How to Write an AI Use Policy for Employees: A Template-Driven Guide for 2026
Your staff are already using AI. The only question is whether they are doing it inside rules you set or outside any rules at all. An AI use policy is the document that turns a free-for-all into a managed practice: it tells people which tools are allowed, what data can never go into a prompt, when a human has to check the output, and what happens if the rules are broken. This guide walks you through writing one clause by clause, with a comparison table for approved versus prohibited use and a set of sample clauses you can copy, edit and drop straight into your handbook.

Why You Need This in 2026
The gap between adoption and governance is the real risk. An UpGuard report published in November 2025 found that more than 80 percent of workers use AI tools their employer has not approved. This is shadow AI: people pasting customer lists, draft contracts, payroll figures and source code into consumer chatbots on personal accounts, with no record and no oversight. The productivity is real, but so is the leakage, and a policy is how you keep the first without the second.
The legal backdrop has hardened too. Article 4 of the EU AI Act, which has applied since 2 February 2025, requires providers and deployers to ensure a sufficient level of AI literacy among their staff and anyone using AI on their behalf. The broader Act becomes applicable to high-risk systems and to the transparency duties in Article 50 on 2 August 2026, with penalties reaching up to 35 million euro or 7 percent of global annual turnover for the most serious breaches. In the UK, the Information Commissioner's Office published its position on generative AI and data protection in December 2024, confirming that the usual data protection principles apply to anything you put into a model. A written policy is how you show a regulator you took reasonable steps.
What an AI Use Policy Must Cover
Before drafting, agree the sections the document has to answer. A policy that leaves any of these vague will fail at the moment someone needs it. Use this as a contents checklist.
- Purpose and scope. Why the policy exists and who it binds: employees, contractors, agency staff and anyone using AI on the organisation's behalf.
- What counts as AI. A definition broad enough to catch new tools, with concrete examples so people recognise when a rule applies.
- Acceptable use. The tasks AI may be used for, and the principles that govern all use.
- Approved and prohibited tools. A maintained list of sanctioned tools and a clear ban on anything not on it without sign-off.
- Data handling. What may and may not be entered into a prompt, mapped to your data classes.
- Disclosure and human review. When AI involvement must be declared and when a person must check the output before it is used.
- Accuracy and intellectual property. Who owns the result and who is responsible for it being correct, lawful and original.
- Enforcement. How the policy ties to your disciplinary process and what breaches look like.
- Roles and review. Who owns the policy, who approves tools, and how often it is updated.
For organisations that want a recognised framework behind the document, ISO/IEC 42001:2023, the first international standard for AI management systems, sets out a governance structure you can test your draft against. It is broad and sector-agnostic, and it pairs well with a practical staff-facing policy.
Step 1: Define Scope and Acceptable Use
Start by saying who the policy covers and what AI means in your context. Keep the definition wide, covering generative tools that produce text, images, code or audio, AI features built into software you already use, and any system that makes or supports decisions. List examples so no one can claim a tool was not included. Then set the acceptable-use principles that sit above every specific rule: AI is a tool to assist people, not to replace their judgement; it must be used lawfully and in line with your other policies; and the person using it remains accountable for the result.
Acceptable use is easier to follow when it is framed positively first. Say what AI is encouraged for, such as drafting, summarising public material, brainstorming, code assistance and research, then layer the limits on top. People follow a policy that helps them work better far more readily than one that reads as a list of bans.
Step 2: Decide Approved Versus Prohibited Tools
The single most effective control is a maintained list of approved tools. Name the person or group who owns it, give a simple route to request a new tool, and state plainly that using anything off the list for company work requires sign-off. The goal is not to make approval hard; it is to make the approved path easy enough that no one needs the shadow one. The table below shows the distinction your policy should draw.
| Area | Approved use | Prohibited use |
|---|---|---|
| Tools | Enterprise accounts on the approved list, configured so inputs are not used for training or retained beyond your control | Personal or free consumer accounts, or any tool not yet vetted |
| Data in prompts | Public or non-sensitive information, anonymised material, your own draft text | Personal data, customer records, source code, financials, trade secrets, anything confidential |
| Tasks | Drafting, summarising, ideation, code assistance, research support | Final decisions on hiring, dismissal, credit, legal or safety matters without human sign-off |
| Output | Reviewed and verified by a person before use, with facts and sources checked | Published or sent externally unchecked, or passed off without disclosure where required |
Keep the list short enough to govern and long enough to be useful. If the approved tools cannot do the job, people will go around them, so treat requests for new tools as a signal to act on rather than an irritation to refuse.
Step 3: Set the Rules for Data in Prompts
This is the clause that prevents most real harm, so make it the clearest part of the document. The principle is simple: treat anything you type into a tool that has not been approved for that data class as if you posted it in public. Map the rule to the data classifications you already use. Personal data of any kind, customer and client information, employee records, source code, financial data, legal documents, security details and anything under a confidentiality obligation must never go into an unapproved tool.
The ICO's position on generative AI confirms that the usual data protection principles, including lawfulness, fairness, transparency, purpose limitation, data minimisation and accuracy, apply to personal data processed through AI. In practice that means staff need an approved enterprise tool with the right contractual terms and privacy settings before any personal or confidential data goes near a model, and even then only the minimum needed. Spell out a safe alternative for sensitive work so the rule reads as a redirection rather than a dead end.

Step 4: Require Disclosure and Human Review
Two rules keep AI output trustworthy: say when you used it, and check it before anyone relies on it. For disclosure, set a threshold around impact. Require people to declare AI involvement when it materially shaped a deliverable that affects a customer, a colleague, a legal or financial position, or an external communication. Trivial help such as tidying grammar does not need a label, and burying staff in disclosure for everything trains them to ignore the rule.
Human review is non-negotiable for anything that leaves the building or feeds a decision. Generative tools produce fluent, confident text that can be wrong, so require a named person to verify facts, figures, quotations, code and citations before AI-assisted work is sent, published or acted on. State that AI may inform a decision affecting people, such as in recruitment or performance, but may never make it alone. This is where your internal policy meets the law: the same human-oversight and transparency duties run through the EU framework. Our EU AI Act compliance checklist for businesses shows how these policy rules map to the legal obligations you face before 2 August 2026.
Step 5: Assign Accuracy and IP Responsibility
Make ownership unambiguous. The employee who uses an output and the organisation that publishes it are responsible for it, not the tool. State that staff own the accuracy of anything they submit under their name, and that they must not present AI-generated work as if it were independently verified when it is not. Add that AI tools can reproduce protected material, so people must not use outputs that copy a recognisable source, and must respect third-party rights and your own confidentiality obligations.
Intellectual property cuts both ways. Outputs created with AI may not always attract the protection you expect, and inputs you share may leak your own confidential material into a third party's systems. The policy should tell staff to keep proprietary information out of prompts and to check that any AI-assisted deliverable is genuinely original before it carries the company's name.
Step 6: Tie Enforcement to Your Disciplinary Process
A policy with no teeth is a suggestion. State clearly that breaching it, especially by putting confidential or personal data into an unapproved tool, may be treated as a disciplinary matter under your existing process, up to and including dismissal for serious cases. Reference the disciplinary policy by name rather than inventing a parallel system. Balance enforcement with fairness: someone who reports an honest mistake, such as realising they pasted the wrong document, should be encouraged to come forward, because the alternative is silence and a hidden breach. Pair enforcement with training so no one can credibly say they did not know the rule.
Sample Policy Clauses You Can Copy
The clauses below are a starting point. Adapt the wording to your organisation, your data classifications and your disciplinary process, and have them reviewed before adoption. They are written to be lifted into a handbook and edited.
Scope
"This policy applies to all employees, contractors, agency workers and anyone using artificial intelligence tools in connection with [Company]'s business. It covers any AI system used for work, including generative tools that produce text, images, code or audio, AI features within other software, and any system that makes or supports decisions."
Approved tools
"You may only use AI tools on [Company]'s approved list for work purposes. The current list is maintained by [role or team]. To request a new tool, contact [role]. Using any AI tool that is not approved for company work, or using a personal account for company data, is not permitted without prior written sign-off."
Data in prompts
"Do not enter personal data, customer or client information, employee records, source code, financial information, security details, legal documents or any confidential or proprietary information into an AI tool unless that tool has been approved for that class of data. If in doubt, treat the information as confidential and do not enter it."
Disclosure and human review
"Where AI has materially shaped a deliverable that affects a customer, a colleague, a legal or financial decision, or an external communication, you must disclose that AI was used in line with [process]. You remain responsible for the output. Before any AI-assisted work is published, sent externally or used to support a decision, a person must review and verify its facts, figures, sources and accuracy. AI must not be the sole basis for a decision affecting an individual."
Accuracy, IP and enforcement
"You are responsible for the accuracy, legality and originality of any output you use or submit. Do not present AI-generated work as independently verified unless it has been, and do not use outputs that reproduce another party's protected material. Breaching this policy may be treated as a disciplinary matter under [Company]'s disciplinary procedure, up to and including dismissal in serious cases."
Step 7: Train, Communicate and Review
A policy no one reads changes nothing. Brief managers first, give every member of staff the document at induction and again when it changes, and run short training that covers the data rule, the approved list and the disclosure threshold, since those are where breaches happen. Training is also how you meet the AI literacy expectation in the EU framework. Name an owner, version the document, and review it at least annually or whenever a new tool, a new regulatory deadline or an incident makes the current version out of date.
Common Mistakes to Avoid
A few predictable errors weaken otherwise sound policies. Banning AI outright simply pushes everyone into shadow use, because the work still has to get done. Approving a list of tools that cannot actually do the job has the same effect. Writing a data rule so vague that no one knows what counts as confidential leaves the most important clause unenforceable. And publishing the policy once, then never training on it or reviewing it, guarantees it is forgotten by the time it matters. Each is avoidable with the steps above.
Frequently Asked Questions
Is an AI use policy a legal requirement?
No single law says every employer must publish an AI policy, but several obligations make one the practical way to comply. Under Article 4 of the EU AI Act, which has applied since 2 February 2025, providers and deployers must take measures to ensure their staff have a sufficient level of AI literacy. UK and EU data protection law requires you to control how personal data is processed, which includes data typed into AI prompts. A written policy is how you evidence that you took reasonable steps, so even where it is not strictly mandatory it is treated as good practice.
Can employees put confidential or customer data into ChatGPT?
Not unless the tool is approved for that purpose and configured so your inputs are not used to train the model or retained beyond your control. A general consumer chatbot account should be treated as a public space. Your policy should ban entering personal data, customer information, source code, financial records, trade secrets and anything covered by confidentiality obligations into any tool that has not been approved for that data class. Where staff need AI for sensitive work, give them an enterprise account with the right contractual and privacy settings.
What is shadow AI and how does a policy reduce it?
Shadow AI is the use of AI tools that the organisation has not vetted or approved, usually on personal accounts and outside any oversight. Surveys through 2025 found the practice is widespread, with an UpGuard report published in November 2025 stating that more than 80 percent of workers use unapproved AI tools at work. A policy reduces it by giving people approved tools that are good enough to use, a quick route to request new ones, and clear consequences for routing company data through unsanctioned services.
Do employees have to disclose when they used AI?
Set the rule in your policy rather than leaving it to judgement. A common standard is to require disclosure whenever AI materially shaped a deliverable that affects a customer, a colleague, a legal or financial decision, or an external communication. Routine help such as fixing grammar or summarising a public article usually does not need a label. The point of disclosure is traceability and trust, so write it around the impact of the output, not the mere fact a tool was opened.
Who is responsible if AI produces a wrong or infringing output?
The employee who uses the output and the organisation that publishes it, not the tool. Generative systems can produce confident errors and can reproduce protected material, so your policy should make clear that staff own the accuracy, legality and originality of anything they submit under their name. Require human review and verification of facts, figures, quotes, code and citations before AI-assisted work is relied on or sent outside the business.
How often should we review the AI use policy?
At least once a year, and sooner when something material changes. The tools, the law and the risks all move quickly, so tie a review to events such as a new approved tool, a new regulatory deadline, or an incident, as well as a fixed annual date. Name an owner for the policy so the review actually happens rather than drifting, and version the document so people can see what changed and when.
Moving Forward
An AI use policy is where your values about responsible technology meet the keyboard. Built in the right order, it lets people use AI to work better while keeping your data, your customers and your obligations protected. Define scope and acceptable use first, then settle approved tools, the data rule, disclosure and review, accuracy and IP, and enforcement, and finish with training and a review cycle. Keep the document short, the approved path easy, and the data rule unmissable.
This works best as one part of a wider framework. If you have not yet set the values the policy enforces, start with your code of ethics for business owners, then map the policy to the law using our EU AI Act compliance checklist. You can find more practical guides across the E-Business Ethics resources.
For the underlying rules, the official text of Article 4 of the EU AI Act on AI literacy and the ICO's guidance on AI and data protection are reliable places to check what applies to your business.