AI Policy Template for Organisations

Purpose: This policy establishes guidelines for the responsible use of artificial intelligence tools at [ORGANISATION NAME]. It aims to maximise the productivity benefits of AI while protecting [ORGANISATION NAME]'s data, reputation, intellectual property, and stakeholders.

Scope: This policy applies to all [EMPLOYEES / CONTRACTORS / THIRD-PARTY PARTNERS] who use AI tools in the course of their work for [ORGANISATION NAME]. It covers both AI tools provided by the organisation and personal AI tools used for work purposes.

Effective Date: [DATE]

Review Cycle: This policy will be reviewed [QUARTERLY / SEMI-ANNUALLY] by [ROLE / COMMITTEE NAME].

Approved AI Tools

The following AI tools have been reviewed and approved for use at [ORGANISATION NAME]:

• Tier 1 — Unrestricted: [TOOL NAMES — e.g. Microsoft Copilot, ChatGPT Team]. May be used for all approved purposes without additional approval.
• Tier 2 — Restricted: [TOOL NAMES — e.g. Claude, Midjourney]. May be used for [SPECIFIC PURPOSES]. Requires [MANAGER APPROVAL / TRAINING COMPLETION].
• Tier 3 — Pilot Only: [TOOL NAMES]. Currently being evaluated. Use only by [PILOT GROUP] with [OVERSIGHT REQUIREMENT].

Unapproved Tools

Any AI tool not listed above requires written approval from [IT DEPARTMENT / AI GOVERNANCE COMMITTEE] before use. Employees must not use unapproved AI tools with company data under any circumstances.

Before using any AI tool, employees must classify the data they intend to input:

• Public: Information already publicly available. ✅ May be used with any approved AI tool.
• Internal: Non-sensitive business information. ✅ May be used with Tier 1 tools only. ⚠️ Remove identifying details where possible.
• Confidential: [EXAMPLES — e.g. financial data, strategic plans, employee records]. ❌ Must NOT be entered into any AI tool unless [SPECIFIC EXCEPTION — e.g. the tool has a signed DPA and enterprise data protections].
• Restricted: [EXAMPLES — e.g. PII, health records, legal privileged information]. ❌ Must NEVER be entered into any AI tool under any circumstances.

Data Residency: AI tools processing [ORGANISATION NAME] data must store data in [APPROVED REGIONS — e.g. UK, EU, Australia]. Verify data residency settings before use.

• AI-generated content produced in the course of work for [ORGANISATION NAME] is the property of [ORGANISATION NAME].
• Do not input [ORGANISATION NAME]'s proprietary code, trade secrets, or unpublished intellectual property into AI tools without [APPROVAL FROM LEGAL / IP TEAM].
• When using AI to generate creative content (text, images, code), employees must [DISCLOSE AI INVOLVEMENT / REVIEW FOR IP CONFLICTS / BOTH].
• AI-generated code must undergo the same review process as human-written code before deployment to production.

• AI outputs must be reviewed by a qualified human before being shared externally or used in decision-making.
• Employees are responsible for the accuracy of any AI-assisted work they submit, publish, or share — treat AI as a first draft, not a final answer.
• All facts, statistics, citations, and claims in AI-generated content must be independently verified.
• AI must not be used as the sole basis for decisions that significantly affect individuals (hiring, performance reviews, disciplinary actions) without [HUMAN REVIEW PROCESS].
• For [HIGH-RISK USE CASES — e.g. legal advice, medical information, financial reporting], AI outputs require sign-off from [QUALIFIED ROLE].

• AI tools must not be used to generate content that is discriminatory, harassing, defamatory, or otherwise in violation of [ORGANISATION NAME]'s Code of Conduct.
• Employees must not use AI to impersonate individuals, create misleading deepfakes, or generate deceptive content.
• AI-powered hiring tools must be regularly audited for bias by [RESPONSIBLE TEAM].
• If an AI tool produces biased or harmful output, report it to [CONTACT / CHANNEL] immediately.

• When AI has substantially contributed to external-facing content (reports, articles, client deliverables), [ORGANISATION NAME] [REQUIRES / RECOMMENDS] disclosure.
• Disclosure format: [EXAMPLE — "This content was created with the assistance of AI tools and reviewed by [AUTHOR NAME]."]
• Internal AI use does not require disclosure unless [EXCEPTION — e.g. it involves HR decisions, legal matters, or board reporting].
• Client-facing AI use must comply with any relevant contractual obligations regarding AI disclosure.

• AI Governance Committee: [COMMITTEE NAME], comprising [ROLES], meets [FREQUENCY] to review this policy, evaluate new tools, and address incidents.
• Training: All employees must complete [TRAINING PROGRAM NAME] within [TIMEFRAME] of this policy's effective date. New starters must complete it during onboarding.
• Reporting: Report AI-related concerns, data incidents, or policy questions to [EMAIL / CHANNEL / PERSON].
• Compliance: Violations of this policy will be addressed in accordance with [ORGANISATION NAME]'s disciplinary procedures.
• Exceptions: Requests for policy exceptions must be submitted in writing to [AUTHORITY] with a risk assessment and business justification.