AI Is Already in Use. Is Your Policy Keeping Up?

Whether your company has an AI acceptable use policy—or just a vague idea that you “should get around to it”—one thing is certain: AI is already being used by your employees.

They’re using generative AI tools to draft emails, summarize contracts, write code, analyze customer data, and more. But without strong, clear guardrails, what starts as a productivity boost can quickly become a legal risk.

If you don’t have an acceptable use policy yet, this is the place to start. If you already have one, now’s the time to review whether it’s clear, current, and enforceable.

Why an Acceptable Use Policy Is the First AI Governance Move That Matters

An AI Acceptable Use Policy defines how employees may—and may not—use AI tools at work. It helps your company:

• Prevent inadvertent data leaks and confidentiality breaches
• Clarify expectations before problems arise
• Reinforce human oversight and legal review
• Establish a compliance foothold before regulations land
• Connect AI use to your company’s broader governance, risk, and ethical framework

It’s not a silver bullet, but it’s the most practical, scalable step a legal or compliance team can take today to reduce risk and build trust. It also lays the groundwork for more advanced AI governance measures, such as risk assessments, ethical reviews, and oversight committees.

📢 Upcoming Event: AI Literacy Playbook: Train your workforce the right way

Join Laura Jeffords Greenberg , Alan Robertson , and Christine Uri to learn how to build a company-wide AI literacy program that meet legal, ethical, and regulatory expectations. Discover the four essential components of AI literacy training and gain insights on effective implementation. Sponsored by Wordsmith AI

🗓️ Thursday, May 15 | 9 AM PT / 12 PM ET / 4 PM GMT 📍 Register Here

Don’t miss out on this opportunity to up-level your workforce.

Nine Core Elements Every AI Acceptable Use Policy Should Include

Here’s a quick audit. If your current policy skips one of these—or if you're starting from scratch—consider this your blueprint.

1. Scope and Covered Tools

Spell out which AI tools and technologies the policy applies to (e.g., large language models,

image generators, AI code assistants). Clarify that it covers both company-approved and personally accessed tools used for work. Reference how this policy integrates with other company policies, such as data protection, information security, and code of conduct.

2. Permitted Uses

Outline appropriate use cases—like drafting internal content, summarizing documents, or brainstorming. Be specific enough to guide behavior without stifling innovation.

3. Prohibited Uses

Prohibit high-risk behavior, such as:

• Entering confidential or regulated data into public AI tools
• Using AI to generate legal, medical, or financial advice
• Allowing AI to make final decisions in regulated areas
• Representing AI-generated content as original human work

Include a reminder to consider ethical principles such as fairness, transparency, and non-discrimination when using AI.

4. Use of Non-Approved Tools and the Approval Process

Make it clear that employees must use only company-approved AI tools for work purposes. Prohibit the use of unauthorized or personally downloaded AI apps without explicit approval. Include a simple, documented process for requesting new tools—such as submitting a risk assessment or routing requests through legal, compliance, or IT. This balances innovation with oversight.

5. Disclosure Expectations

Should employees disclose AI involvement in client communications, public writing, or product content? Define what kind of attribution is required and when.

6. Human Oversight Requirement

Reinforce that AI outputs must be reviewed by qualified humans before use. Make it clear that AI is a tool—not a decision-maker.

7. Data Privacy and Security Controls

Explain that many AI tools store and reuse user input. Ban the use of AI tools for inputs that include personal information, proprietary code, trade secrets, or third-party data under NDA.

8. Enforcement and Reporting

State how violations will be addressed. Tie the policy to existing codes of conduct and acceptable use standards. Provide a mechanism for reporting misuse or gray areas.

9. Training and Ongoing Review

Offer access to training and contacts for policy questions. Commit to reviewing and updating the policy regularly as laws evolve and new tools emerge.

You Don’t Need a 40-Page AI Policy. You Need One That Works.

Legal and compliance teams are under pressure to “do something” about AI. But doing something thoughtful—even just publishing a focused, well-scoped acceptable use policy—puts you ahead of the curve.

This is your chance to:

• Rein in ungoverned AI experimentation
• Signal that your company is taking AI risks seriously
• Build the foundation for broader governance efforts

Start with what’s actionable. A clear, well-communicated acceptable use policy is the first layer of protection—and it’s one you can implement now.

Legal Tech and AI Solutions Vendors: Put your brand where your potential clients will see it. Sponsorships are available. Send an email to christine@christineuri.com for details or just send me a DM.