Governance

Building an AI Acceptable Use Policy Your Employees Will Actually Read

A one-page AI AUP template that ships in three sections — approved tools, disallowed content, incident path — and a discussion of what to leave out.

PromptShielder Security Team· Applied cryptography & privacy engineering September 9, 2025 6 min read

Section 1 — approved tools

List the specific service and the specific tier: 'ChatGPT Enterprise via SSO', 'Claude Team via SSO', 'GitHub Copilot Business'. If the tier matters, name it. If the SSO tenant matters, name it. Ambiguity here is where shadow AI enters.

Section 2 — disallowed content

Categories with concrete examples. Not 'confidential information' but 'source code including hard-coded credentials, database URIs or internal hostnames'. Not 'personal data' but 'names of customers, addresses, phone numbers, DOB, government IDs, medical notes'. Each category gets three examples an employee can point to and say 'that's me, don't paste it'.

Section 3 — incident path

'If you pasted something you shouldn't have, tell security@yourco.com within four hours. There is no penalty for reporting; there is a penalty for hiding.' Two lines. That's the whole thing.

Companion controls

  • Redact-before-send at the browser edge.
  • SSO-only login enforced at the identity provider.
  • Monthly random sample of prompt content by a small privacy team, with employee awareness of the sampling.

Frequently asked

Should we require training?+

Yes, ten minutes, annually, with a one-question quiz. Not two hours.

Should we ban personal accounts?+

Ban them logically, sanction an alternative practically. Bans without alternatives fail.

Sources
GovernanceCompliance
Try PromptShielder

Redact prompts before they leave your browser.

Free to try. Nothing is sent to a server. Ever.