Building an AI Acceptable Use Policy Your Employees Will Actually Read
A one-page AI AUP template that ships in three sections — approved tools, disallowed content, incident path — and a discussion of what to leave out.
Section 1 — approved tools
List the specific service and the specific tier: 'ChatGPT Enterprise via SSO', 'Claude Team via SSO', 'GitHub Copilot Business'. If the tier matters, name it. If the SSO tenant matters, name it. Ambiguity here is where shadow AI enters.
Section 2 — disallowed content
Categories with concrete examples. Not 'confidential information' but 'source code including hard-coded credentials, database URIs or internal hostnames'. Not 'personal data' but 'names of customers, addresses, phone numbers, DOB, government IDs, medical notes'. Each category gets three examples an employee can point to and say 'that's me, don't paste it'.
Section 3 — incident path
'If you pasted something you shouldn't have, tell security@yourco.com within four hours. There is no penalty for reporting; there is a penalty for hiding.' Two lines. That's the whole thing.
Companion controls
- Redact-before-send at the browser edge.
- SSO-only login enforced at the identity provider.
- Monthly random sample of prompt content by a small privacy team, with employee awareness of the sampling.
Frequently asked
Should we require training?+
Yes, ten minutes, annually, with a one-question quiz. Not two hours.
Should we ban personal accounts?+
Ban them logically, sanction an alternative practically. Bans without alternatives fail.