AI Acceptable Use Policy

Tier 1 GOVERNANCE
ISO A.2 ISO Cl.5 NIST GV-1 OWASP ASI08

Related Templates

AI Acceptable Use Policy

What This Requires

Publish and enforce a clear AI Acceptable Use Policy that defines approved AI tools, permitted use cases by role, prohibited activities, data classification requirements for AI interactions, and the process for requesting access to new AI tools. The policy must be approved by executive leadership, acknowledged by all employees, and reviewed at least annually or upon material changes to the AI landscape.

Why It Matters

Employees are adopting AI tools at an unprecedented pace, often without understanding the data privacy, intellectual property, or regulatory implications. Without explicit boundaries, confidential data is routinely pasted into public AI services, proprietary code is used for model training, and AI-generated outputs are deployed without human review. A well-communicated acceptable use policy transforms ambiguous risk into enforceable organizational standards.

How To Implement

Define Tool Tiers and Use Cases

Categorize AI tools into tiers: Tier 1 (approved for general use — e.g., enterprise ChatGPT with data protections), Tier 2 (approved for specific roles with conditions — e.g., GitHub Copilot for engineering only), and Prohibited (consumer-grade tools without enterprise agreements). For each tier, specify permitted data classifications, required configurations, and any output review requirements.

Codify Prohibited Activities

Explicitly prohibit: submitting data classified as Confidential or Restricted to any AI tool without approved DLP controls, using AI outputs in regulated decisions (hiring, lending, clinical) without human review, disabling safety filters or guardrails on approved tools, and using AI-generated code in production without code review. Include specific examples to eliminate ambiguity.

Establish Request and Approval Workflow

Create a standardized intake form for new AI tool requests that captures the proposed use case, data types involved, vendor security assessment status, and business justification. Route requests through a lightweight approval chain — security review, privacy review, and business owner sign-off — with a target SLA of 10 business days.

Enforce and Measure Compliance

Integrate policy enforcement into technical controls: configure DLP rules to detect sensitive data in AI service traffic, block access to prohibited tools at the network level, and require SSO authentication for approved tools. Track policy acknowledgment rates, violation counts, and exception requests as governance KPIs reported monthly to the AI governance committee.

Evidence & Audit

  • Approved AI Acceptable Use Policy document with executive signature and effective date
  • Employee acknowledgment records showing completion rate by department
  • AI tool classification matrix (approved, conditional, prohibited)
  • New AI tool request intake forms and approval records
  • DLP rule configurations blocking sensitive data to AI services
  • Network blocklist configurations for prohibited AI tools
  • Monthly governance KPI reports (violations, exceptions, acknowledgment rates)

Related Controls

AI Deployment Validation and Approval AI Risk Self-Assessment AI Data Input Governance AI Asset Inventory