If your company doesn't have an AI usage policy yet, you're not alone. A 2025 survey by SHRM found that only 25% of organizations had formal guidelines for how employees should use AI tools at work. The other 75%? Their employees are using ChatGPT, Claude, Gemini, and a dozen other tools anyway. They're just doing it without guardrails.
That gap between usage and policy is where bad things happen. An engineer pastes proprietary source code into a public AI tool. A recruiter feeds candidate resumes into a free chatbot that trains on user input. A manager uses AI to write a performance review and doesn't check if it hallucinated accomplishments the employee never actually achieved. These aren't hypothetical scenarios. I've seen every one of them happen.
The good news: you don't need to be a lawyer or a technologist to write a solid AI usage policy. You need to be the person who cares enough to put one in place before something goes wrong. And I'm going to give you the template to do it.
Why HR Should Own This
You might be thinking, "Isn't this an IT thing?" In some organizations, sure, IT or Legal will drive the policy. But in most mid-size companies, HR is in the best position to own it for three reasons:
- You already manage company policies. You know how to write them, roll them out, train people on them, and enforce them. This is your lane.
- AI usage touches people issues. When AI is used in hiring, performance management, compensation decisions, or terminations, the legal and ethical risks are squarely in HR territory.
- Employees trust you. A policy that comes from IT often feels like a restriction. A policy that comes from HR, framed as "here's how to use these tools well," feels like enablement.
What Your Policy Needs to Cover
After reviewing dozens of AI policies from companies ranging from 50 to 50,000 employees, I've found that the most effective ones cover six areas. Skip any of them and you'll end up revising the policy within months.
- Approved tools and accounts. Which AI tools are employees allowed to use? Are personal accounts okay, or must they use company-provisioned accounts?
- Data classification. What types of information can and cannot be shared with AI tools? This is the most important section of the entire policy.
- Use case guidelines. What's AI appropriate for? What requires human judgment and should never be delegated to a model?
- Disclosure requirements. When do employees need to disclose that AI was used? To colleagues? To candidates? To customers?
- Prohibited uses. What's explicitly off-limits? Being specific here prevents ambiguity.
- Incident response. What happens if someone makes a mistake? Who do they tell? What's the process?
The Full Template
Below is a complete, copy-and-paste AI usage policy template. Anywhere you see bracketed placeholder text, replace it with your company's specifics. I've written this to be practical and readable, not legalistic, because a policy nobody reads is worse than no policy at all.
Artificial Intelligence Acceptable Use Policy
[Company Name] — Effective [Date]
Version 1.0 — Owned by [HR / People Operations / IT]
1. Purpose
This policy establishes guidelines for the responsible use of artificial intelligence tools by [Company Name] employees. Our goal is to empower employees to use AI productively while protecting company data, maintaining ethical standards, and complying with applicable laws.
2. Scope
This policy applies to all employees, contractors, interns, and temporary workers at [Company Name]. It covers all AI-powered tools including but not limited to large language models (e.g., ChatGPT, Claude, Gemini), AI coding assistants (e.g., GitHub Copilot, Cursor), AI image generators, and any AI features embedded in existing software tools.
3. Approved Tools
The following AI tools have been reviewed and approved for company use:
| Tool | Account Type | Approved For |
|---|---|---|
| [e.g., Claude Team] | Company account | All employees |
| [e.g., GitHub Copilot] | Company account | Engineering team |
| [e.g., Grammarly Business] | Company account | All employees |
Important: Use only company-provisioned accounts for approved tools. Personal accounts for AI tools should not be used for any company-related work, as they may lack enterprise data protections.
Requests for additional AI tools should be submitted to [IT / your manager / People Ops] for security review before use.
4. Data Classification and AI
Not all company information can be shared with AI tools. Follow these guidelines:
| Data Tier | Examples | AI Use |
|---|---|---|
| Public | Published blog posts, marketing copy, public job descriptions | Allowed with any approved tool |
| Internal | Internal memos, process documentation, meeting notes (non-sensitive) | Allowed with approved tools on company accounts only |
| Confidential | Financial data, unreleased product details, employee PII, compensation data, candidate information | Not permitted without explicit approval from [Legal / CISO / VP of People] |
| Restricted | SSNs, health records, credentials/passwords, customer payment data, trade secrets | Never permitted in any AI tool under any circumstances |
When in doubt, don't paste it in. If you're unsure about a data classification, ask [IT / your manager] before using it with an AI tool.
5. Acceptable Use Guidelines
AI tools may be used for:
- Drafting and editing written content (emails, documents, presentations)
- Brainstorming and ideation
- Summarizing meeting notes or long documents
- Research and information gathering
- Code generation and debugging (engineering roles)
- Data analysis on appropriately classified data
- Creating first drafts of policies, procedures, and templates
Human review is always required. AI output must be reviewed for accuracy, bias, and appropriateness before being used in any final deliverable, communication, or decision.
6. Disclosure Requirements
- Internal work: Disclosure is encouraged but not required for routine tasks (drafting emails, editing copy, brainstorming).
- Hiring decisions: Any use of AI in resume screening, candidate evaluation, or interview scoring must be disclosed to the hiring team and documented.
- Performance management: AI-generated content used in performance reviews, PIPs, or promotion recommendations must be disclosed to the reviewing manager and the employee.
- Customer-facing content: [Define your company's position: e.g., "AI-assisted content does not require disclosure" or "All AI-generated customer content must be reviewed by the Communications team"]
- Legal and compliance documents: All AI use in legal, compliance, or regulatory documents must be disclosed to the Legal team.
7. Prohibited Uses
The following uses of AI are strictly prohibited:
- Inputting Restricted-tier data (SSNs, health records, passwords, payment data) into any AI tool
- Using AI to make final hiring, termination, or disciplinary decisions without human review and approval
- Using AI to monitor, surveil, or score employees without their knowledge and consent
- Representing AI-generated work as original human work in contexts where authenticity is required (e.g., published research, sworn statements, certifications)
- Using AI tools to circumvent security controls, access restrictions, or other company policies
- Using AI to generate content that is discriminatory, harassing, or in violation of our Code of Conduct
- Using unapproved AI tools for company work without prior authorization
8. Incident Response
If you believe company data has been inappropriately shared with an AI tool, or if you discover AI-generated content that may be harmful, inaccurate, or in violation of this policy:
- Report immediately to [IT Security / your manager / People Ops] via [email / Slack channel / reporting tool]
- Document what data was shared, which tool was used, and the approximate date and time
- Do not attempt to delete your conversation history with the AI tool until IT has reviewed the incident
- No retaliation: Good-faith reports of accidental data exposure will not result in disciplinary action. We want people to report incidents, not hide them.
9. Training and Compliance
All employees will receive training on this policy within [30 days] of its effective date. New employees will receive training during onboarding. Annual refresher training will be provided, and this policy will be reviewed and updated [quarterly / semi-annually].
10. Policy Violations
Violations of this policy will be addressed through the standard disciplinary process outlined in the Employee Handbook. The severity of the response will depend on the nature of the violation, whether it was intentional, and the potential impact on the company and its stakeholders.
11. Questions and Feedback
This is a living document. As AI technology evolves, so will this policy. Questions, suggestions, and feedback should be directed to [People Ops email / Slack channel / policy owner name].
How to Present This to Leadership
Having a template is one thing. Getting it approved is another. Here's how I'd position this conversation with your leadership team:
Lead with risk, not restriction. Don't frame this as "we need to control AI usage." Frame it as "our employees are already using AI tools. Right now, we have zero visibility into what data is being shared. This policy gives us a framework before something goes wrong."
Bring examples. Samsung banned ChatGPT entirely after engineers leaked proprietary source code. Several law firms have been sanctioned after filing AI-generated briefs with fabricated case citations. These aren't fear-mongering; they're things that actually happened. A proactive policy is dramatically cheaper than a reactive incident.
Show the enablement angle. An AI policy isn't just about risk mitigation. It's about giving employees explicit permission to use AI tools. Many employees are already using them and feeling guilty about it, or avoiding them entirely because they're unsure what's allowed. Clear guidelines unlock productivity.
Pro tip: Don't try to get the perfect policy approved on day one. Get version 1.0 approved quickly and commit to reviewing it quarterly. AI is moving fast and your policy should move with it. An 80% policy today is better than a perfect policy six months from now.
After the Policy Is Live
A policy that lives in a Google Doc nobody reads is just a liability shield. To make it actually work:
- Host a 30-minute training session. Walk through the data classification table with real examples from your company. This is the section people struggle with most.
- Create a Slack channel (something like #ai-at-work) where people can ask questions, share useful prompts, and flag concerns. Make it a positive space, not a compliance channel.
- Audit quarterly. Check which AI tools employees are actually using (your IT team can help with this). Update the approved tools list. Review any reported incidents.
- Celebrate good usage. When someone uses AI to save their team ten hours of work, share that story. The goal is a culture where AI is used openly and well, not hidden and badly.
You don't need to be an AI expert to write this policy. You need to be the person who steps up and says, "We need guardrails and I'm going to build them." That's an HR move. And your company will be better for it.