Sample Template

Internal AI Use Policy

Important: This is a sample template for informational purposes only. It is not legal or compliance advice. Adapt it to your industry, regulatory environment, and the specific tools your team uses, and have qualified counsel review before adopting.

1. Purpose

[Company Name] (“the Company”) uses artificial-intelligence tools to improve productivity. This policy defines which AI tools may be used, what kinds of information may be processed with them, and the responsibilities of every team member who uses them. It applies to all employees, contractors, and vendors acting on the Company's behalf.

2. Definitions

Confidential Information: any non-public information about clients, customers, employees, finances, operations, or vendors, including any information subject to a duty of confidentiality, privilege, HIPAA, GLBA, or similar obligations.
Public AI Tool: a consumer-grade AI service such as ChatGPT (Free/Plus), Claude.ai (Free/Pro), or Gemini consumer.
Enterprise AI Tool: an AI service used through an API or enterprise account governed by commercial terms and a Data Processing Agreement.

3. Approved Tools & Permitted Use

Risk Tier	Tools	Permitted Use
High Risk Public AI	ChatGPT Free/Plus, Claude.ai Free/Pro, Gemini consumer, [other]	Public, non-confidential information only. Never with client data, financial data, personnel data, or any Confidential Information.
Conditional Cloud Automation	Make.com, Zapier (paid tiers with DPA), [other]	Administrative use (scheduling, intake, notifications). Confidential Information only when a signed DPA is in place and data minimization is applied.
Approved Self-Hosted + API	Company-hosted n8n + AI API on commercial terms, [other]	Approved for Confidential Information consistent with documented workflows.

4. Prohibited Uses

Pasting Confidential Information into any Public AI Tool.
Uploading client documents, contracts, or records to a personal AI account.
Using AI output as a final deliverable without human review.
Sharing AI-generated content as the work of the AI tool to third parties without disclosing AI involvement, where disclosure is required.

5. Human Review

AI assists; humans decide. All AI-generated work product that leaves the Company — communications, documents, analyses, recommendations — must be reviewed and approved by a qualified team member before delivery. The reviewer is responsible for accuracy, appropriateness, and compliance.

6. Data Minimization

Even with approved tools, send only the minimum information necessary for the task. Redact names, account numbers, and other identifiers when the task does not require them.

7. Onboarding & Training

Every team member who will use AI tools must read this policy, sign the acknowledgment below, and complete [training program / orientation] before being granted access to approved tools.

8. Vendor & Contract Requirements

Any AI tool that touches Confidential Information must operate under:

A signed Data Processing Agreement.
A no-training clause covering Company data.
A defined retention period.
Breach-notification obligations.
A data-deletion right at termination.

9. Reporting & Incidents

Any suspected misuse, unauthorized disclosure, or AI-related incident must be reported to [designated officer / email] within 24 hours of discovery.

10. Policy Owner & Review

This policy is owned by [Title — e.g., Managing Partner / Operations Manager] and will be reviewed at least annually, or whenever a new AI tool or class of tool is introduced.

Acknowledgment

I have read and understand this AI Use Policy and agree to follow it.

Name & Title

Signature

Date