Key facts
- Cover: approved tools, data rules, and how to request a new tool.
- Keep it short enough that employees will actually read and follow it.
- Be explicit about what data must never be entered into AI tools (customer PII, credentials, etc.).
- Use the free AI acceptable use policy template as a starting point.
- Review the policy whenever a new AI tool is approved or a data risk is identified.
What to cover
State clearly which AI tools are currently approved for use, what categories of data may and may not be entered into them (customer personal data, credentials and confidential business information are common exclusions), and the process an employee follows if they want to use a tool that is not yet approved.
Writing it so people actually follow it
A policy written in dense legal language, several pages long, tends to be skimmed once and then ignored. A policy that fits on one or two pages, uses plain language, and gives concrete examples of what is and is not allowed is far more likely to be followed day to day.
Being specific about data
Vague guidance like "use good judgement with sensitive data" is not enough. Name the categories of data that must never be entered into AI tools — customer personal data, credentials and API keys, confidential financial or legal information — so there is no ambiguity in practice.
Keeping the policy current
Review the policy whenever a new AI tool is approved, a data risk is identified, or the organisation's AI use changes materially. An outdated acceptable use policy that still names tools no longer in use signals to staff that the document is not actively maintained.
Frequently asked questions
What should an AI acceptable use policy cover?
Approved tools, what data can and cannot be entered into them, and the process for requesting a new tool.
How long should an AI acceptable use policy be?
As short as possible — one to two pages in plain language is more effective than a long legalistic document.
What data should never be entered into AI tools?
Common exclusions include customer personal data, credentials and API keys, and confidential financial or legal information — name them explicitly.
Is there a template for an AI acceptable use policy?
Yes — the free AI acceptable use policy template covers the core structure.
How often should the policy be reviewed?
Whenever a new AI tool is approved, a data risk is identified, or AI use changes materially.
Last updated 19 June 2026.