What should an AI acceptable use policy cover?

An AI acceptable use policy should cover: the scope of who it applies to (employees, contractors, third parties); a list of approved AI tools and the process for getting new tools approved; data classification rules specifying what data can and cannot be entered into AI tools; prohibited uses such as generating discriminatory content, creating deepfakes, or circumventing security controls; accountability and incident reporting obligations; and a review schedule. Without these elements the policy cannot be enforced and provides no legal basis for action.

Do I need a separate policy for ChatGPT?

You do not need a separate ChatGPT policy if your AI acceptable use policy includes a clear approved tools list and data handling rules. Reference ChatGPT by name in your approved or prohibited tools list as appropriate. If ChatGPT Enterprise is approved for internal use, specify which version, which data tiers are permitted, and whether your contract with OpenAI includes a no-training clause. A single comprehensive policy that names specific tools is cleaner to enforce than multiple tool-specific documents.

Is an AI acceptable use policy required under the EU AI Act?

The EU AI Act does not prescribe an acceptable use policy by name, but it does require deployers of high-risk AI systems to implement appropriate governance measures, conduct fundamental rights impact assessments, and maintain human oversight. ISO 42001 (AI Management Systems) and NIST AI RMF both explicitly require documented AI use policies as part of a compliant AI governance programme. Regulators and auditors increasingly expect to see a documented AI policy as baseline evidence of AI governance maturity.

How do I enforce an AI acceptable use policy?

Enforcing an AI acceptable use policy requires both technical controls and procedural measures. Technical controls include blocking unapproved AI tools at the network or endpoint level, deploying data loss prevention (DLP) tools that detect sensitive data being sent to AI services, and using an AI security platform to monitor which AI tools employees are accessing. Procedural measures include requiring employees to sign the policy, training staff on their obligations, logging violations, and having a clear disciplinary process. A policy without technical enforcement is aspirational, not operational.

Get your Free 90 Days Gen AI Risk Discovery Trial -90 Days Gen AI Risk Trial -Start Now

Book a demo

Free TemplateEmployee AI Policy

AI Acceptable Use Policy Template

Free employee AI policy template covering permitted tools, data rules, prohibited uses, and compliance. Trusted by enterprise security teams.

Updated March 2026 · 6 policy sections · EU AI Act, ISO 42001, NIST AI RMF aligned

Download Template Book Demo

78%

of employees use AI at work

6 sections

complete policy coverage

3 frameworks

EU AI Act, ISO 42001, NIST

Free

to use and customise

Why You Need an AI Acceptable Use Policy

Most organisations have deployed AI tools without a formal policy governing how employees can use them. This creates real legal, regulatory, and reputational risk — particularly as regulators begin enforcing AI governance requirements.

78%

Employees use AI tools without IT approval

The majority of AI adoption is happening outside sanctioned channels, creating uncontrolled data exposure.

Most organisations have no formal AI policy

Without a documented policy, there is no legal basis to enforce AI usage rules or take disciplinary action.

Regulatory frameworks now require AI governance

EU AI Act, ISO 42001, and NIST AI RMF all require documented AI governance including usage policies.

24h

Incident response requires a policy baseline

Without a policy, you cannot determine whether an AI-related data incident constitutes a violation or assess liability.

The Policy Template

Click each section to expand the policy text. Customise the highlighted placeholders for your organisation.

This policy governs the use of artificial intelligence (AI) tools and services by all employees, contractors, and third parties acting on behalf of [Organisation Name]. It applies to all AI tools used for work purposes, whether accessed via company devices or personal devices.

Download Full Policy as PDF

How to Adapt This Template for Your Organisation

The template above is a starting point. Follow these steps to turn it into an enforceable policy for your specific environment.

Add your organisation name

Replace all instances of [Organisation Name] with your legal entity name.

Build your approved tools list

Populate Appendix A with specific AI tools, versions, and any approved use-case restrictions. Name the IT Security contact for new tool requests.

Map data classification tiers

Align Section 3 with your existing data classification policy. Add tier names (e.g. Restricted, Confidential, Internal, Public) and any tool-specific rules.

Name your reporting contacts

Replace [IT Security Contact] with a named person or team alias. Include an escalation path for incidents that may involve regulatory notification.

Set your review cycle

Define the review frequency (annually is the minimum), name the policy owner, and add a version history table so auditors can track changes.

Frequently Asked Questions

Enforce Your AI Policy Automatically

A written policy is only the first step. Aona enforces your AI acceptable use policy in real time — blocking unapproved tools, detecting sensitive data entering AI services, and generating the audit trail your compliance team needs.

Book a Demo

Related Resources

Aona AI Platform AI Governance Framework All Templates

AI Acceptable Use Policy Template

Why You Need an AI Acceptable Use Policy

The Policy Template

How to Adapt This Template for Your Organisation

Frequently Asked Questions

Enforce Your AI Policy Automatically

Product

Solutions

Resources

Compare

Compliance

Company

Contact