, or HR data.
• **Tier 2 — Internal data permitted:** Tier 1 plus internal documents, meeting notes (without external attendees by name), and operational data. Requires team lead approval and a signed acknowledgment of this policy.
• **Tier 3 — Customer and sensitive data:** Tier 2 plus identifiable customer data, contract drafting with PII, financial analysis. Requires [EXECUTIVE ROLE] approval, an approved tool from the allowed list, and quarterly access review.
**Why this matters:** Tiered access prevents the most common failure mode — well-meaning employees pasting customer SSNs into a free AI tool that explicitly logs all inputs for training.
Section 3: Approved Tools List
**Default policy:** Only AI tools on the approved list below may be used for [COMPANY] business. Any other tool requires written approval from [POLICY OWNER ROLE] before use, including 'free' or trial versions.
**Approved tools (example — customize to your stack):**
• [TOOL NAME] — Tier [N] access — covered by Business Associate Agreement / DPA dated [DATE]
• [TOOL NAME] — Tier [N] access — enterprise SSO required
• [TOOL NAME] — Tier [N] access — usage logged via [LOGGING SOLUTION]
**Specifically prohibited:** Free consumer-tier accounts (ChatGPT Free, Claude Free, etc.) for any work-related task involving non-public data. The training data and retention policies on consumer tiers are not compatible with [COMPANY]'s data obligations.
**Why this matters:** Most data leaks happen via free consumer tools because employees don't realize that 'free' usually means 'data trains the model.' A short approved list is the single most effective policy control.
Section 4: Data Boundaries (What Never Goes Into AI)
**Default policy:** The following categories of data must never be entered into any AI tool — regardless of tier, regardless of approval — without explicit written authorization from [LEGAL/COMPLIANCE ROLE]:
• Customer Social Security numbers, driver's license numbers, passport numbers
• Financial account numbers (credit cards, bank accounts) — except via approved tools with redaction
• Protected health information (PHI) as defined under HIPAA
• Information subject to legal hold, NDA, or active litigation
• Trade secrets and source code containing proprietary algorithms
• Personnel files, performance reviews, salary information
• Strategic plans not yet announced internally
• Customer communications when customer hasn't consented to AI processing
**When in doubt, don't paste.** Ask [POLICY OWNER ROLE] before, not after.
**Why this matters:** The hardest cases are gray-area data — meeting notes that 'mention' a customer, a draft contract with 'just the framework.' Define clear bright lines so employees don't have to make judgment calls under deadline pressure.
Section 5: Disclosure Requirements
**Default policy:** When AI materially contributed to externally-facing output, [COMPANY] discloses appropriately:
• **Customer communications:** AI-drafted communications must be reviewed and edited by a human before sending. The final responsibility is with the sender, not the AI. No specific disclosure required for routine communications.
• **Contracts and legal documents:** AI may be used for drafting and review; final documents must be reviewed by qualified counsel or designated reviewer. The fact that AI was used in drafting is internal information.
• **Public content (marketing, blog posts, social):** Substantive AI-generated content should be reviewed for accuracy, originality, and brand voice. Disclosure is at [COMPANY]'s discretion based on platform requirements and best practice.
• **Decisions affecting customers (pricing, denials, recommendations):** Any automated or AI-assisted decision that affects a customer's outcome must be disclosed in the customer-facing decision communication, with a human review option offered.
• **Regulated industries:** Additional disclosure may be required by [INDUSTRY-SPECIFIC REGULATIONS]. See [LEGAL/COMPLIANCE].
**Why this matters:** Disclosure rules vary wildly by industry and jurisdiction. Default to honesty — but be explicit about what 'AI used' means so employees aren't over- or under-disclosing.
Section 6: Decision-Making Boundaries
**Default policy:** AI is a tool for analysis and drafting, not a decision-maker. The following decisions must always involve a human with appropriate authority — AI may inform, but cannot decide:
• Hiring, firing, promotion, compensation, or any HR action
• Customer credit, lending, or insurance approvals/denials
• Contract execution or commitment of [COMPANY] funds above [$ AMOUNT]
• Pricing changes affecting more than [N] customers
• Public statements on behalf of [COMPANY]
• Legal positions, regulatory filings, or disclosures
• Actions that affect customer health, safety, or financial wellbeing
• Escalations involving complaints, threats, or regulatory matters
**For all other AI-assisted work**, the human reviewing the output is accountable for the final result. 'The AI did it' is not a defense.
**Why this matters:** Algorithmic decision-making is increasingly regulated (NYC Local Law 144, EU AI Act, etc.). Even where not yet regulated, automated denial without human review is a fast track to customer-trust damage.
Section 7: Vendor and Third-Party AI
**Default policy:** Before adopting any new AI tool or AI-enabled feature of an existing tool, [POLICY OWNER ROLE] must verify:
1. Data residency and access rights (where does our data go, who can read it)
2. Training opt-out (our data is not used to train shared models — in writing, not verbally)
3. Subprocessor list and security certifications (SOC 2 Type II or equivalent)
4. Incident notification commitment (we are notified within [N] hours of any breach affecting our data)
5. Data export and deletion rights at contract end
6. Liability and indemnification terms appropriate to data sensitivity
**Vendors changing AI features mid-contract:** If a vendor adds AI to an existing product mid-contract (e.g., 'our help desk now uses AI to suggest responses'), the new feature must be off by default (opted out) and reviewed under this policy before being enabled.
**Why this matters:** Vendor sprawl is the silent risk. The CRM you signed in 2023 may have added AI features in 2025 that your team enabled without realizing that it changed the data flow.
Section 8: Incident Response and Policy Review
**Default policy:** If an employee or contractor becomes aware of an AI-related incident — sensitive data entered into a non-approved tool, AI output that was sent and was materially wrong, an AI tool behaving unexpectedly, or a vendor breach — they must report it to [POLICY OWNER ROLE] within 24 hours.
**Reporting is not punitive.** Honest reporting is rewarded; concealment is grounds for discipline. We expect mistakes; we cannot tolerate hidden mistakes.
**Policy review:** This policy is reviewed [QUARTERLY / SEMI-ANNUALLY] by [POLICY OWNER ROLE] with input from [LEGAL, IT, OPERATIONS]. AI technology and regulation are changing fast — a policy that hasn't been updated in 12 months is probably out of date.
**Acknowledgment:** All current employees and contractors must acknowledge this policy within 30 days of issuance, and all new hires within their first 14 days. Acknowledgment is recorded by [HR / POLICY MANAGEMENT TOOL].
**Effective date:** [DATE]. **Owner:** [POLICY OWNER ROLE]. **Next review:** [DATE].
Implementation Checklist (After Adapting the Template)
1. Replace every [BRACKET] with your specifics. Don't ship a policy with [PLACEHOLDER] text — employees will lose trust in it instantly.
2. Have legal counsel or a compliance reviewer read it once before signing — 30 minutes of their time saves you from a 6-figure regret.
3. Build the approved tools list with your IT lead and the team that actually uses AI day-to-day. A theoretical list nobody uses is worse than no list.
4. Pick a policy owner with real authority — usually a department head or COO. AI policy that lives with 'whoever' fails within 90 days.
5. Train every employee in a 30-minute live session, not just an email blast. Take questions. The questions are the real risk surface.
6. Set the review date in [POLICY OWNER]'s calendar before the policy ships, not after.
7. Test the incident reporting path within 60 days — send a fake incident through the channel to verify it works.
Frequently Asked Questions
Yes. A 5-person company has the same data obligations as a 500-person company — and one wrong paste of a customer file into a consumer AI tool produces the same notification requirement. The policy at 5 people is shorter and simpler, but the bright lines (what data never goes in, who approves new tools) are identical.
Vendor-side AI features. Most policies focus on standalone AI tools like ChatGPT, but the real exposure is the AI features your existing CRM, help desk, accounting, and HR tools quietly added over the last 18 months. Section 7 of this template exists specifically to close that gap.
For work involving customer data or proprietary information, yes. For personal productivity tasks with no company data (brainstorming, summarizing public articles, learning a new topic), it's reasonable to allow free tools under Tier 1. The line is the data, not the tool.
Quarterly for the first year, then semi-annually if things have stabilized. Frontier model providers (Anthropic, OpenAI, Google) ship meaningful capability upgrades every 3–6 months, and regulation is moving fast — a static AI policy is an unreliable one.