How to Write an AI Acceptable Use Policy for Your Business
A practical guide to creating an AI acceptable use policy that covers permitted tools, data handling rules, prohibited uses, and employee accountability — without needing a legal team.
An AI acceptable use policy defines which AI tools employees may use, what data they can share with those systems, what uses are explicitly prohibited, and who is accountable when something goes wrong. For most SMEs, a single clear document covering these four areas — reviewed every six months and signed by all staff — is sufficient to manage the primary risks. You do not need a legal team or a consultant to write one. You need clarity about what you are trying to protect.
Why you need one now, not later
Most businesses already have policies governing internet use, email, and data handling. AI tools belong in the same category — except they move faster, the risks are less obvious, and employees are far more likely to use them without asking permission first.
When an employee pastes a client contract into ChatGPT to summarise it, they are not trying to cause a problem. They are trying to do their job faster. Without a policy, they have no way of knowing that they may have just shared confidential client data with a US-based AI provider whose free tier uses inputs for model training. That is your liability, not theirs.
A policy does three things: it sets expectations before incidents happen, it gives managers a basis for action when they do, and it demonstrates to clients, insurers, and regulators that your business takes AI risk seriously. Under UK GDPR, you are responsible for the personal data your employees share with third-party processors — and most AI tools qualify.
What your AI acceptable use policy needs to cover
You do not need a 30-page document. You need five clear sections that answer the questions employees will actually have.
1. Approved tools
List the AI tools your business has reviewed and sanctioned. Be specific: "ChatGPT" is not enough — state whether you mean the free tier, ChatGPT Plus, or ChatGPT Team. Each tier has different data handling terms. If you have enterprise agreements with Microsoft Copilot or Google Gemini, note that. Tools not on the approved list require explicit written approval before use on company work.
2. Permitted data classifications
Define what data employees may and may not share with AI tools. A simple three-tier classification works for most SMEs: Public (freely shareable), Internal (shareable with approved tools under enterprise agreements only), and Confidential (never shareable with any AI tool without specific authorisation). Client names, financial data, personal data, and legally privileged material are always Confidential.
3. Acceptable uses
Describe what AI tools may be used for: drafting internal communications, summarising public documents, generating code with non-confidential logic, brainstorming marketing copy. Being explicit about permitted uses reduces the grey area employees navigate daily.
4. Prohibited uses
List what is never permitted regardless of tool: sharing personal data of clients or staff, inputting unpublished financial information, using AI outputs without human review in client-facing work, creating deepfakes or misleading content, and using personal AI accounts for company work. Prohibited uses should be unambiguous.
5. Accountability and reporting
Name the person responsible for the policy (typically your IT Manager or DPO). Provide a clear route for employees to report suspected misuse or accidental data sharing. State that suspected data breaches involving AI tools must be reported within 24 hours so you can assess your GDPR notification obligations.
What to explicitly prohibit
Beyond the general prohibited uses above, the following deserve a specific call-out in your policy because they are common, high-risk, and employees often do not realise they are a problem:
- Inputting client or customer personal data (names, emails, addresses, financial details) into any AI tool not covered by a Data Processing Agreement
- Using the output of AI tools in legal, medical, financial, or regulated advice without qualified human review and sign-off
- Presenting AI-generated content as original human work in contexts where that distinction matters (academic, regulatory, or contractual submissions)
- Connecting AI tools to company systems (email, calendar, CRM) via OAuth without IT approval — these grants often provide broad data access beyond what the employee intended
- Using personal accounts on AI platforms where the business cannot audit usage or revoke access when an employee leaves
Section-by-section template structure
A workable one-page structure for a small business:
- Purpose — one sentence on what the policy covers and why it exists
- Scope — who it applies to (all employees, contractors, and third parties acting on behalf of the business)
- Approved tools — named list with tier/version noted
- Data classification rules — three tiers, defined clearly
- Permitted uses — bullet list
- Prohibited uses — bullet list, non-exhaustive but explicit
- Accountability — named policy owner, review date, reporting route
- Consequences — reference to disciplinary policy
Keep it to one side of A4 if possible. Policies that fit on one page get read. Policies that run to twelve pages get filed and forgotten.
Getting employees to actually read it
Writing the policy is the easy part. The harder part is ensuring employees understand it, acknowledge it, and can recall what it says when they are about to do something they should not.
Send it with a covering note that explains the "why" in plain language — not corporate boilerplate. Something like: "We've written this because AI tools are now part of how most of us work, and we want to make sure we're using them safely for our clients and for the business." Require a written acknowledgement (a checkbox in your HR system, or a signed email) and log who has completed it. Run a brief 15-minute team session to answer questions. Revisit it at the next all-hands when you update it.
How Governably can automate the process
Governably detects the AI tools already in use across your business by scanning OAuth grants in Google Workspace and Microsoft 365, then cross-references them against your approved tool list. Where gaps exist — tools in use that are not in your policy, or tools granted access to sensitive scopes — Governably surfaces them as remediation tasks.
This means your acceptable use policy stays grounded in reality rather than aspiration. You know what is actually running, not just what you think is running.
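The cross-reference described above, as an added example that is not Governably's code or any vendor's API: a constructed OAuth grant inventory is checked against a policy's approved-tool list, and apps holding sensitive scopes are flagged for remediation. The record fields, the approved-tool names and the sensitive-scope keywords are assumptions for illustration.

```python
# Added example: reconcile an OAuth grant inventory against an AI acceptable use
# policy. Record layout and keyword list are assumptions, not a vendor schema.

# Scope fragments the policy treats as sensitive (mailbox, files, calendar,
# contacts, directory). "email" and "openid" are identity-only and not matched.
SENSITIVE_SCOPE_KEYWORDS = ("gmail", "drive", "files", "calendar", "contacts", "directory")

# Tools named in the policy's approved list (tier noted, as the policy advises).
APPROVED_TOOLS = {"ChatGPT Team", "Microsoft Copilot"}

# Constructed sample inventory: one record per (user, app) consent grant.
GRANTS = [
    {"user": "alice@example.com", "app": "ChatGPT Team",
     "scopes": ["openid", "email"]},
    {"user": "bob@example.com", "app": "SummarizeBot",
     "scopes": ["https://www.googleapis.com/auth/gmail.readonly",
                "https://www.googleapis.com/auth/drive"]},
    {"user": "carol@example.com", "app": "Microsoft Copilot",
     "scopes": ["Files.Read.All", "Calendars.Read"]},
    {"user": "dave@example.com", "app": "NotesAI",
     "scopes": ["openid", "profile"]},
]


def is_sensitive(scope: str) -> bool:
    """True if the scope string grants access to data the policy classes as Internal/Confidential."""
    s = scope.lower()
    return any(k in s for k in SENSITIVE_SCOPE_KEYWORDS)


def unapproved_apps(grants, approved):
    """Apps in use that do not appear on the policy's approved-tool list."""
    return {g["app"] for g in grants if g["app"] not in approved}


def review_grants(grants, approved):
    """Return remediation findings as (user, app, reason, sensitive_scopes) tuples."""
    findings = []
    for g in grants:
        sensitive = [s for s in g["scopes"] if is_sensitive(s)]
        if g["app"] not in approved:
            reason = "unapproved tool" + (" with sensitive scopes" if sensitive else "")
            findings.append((g["user"], g["app"], reason, sensitive))
        elif sensitive:
            # Approved tool, but broad access: confirm the DPA/enterprise terms cover it.
            findings.append((g["user"], g["app"], "approved tool with sensitive scopes", sensitive))
    return findings


if __name__ == "__main__":
    for user, app, reason, scopes in review_grants(GRANTS, APPROVED_TOOLS):
        print(f"{user}: {app} - {reason} {scopes}")
```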
Frequently asked questions
What is an AI acceptable use policy?
An AI acceptable use policy is a written document that defines which AI tools employees may use at work, what data they are permitted to share with those tools, what uses are prohibited, and who is accountable when things go wrong. It sits alongside your existing IT and data protection policies.
Does a small business need an AI acceptable use policy?
Yes. Any business whose employees use AI tools — even free consumer ones like ChatGPT — is exposed to data leakage, confidentiality breaches, and compliance risk. A one-page policy is enough to set expectations and reduce liability.
How often should we update our AI acceptable use policy?
Review it at least every six months. The AI tool landscape changes rapidly, and a policy written in early 2024 may not cover tools employees are using today. Build a calendar reminder into your policy review cycle.
Who should sign off on the AI acceptable use policy?
The policy should be approved by whoever owns data protection and IT risk in your organisation — typically the Managing Director, IT Manager, or Data Protection Officer if you have one. All employees should acknowledge it in writing, ideally via your HR onboarding system.
What happens if an employee violates the AI acceptable use policy?
Violations should be handled under your existing disciplinary process. The policy should state clearly that breaches may result in disciplinary action up to and including dismissal, particularly where confidential data has been shared with an unsanctioned AI tool.