Why most AI policies fail
Nine times out of ten, the AI policy I'm asked to review has the same problem: it was copied from a Fortune 500 template, lawyered into oblivion, and quietly archived in a SharePoint folder no one reads. Meanwhile, the marketing coordinator is pasting customer emails into ChatGPT, the finance team is asking Gemini to summarize sealed bids, and nobody on the leadership team knows it's happening.
A policy that nobody reads is not a policy — it's a liability shield that doesn't shield anything. The fix isn't a longer document. It's a shorter, sharper one that answers the four questions every employee is actually trying to figure out on their own.
The four questions a real AUP answers
1. What AI tools am I allowed to use?
Be specific. “Approved generative AI tools” is not specific. “ChatGPT Team, Claude.ai (Pro), and Microsoft Copilot in our M365 tenant” is specific. List the exact products, name the plan tier, and say where the access lives.
Then list what's not approved — consumer-tier free accounts of the same tools, any AI feature that retains data for training, and anything the team hasn't been told about yet. Default to no.
2. What data am I allowed to put into them?
This is where the entire policy lives or dies. Map your existing data classifications onto AI usage:
- Public — marketing copy, public job posts, press releases — anything you've already published. Fine for any approved tool.
- Internal — meeting notes, internal training, draft documents, general questions about your business. Fine for approved tools running in your business tenant.
- Confidential — customer data, employee data, contracts, financials, anything under NDA. Only in tools with a signed data processing agreement, never in consumer accounts.
- Restricted — PHI, payment card data, anything regulated, anything that would embarrass you on the front page of the local paper. Default to no. If a use case comes up, it goes through the model intake process before anyone pastes anything.
If your business doesn't already have data classifications, that's the homework to do first — an AUP without them is a guess.
3. What am I allowed to use the output for?
The output question matters as much as the input one, and most policies skip it. A few rules that cover 90% of cases:
- You are responsible for the output. AI can draft, summarize, suggest, and translate — you sign off on every word that leaves your hand.
- No AI-generated content goes to a customer without human review. That means email, proposals, contracts, support replies, social posts, all of it.
- No code goes to production without a human commit and a real review. Pasting from an AI window directly into a deploy pipeline is not allowed.
- Disclose when it matters. If a deliverable was substantially AI-generated and the recipient would care, say so.
4. What do I do when something goes wrong?
Tell people, in one sentence, who to email when they think they messed up. Then make the consequences for an honest mistake survivable. The fastest way to make your AUP unusable is to make the punishment for reporting an issue worse than the punishment for hiding one. People will hide it.
If you pasted something into an AI tool that you shouldn't have, email security@yourcompany.com immediately. Reporting promptly and honestly will not result in disciplinary action. Hiding it might.
The template
Drop this on one page, change the bracketed bits, share it with your team, and you're 80% of the way to a real policy. The other 20% is the work of training, reviewing edge cases, and updating it when tools change — which they will, quarterly, at least.
[COMPANY NAME] — AI Acceptable Use Policy
Version 1.0 · Owner: [name] · Reviewed: [date]
1. APPROVED TOOLS
You may use: [list specific products + plan tiers + tenant].
You may NOT use: free consumer accounts, personal accounts,
browser extensions, or any tool not on the approved list.
Need a tool that isn't here? Email [intake@company] before
using it.
2. APPROVED DATA
Public data → any approved tool.
Internal data → approved business-tenant tools only.
Confidential data → only tools with a signed DPA.
Restricted data → never, without explicit approval
via the model intake process.
3. APPROVED USES
- You are responsible for every output.
- No AI-generated content goes to a customer without
human review.
- No AI-generated code goes to production without a
human commit and review.
- Disclose AI use when the recipient would reasonably
want to know.
4. WHEN SOMETHING GOES WRONG
Email [security@company] immediately. Honest, prompt
reports will not be punished. Concealment will.
5. UPDATES
This policy is reviewed every quarter and any time we
add or remove an approved tool.
Acknowledged: ____________________ Date: __________
What to do after you write it
Writing it is the easy part. The work that decides whether it sticks:
- Get it signed. Every employee acknowledges it as part of onboarding and annually thereafter.
- Train against it, not around it. Half an hour of real examples beats an hour of legal language. Show people the bad pastes you've actually seen.
- Add a model intake. A two-question form that catches new tool requests before someone uses them. Then have a real human decide.
- Audit, gently. Spot-check a sample of AI usage logs monthly. You're not looking for crimes; you're looking for gaps in the policy.
- Update it when reality changes. A 2024 AUP that still says “no AI tools that can browse the web” in 2026 is a museum piece.
One thing you don't need to do
You do not need to ban AI to be safe. Every business I've worked with that tried ended up with a worse problem: shadow AI. People still use it; they just stop telling you. The job of an AUP is not to keep AI out of your business. It's to make AI use visible, intentional, and recoverable when something goes wrong.
One page. Four questions. Get the easy version done this week, and iterate from there. Perfect is the enemy of signed.
If you want a branded, customized version of this policy — with your data classifications, your approved tools, and your intake workflow built in — that's the Build an AI Program package. Or grab the full ISO 27001–aligned set in the Complete Policy Deck. Questions? Send a note.