What this is

This is a free, ready-to-adapt AI usage policy for a mid-sized business. It defines acceptable use, an approved-tools list, a data classification standard for what may never be pasted into public AI tools, a human-review rule, vendor and data-residency requirements, incident handling, and ownership. Read it in full below or download an editable copy.

AI Usage Policy Template

1. Purpose and scope

This policy governs the use of artificial intelligence tools by all employees, contractors, and anyone acting on behalf of the company. It applies to any AI tool used for company work, whether company-provided or publicly available.

2. Acceptable use

Employees may use approved AI tools to draft, summarize, research, analyze, and assist with properly classified information. AI output must be reviewed by a qualified person before it is sent to a client, filed, billed, or used in a decision. AI assists. People remain accountable.

3. Approved tools

Only tools on the company approved-tools list may be used for company work. Tools cleared for confidential or regulated data are listed separately from tools acceptable only for public, non-sensitive content. If a tool is not on the list, it is not approved. Request additions through the defined process.

4. Data classification

Public information may be used with any approved tool. Internal information may be used with approved tools only. Confidential information is restricted to tools cleared for confidential data. Regulated information, including protected health information and personal data under GDPR or CCPA, is never entered into a public or personal AI tool. The bright line: never paste client, patient, financial, or personally identifiable information into a public or personal AI account.

5. Human review and accountability

A qualified person must review AI-generated output before it is used externally or in any decision about a person. The individual who signs, sends, or acts on the output owns the result.

6. Vendor and data-residency requirements

Any AI tool that handles company data must not train its models on your inputs, must isolate your data from other customers, and must operate under contractual terms the company has reviewed. New AI vendors must be approved before they handle company data.

7. Incident handling

If sensitive data is exposed to an unapproved tool, report it promptly through the defined channel. The goal is fast containment, not blame. Early reporting limits exposure.

8. Ownership and review

A named owner maintains this policy and the approved-tools list. The policy is reviewed on a set cadence, at least twice per year, and updated as tools and regulations change.

Want help configuring AI safely, not just writing the policy?

Book a 30 minute consultation
Start here

Ready to evaluate Fortify AI?

Book a 30 minute consultation with our team. We will scope your environment, identify the two or three highest-leverage AI deployments for your firm, and outline what a Fortify AI rollout looks like.