How to Write an AI Policy for Your Team
Your team is already using AI. The question isn't whether to allow it — it's whether you'll have clear guidelines before something goes wrong. An AI policy isn't bureaucracy for its own sake. It's the difference between a team that uses AI confidently and one where people are either reckless or paralyzed by uncertainty.
Here's how to write one that actually works.
This guide is part of the AI Future of Work guide, which covers how teams and organizations are adapting to AI long-term.
Your First Policy Draft in 15 Minutes
You can have a working first draft right now. Open ChatGPT or Claude, using your work account on a business-tier plan rather than a personal free one, and paste this:

```text
I manage a [team size]-person [department] team at a [company type].
We use AI for: [list 2-3 common uses — email drafting, data analysis,
code generation, etc.].
Our main data sensitivity concerns: [customer PII / financials /
health data / source code / none specifically].
Write a concise AI use policy (under 2 pages) covering:
1. Approved tools and tiers
2. Data that must never be shared with AI tools
3. When human review is required before using AI output
4. Prohibited uses
5. Who is accountable for AI-generated work
Format as a ready-to-use policy document with bracketed placeholders
for company-specific details.
```
Review the output, fill in the brackets, and you have a policy good enough to share with your team today. The rest of this article explains how to make it better.
Why you need an AI policy now
If you don't have a policy, you have an implicit one: "figure it out yourself." That leads to predictable problems:
- Data leaks. Someone pastes customer data into a free-tier AI tool that may retain it indefinitely and use it for training, with no contractual obligation to your company.
- Quality incidents. AI-generated content goes to clients without review and contains errors or hallucinations.
- Inconsistency. One team uses AI freely; another bans it. New hires don't know what's expected.
- Legal exposure. AI-generated code or content creates IP questions nobody thought to address.
- Shadow AI. People use AI tools anyway but hide it, making it impossible to manage risk or share best practices.
- Ethics gaps. Without guidelines, teams stumble into bias, privacy violations, and accountability failures. (See my guide on AI ethics at work for the foundational concerns your policy should address.)
A policy doesn't need to be a 40-page legal document. For most teams, one to two pages covering the key areas is enough to eliminate ambiguity and let people move fast with guardrails.
What to include
Approved tools
Be explicit about which AI tools are sanctioned — this is about ensuring data handling standards, not restricting choice. (If you're still deciding which tools to approve, my AI tools comparison can help.)
Here are the tiers that matter for most teams:
- General-purpose AI: ChatGPT Team ($25/user/month; inputs not used for training), Claude on a Team or Enterprise plan (commercial terms exclude training on your data; Claude Pro at $20/month is an individual plan whose data-use defaults have changed over time, so check the current terms before approving it for work data), or Gemini for Workspace (included in Business Standard+).
- Code assistance: GitHub Copilot Business ($19/user/month; prompts and code not used for training), Cursor Pro ($20/month; enable its privacy mode for work repositories).
- Meeting notes: Otter.ai Business ($17/user/month), Fireflies.ai Business ($19/user/month). A meeting bot records everyone on the call, so your disclosure rules apply; also check where transcripts are stored, who they are shared with and how long they are retained.
- Email: Superhuman ($30/month), or native Copilot/Gemini if you're on M365/Workspace.

Key rule: free tiers, and individually paid plans, of ChatGPT, Claude, and Gemini may use your inputs for model training by default and give you no contractual retention terms. Team, business and enterprise tiers come with a contractual commitment not to train on your data. For work use, require an account on a business tier under your organisation's agreement, not a personally paid subscription, and verify the vendor's current data-processing terms yourself, since they change.

Define the approval process for new tools. Keep it lightweight: a Slack message to IT with a link to the tool's data policy works for most teams, as long as the reviewer answers three questions from that policy: are inputs used for training, how long are prompts and outputs retained, and which third parties (including the underlying model provider) receive the data?
Data handling rules
This is the most important section. Be concrete and specific — especially if your team uses AI for data analysis, where sensitive information can easily end up in prompts.
What can be shared with AI tools:
- Publicly available information
- Internal drafts and brainstorming content
- Anonymized or synthetic data
- Your own code, unless it falls under the proprietary-code rule below (with appropriate review)
What must never be shared:
- Customer PII (names, emails, addresses, payment info)
- Credentials, API keys, passwords, session tokens, including the ones that hide inside pasted logs, config files, screenshots and stack traces
- Confidential financial data, unreleased earnings
- Data covered by NDA or regulatory requirements (HIPAA, SOX, etc.)
- Proprietary source code (define what "proprietary" means in your context)
Grey areas and how to handle them:
- Internal communications — generally fine if no PII or confidential data
- Aggregate business metrics — usually fine; use judgment
- When in doubt, anonymize first, then use the tool. Anonymizing means more than deleting names: an email address, a phone number, a card number in a pasted log, or a combination of role, location and date can identify someone just as well.
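The "anonymize first" rule is the one people get wrong most often, because names and emails are easy to spot but a card number or an API key buried in a pasted log is not. As an added example (it is not part of this article and not any vendor's feature), here is a small Python pre-flight scrubber you could run over text before it goes into a prompt. It blocks the paste outright when it finds a credential, replaces PII with stable placeholders so repeated values still read as the same person, and uses a Luhn check so that order numbers are not mistaken for card numbers. The regexes, the two sample texts and the AKIAIOSFODNN7EXAMPLE key (AWS's published documentation example) are constructed for illustration; tune the patterns to your own data before relying on them.

```python
"""Pre-flight scrubber: run over text *before* it is pasted into an AI tool.

Added example for this article, not any vendor's feature. Patterns are
illustrative and deliberately narrow; tune them to your own data.
"""
import re
import sys
from dataclasses import dataclass, field

# Credentials. A hit here blocks the paste: the right fix is to remove the
# config or log excerpt, not to send it with the value blanked out.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "jwt": re.compile(r"\beyJ[\w-]{10,}\.[\w-]{10,}\.[\w-]{10,}\b"),
    # key=value style; group 1 keeps the variable name so the scrubbed
    # text still shows which setting was involved.
    "assignment": re.compile(
        r"(?i)\b((?:api[_-]?key|secret|password|token)\s*[=:]\s*['\"]?)"
        r"[A-Za-z0-9_\-/+]{12,}"),
}

# Personal data. Redacted with stable placeholders so repeated values still
# read as the same entity. PHONE is US-centric; add your own formats.
PII_PATTERNS = {
    "EMAIL": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "CARD": re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)"),
    "PHONE": re.compile(
        r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Order IDs and ticket numbers fail it, card numbers pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class ScrubResult:
    text: str                      # safe-to-paste version of the input
    blocked: bool = False          # True if any credential was found
    secrets: list = field(default_factory=list)       # kinds of credential hit
    placeholders: dict = field(default_factory=dict)  # placeholder -> original


def scrub(text: str) -> ScrubResult:
    result = ScrubResult(text=text)

    # 1. Credentials: record the kind, redact the value, block the paste.
    for kind, pat in SECRET_PATTERNS.items():
        def hide(m, kind=kind):
            result.secrets.append(kind)
            prefix = m.group(1) if m.lastindex else ""
            return f"{prefix}[SECRET_{kind}]"
        result.text = pat.sub(hide, result.text)
    result.blocked = bool(result.secrets)

    # 2. PII: pseudonymise. CARD runs before PHONE so a card number is never
    #    partly consumed as a phone number.
    seen = {}                      # (kind, normalised value) -> placeholder
    for kind, pat in PII_PATTERNS.items():
        def pseudo(m, kind=kind):
            raw = m.group(0)
            norm = raw.lower() if kind == "EMAIL" else re.sub(r"\D", "", raw)
            if kind == "CARD" and not luhn_ok(norm):
                return raw         # 13-19 digits but not a card: leave it
            key = (kind, norm)
            if key not in seen:
                n = sum(1 for k in seen if k[0] == kind) + 1
                seen[key] = f"[{kind}_{n}]"
                result.placeholders[seen[key]] = raw
            return seen[key]
        result.text = pat.sub(pseudo, result.text)
    return result


# Constructed sample texts (no real people, no real keys).
SAMPLE = (
    "Refund request: card 4242424242424242 (customer jane.doe@example.com)\n"
    "Jane (jane.doe@example.com, +1 415-555-0134) was charged twice.\n"
    "Order ref 1234567890123 is the duplicate; please draft a reply.\n"
)
SECRET_SAMPLE = (
    "Why does this config fail?\n"
    "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"   # AWS's documented example key
    "api_key = fake_key_0123456789abcdef\n"
)

if __name__ == "__main__":
    src = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    r = scrub(src)
    if r.blocked:
        print(f"BLOCKED: credentials found ({', '.join(r.secrets)}); "
              "remove them from the source, do not paste.")
    else:
        print(r.text)
```

Wire it in wherever the paste actually happens (a `pbpaste | python scrub.py` alias, a pre-commit hook for prompt files in a repo, or a clipboard helper); the point is that the check runs before the text leaves your machine. A blocked result means go back to the source and remove the credential, not reword the paste.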
Review requirements
Define when AI-generated output needs human review before use.
- Always review: Customer-facing content, legal documents, financial reports, published code, anything with your name or company brand on it.
- Light review: Internal drafts, brainstorming outputs, code used only in development/testing.
- No review needed: Personal productivity (rewriting your own notes, summarizing for your own use, learning).
The key principle: the higher the stakes and the wider the audience, the more review is needed. AI output should be treated as a first draft from a capable but unreliable junior colleague.
Prohibited uses
Some things should be off-limits regardless of context.
- Don't use AI to make hiring or firing decisions. Automated employment decisions are regulated in a growing number of jurisdictions, and a model cannot explain or defend its reasoning the way you will be asked to.
- Don't use AI to generate performance reviews without substantial human rewriting — it doesn't know your people.
- Don't submit AI-generated work as your own in contexts where original authorship is expected (research papers, expert testimony, some client deliverables — define which ones).
- Don't use AI to monitor or surveil employees unless explicitly disclosed and legally compliant.
- Don't rely on AI for legal, medical, or financial advice without professional verification.
Disclosure expectations
This is team-dependent, but pick an approach and be explicit:
- Always disclose to external clients when AI assisted with deliverables.
- Disclose when asked for internal work.
- No disclosure needed for personal productivity use.
Accountability
AI doesn't change who's responsible. Make this crystal clear:
- The person who submits AI-generated work is responsible for its accuracy, quality, and appropriateness.
- "The AI got it wrong" is not an acceptable explanation for errors in published work.
- Managers are responsible for ensuring their team understands and follows the policy.
Failure Modes and Fixes
AI policies break in predictable ways. Here is what goes wrong and how to fix it.
The policy is so restrictive that people ignore it entirely. Banning all AI use or requiring manager approval for every interaction guarantees shadow AI. Fix: Set guardrails, not roadblocks. Approve specific tools for specific tiers of use. If people can use AI for low-risk tasks without asking permission, they'll follow the rules for high-risk ones.
The policy says "use AI responsibly" but nobody knows what that means. Vague guidelines create inconsistency — one person thinks it's fine to paste customer data, another won't even use AI for personal notes. Fix: Use concrete examples. "NEVER input customer names or email addresses into AI tools" is a policy. "Be careful with sensitive data" is not.
The policy exists but nobody can find it or remembers it. A wiki page nobody visits is worse than no policy — it gives a false sense of security. Fix: Pin it in your team Slack channel. Reference it in onboarding. Bring it up once a quarter in a team meeting. If the policy is longer than 2 pages, that's part of the problem.
The policy is 12 months old and doesn't cover new tools or capabilities. AI changes fast. Fix: Set a review date when you publish. Every 6 months is reasonable. Check if tools have changed their data policies, assess whether new tools should be on the approved list.
The team resents the policy because they weren't consulted. People who helped shape the policy follow it. People who had it imposed look for workarounds. Fix: Involve at least one power user, one skeptic, and one person from legal in the drafting process. Their buy-in carries the team.
A practical framework for drafting your policy
Workflow: Write Your AI Policy
Trigger: When your team starts using AI tools, or when you realize you don't have a written policy
1. Survey your team: which AI tools are they using, for what, and what concerns do they have? (1 day)
2. Map your specific risks: data sensitivity, regulatory requirements, client obligations
3. Generate a first draft using the 15-minute prompt above, then fill in the brackets
4. Share the draft with one person from legal, one power user, and one skeptic — incorporate feedback
5. Keep it under 2 pages. If it's longer, cut until it isn't
6. Walk through it in one team meeting (15 min) — comprehension, not compliance theater
Outcome: A clear, team-endorsed AI use policy your team actually reads
Time: ~3-4 hours spread over one week
Step-by-step details
Step 1: Audit current usage. Send a short anonymous survey. Takes a day, saves you from writing a disconnected policy.
Step 2: Identify your risks. A healthcare company has HIPAA concerns. A law firm has confidentiality obligations. A startup may prioritize speed over process. Map your specific risks before writing generic rules.
Step 3: Draft with input. Write a first draft using the prompt template above, then circulate to a small review group and incorporate feedback.
Step 4: Keep it short. If your policy is longer than 2 pages, people won't read it. Aim for 1-2 pages of clear rules plus a short FAQ.
Step 5: Announce and train. Don't just email the policy. Walk through it in a team meeting. The goal is comprehension, not compliance theater.
Sample policy outline
Here's a skeleton you can adapt. Fill in the brackets with your specifics.
[Company Name] AI Use Policy
Effective date: [Date] | Review date: [Date + 6 months]
1. Purpose
This policy provides guidelines for using AI tools at [Company Name]. Our goal is to enable productivity while protecting company data, client information, and work quality.
2. Approved tools
- [Tool 1 — e.g., ChatGPT Team] — approved for [use cases]
- [Tool 2 — e.g., Claude Pro] — approved for [use cases]
- [Tool 3 — e.g., GitHub Copilot] — approved for [use cases]
- Using unapproved tools for work tasks requires approval from [role/person]. To request approval, [process].
3. Data rules
- NEVER input into AI tools: [list — customer PII, credentials, NDA-covered data, etc.]
- OK to input: [list — public info, internal drafts, anonymized data, etc.]
- When in doubt: anonymize the data first, or ask [role/person].
4. Review requirements
- Customer-facing outputs: must be reviewed by [role] before delivery.
- Internal outputs: author is responsible for accuracy.
- Personal productivity use: no review required.
5. Prohibited uses
- [List your prohibited uses]
6. Disclosure
- External deliverables: disclose AI assistance to clients.
- Internal work: disclosure encouraged, not required.
7. Accountability
- You are responsible for the accuracy and quality of any AI-assisted work you submit.
8. Questions
Contact [person/channel] with questions about this policy.
Getting buy-in
Lead with enablement, not restriction. Frame it as "here's how to use AI confidently" rather than "here's what you can't do."
Show risks concretely. Share real examples of AI-related incidents — data leaks, hallucinated citations in legal briefs, confidential code in training data. Specific stories motivate; abstract risk doesn't.
Involve early adopters. If your power users endorse the policy, others follow. If they think it's unreasonable, it probably is.
Make compliance easy. If the approved tool is harder to access than the unapproved free one, guess which people will use. Remove friction from the compliant path.
When to revisit
Set a review date when you publish. Every 6 months is reasonable. Check if tools have changed their data policies, assess whether new tools should be on the list, review any incidents, and get team feedback.
Before and After: What a Policy Changes
Here is an illustrative picture, not measured data, of what tends to change after a team adopts even a simple AI policy:
| Metric | Before policy | After policy (1 month) |
|---|---|---|
| Employees using free-tier tools with sensitive data | 40-60% (unknowingly) | <5% (with a clear approved-tools list and approved tools as easy to reach as the free ones) |
| AI-related data incidents | 1-2 per quarter (discovered late) | Fewer, and reported early, because people know what counts as an incident and where to report it |
| Team AI adoption | Uneven: 20% power users, 40% afraid to use it | 70%+ using approved tools confidently |
| Time to onboard a new hire on AI norms | "Figure it out" | 15 min reading the policy |
| Shadow AI usage | High and invisible | Low and visible |
The policy doesn't slow people down — it removes the uncertainty that was already slowing them down. People who were afraid to use AI because "what if I'm not supposed to?" start using it on day one.
Quick-Start Checklist
- Send a 3-question anonymous survey: which AI tools is your team using, for what, and what concerns do they have?
- Use the 15-minute prompt above to generate a first draft policy
- Fill in the bracketed placeholders with your real tools and rules
- Share the draft with one person from legal, one power user, and one skeptic
- Incorporate feedback and keep it under 2 pages
- Walk through it in one team meeting (15 min)
- Set a calendar reminder to review in 6 months
- Pin the policy in your team's Slack/Teams channel
AI governance isn't a one-time project. But the first version doesn't need to be perfect — it needs to be clear, short, and better than the implicit policy of "wing it."
For a broader look at how AI is reshaping work and teams, see the AI Future of Work guide.