
AI Acceptable Use Policy Template

Free AI policy template for employees covering permitted tools, data classification rules, prohibited uses, and compliance requirements. The most downloaded AI governance template for enterprise security teams.

Last updated: June 23, 2026

An AI acceptable use policy is the employee-facing rulebook that defines how staff may use AI tools at work: which tools are approved, what data is allowed into them, and which uses are prohibited. In 2026 a usable policy has to cover six things: scope (who it applies to); an approved tools list and the process to add new tools; data classification rules for what can and cannot be entered into AI; prohibited uses; accountability and incident reporting; and a review cycle.

To implement one, inventory the AI tools already in use (including shadow AI), map your data classification tiers to clear allow and prohibit rules, name the owner and the reporting contact, then distribute it for employees to acknowledge. The template below is ready to fill in. The part most policies skip is enforcement: a document on its own does not stop sensitive data reaching an AI tool, so the section after the template shows how each clause maps to a technical control you can actually run.


Why You Need an AI Acceptable Use Policy

Most organisations have deployed AI tools without a formal policy governing how employees can use them. This creates real legal, regulatory, and reputational risk - particularly as regulators begin enforcing AI governance requirements.

78%: Employees use AI tools without IT approval. The majority of AI adoption is happening outside sanctioned channels, creating uncontrolled data exposure.

0: Most organisations have no formal AI policy. Without a documented policy, there is no legal basis to enforce AI usage rules or take disciplinary action.

3+: Regulatory frameworks now require AI governance. EU AI Act, ISO 42001, and NIST AI RMF all require documented AI governance including usage policies.

24h: Incident response requires a policy baseline. Without a policy, you cannot determine whether an AI-related data incident constitutes a violation or assess liability.

The Policy Template

Customise the bracketed placeholders for your organisation.

This policy governs the use of artificial intelligence (AI) tools and services by all employees, contractors, and third parties acting on behalf of [Organisation Name]. It applies to all AI tools used for work purposes, whether accessed via company devices or personal devices.

How to Adapt This Template for Your Organisation

The template above is a starting point. Follow these steps to turn it into an enforceable policy for your specific environment.

1. Add your organisation name: Replace all instances of [Organisation Name] with your legal entity name.
2. Build your approved tools list: Populate Appendix A with specific AI tools, versions, and any approved use-case restrictions. Name the IT Security contact for new tool requests.
3. Map data classification tiers: Align Section 3 with your existing data classification policy. Add tier names (e.g. Restricted, Confidential, Internal, Public) and any tool-specific rules.
4. Name your reporting contacts: Replace [IT Security Contact] with a named person or team alias. Include an escalation path for incidents that may involve regulatory notification.
5. Set your review cycle: Define the review frequency (annually is the minimum), name the policy owner, and add a version history table so auditors can track changes.

From Policy to Enforcement

A policy PDF does not stop anyone from pasting client data into a chatbot. Each clause in the template above maps to a control you can run. This is the part most AI policy guides leave out, and it is what turns a written rule into something you can prove.

Approved tools list (Section 2)
Aona discovers every AI tool in use through a browser plugin for Chrome, Edge, and Firefox and a native endpoint app for Windows and macOS, matching usage against a catalogue of 5,600+ AI tools. You see who is using which tool, including shadow AI no one approved, and get alerted when an unapproved tool appears, so the allow and block lists in your policy are backed by real visibility.
Data classification rules (Section 3)
When an employee submits a prompt or uploads a file, Aona inspects the content server-side before it reaches the model, classifies any sensitive data (PII, financial records, source code, confidential documents), and applies your policy. The data your policy says must never enter an AI tool is caught at the point of submission, not discovered in an audit later.
Prohibited uses (Section 4)
Where a prompt or file breaches the rules, Aona hard-blocks it with a modal and no acknowledge-and-continue override, or redacts the sensitive portion before the request goes through, depending on the policy you set per team, tool, and data type. The prohibition is enforced at the moment of use rather than relying on staff to remember it.
Accountability & reporting (Section 5)
Every inspection, block, and redaction is logged, giving your security team the audit trail that incident reporting and disciplinary processes depend on. Data stays resident in your chosen region across 7 live regions, and Aona is SOC 2 Type II certified.

See how this works for your whole workforce on Workforce AI Security, or explore the Aona platform. This page is informational and is not legal advice.

Frequently Asked Questions

An AI acceptable use policy should cover: the scope of who it applies to (employees, contractors, third parties); a list of approved AI tools and the process for getting new tools approved; data classification rules specifying what data can and cannot be entered into AI tools; prohibited uses such as generating discriminatory content, creating deepfakes, or circumventing security controls; accountability and incident reporting obligations; and a review schedule. Without these elements the policy cannot be enforced and provides no legal basis for action.

Enforce Your AI Policy Automatically

A written policy is only the first step. Aona enforces your AI acceptable use policy in real time, blocking unapproved tools, detecting sensitive data entering AI services, and generating the audit trail your compliance team needs.