If you run a small or mid-sized business, there’s a good chance your employees are already using AI at work. Maybe they rely on it to create and then summarize meeting transcripts, draft emails or marketing copy, do spreadsheet magic, or even code internal tools that make them vastly more productive.
The problem is that most of them are doing it with tools they signed up for on their own, on personal accounts your IT team can’t see or control. You could try banning AI outright, but that hasn’t worked well for the companies that tried because people just get quieter about it.
What works is giving your team clear rules as to what’s allowed, what isn’t, what never goes into a prompt, and who to ask when they’re not sure. That’s what an AI acceptable use policy is for, and this article walks through how to write one that will actually be followed.
Why a Blanket Ban on AI Isn’t a Workable Policy
When ChatGPT launched in November 2022, it reached 1 million users within five days and 100 million within two months. Employees across every industry quickly discovered they could use it to draft emails, summarize documents, debug code, and accomplish in minutes tasks that used to eat up entire afternoons. For company leadership, the speed of adoption was alarming because nobody knew what data employees were feeding into AI tools.
The response from many of the world’s largest companies was to shut it down. In 2023, Apple restricted internal use of ChatGPT and GitHub Copilot. JPMorgan restricted access across its workforce. Verizon, Goldman Sachs, and Deutsche Bank did the same. The reaction was understandable, but as AI capabilities continued to improve at a staggering rate, it became increasingly clear that a policy that simply bans AI does more damage than good, for the following reasons:
- It kills productivity gains. AI tools can compress hours of work into minutes. When your policy is “don’t use it” and your competitor’s policy is “use it smartly,” you’re falling behind in ways that compound over time.
- It creates shadow AI. When employees can’t use approved tools, they sign up for free consumer accounts your IT team can’t see, monitor, or control. IBM’s 2025 Cost of a Data Breach Report found that one in five organizations reported a breach involving shadow AI.
- It makes your data less safe. As we just said, that data is going in whether you have a ban in place or not. The only question is whether it’s going into tools you’ve vetted or tools you don’t know about.
The companies that led the ban wave figured this out quickly. JPMorgan went from restricting ChatGPT in early 2023 to building its own AI platform (essentially OpenAI’s models behind a JPMorgan-controlled front end) and rolling it out to some 200,000 employees. Samsung restored ChatGPT access with new guardrails after initially banning it. Apple built its own AI capabilities instead.
The lesson from all of this is that a blanket ban doesn’t work. What works instead is giving your team a clear set of rules that acknowledges AI is here to stay, defines how it can be used safely, and draws firm lines around what should never go into a prompt. In other words, an acceptable use policy.
Building a Policy People Will Actually Follow
McKinsey’s 2024 survey found that 65% of organizations regularly use generative AI in at least one business function. Unfortunately, policy hasn’t kept up. Gallup found that only 30% of employees say their organization has even general guidelines or a formal policy for AI use, and fewer than half of workers say they actually know and understand their company’s rules. That gap between “we have a policy” and “our people follow it” is where the risk lives.
To bridge this gap, your policy needs to answer a few specific questions that employees actually care about: which tools am I allowed to use, what data is off-limits, and who do I ask when I’m not sure?
Start by Classifying Your AI Tools
A good AI acceptable use policy doesn’t need to be long, but it needs to be specific, so it’s a good idea to start by classifying AI tools into three tiers:
- Approved tools are vetted by IT, covered by enterprise licenses with proper data handling agreements, and cleared for use with non-sensitive business data. Before a tool lands in this tier, confirm in the contract (not just the marketing page) that the vendor does not train on your inputs and state how long prompts and outputs are retained. Tools in this category might include something like Microsoft Copilot through your existing Microsoft 365 environment or a ChatGPT Enterprise account your organization manages.
- Limited-use tools are allowed for specific tasks but come with restrictions. For example, a team might use a free-tier AI tool for summarizing public information or creating images to accompany social media posts, but nothing confidential goes in.
- Prohibited tools are blocked entirely. This typically includes any AI tool that doesn’t offer enterprise data protections, trains on user inputs by default, or can’t meet your compliance requirements.
The point of this system is that employees don’t need to make judgment calls about which tools are safe because the policy tells them.
Define What Never Goes Into a Prompt
Employees need a clear, short list of data types that are never allowed in any AI tool, regardless of which tier it falls into. If a specific approved tool is contractually cleared for one of these categories (for example, a coding assistant that is licensed to see your source), say so explicitly in the policy rather than leaving employees to guess. At a minimum, that list should include:
- Customer personal data (names, contact information, financial records)
- Employee personal or HR data
- Proprietary source code, trade secrets, or internal business strategies
- Legal documents, contracts, or anything covered by attorney-client privilege
- Passwords, API keys, or access credentials (including any that are buried in config files, logs, or error messages pasted in for debugging)
If your organization handles Controlled Unclassified Information (CUI) as a government contractor, the importance of this section increases even more.
Under DFARS 252.204-7012, any cloud service that stores, processes, or transmits covered defense information (a category of CUI) must meet security requirements equivalent to the FedRAMP Moderate baseline. Consumer versions of ChatGPT, Claude, Gemini, and most other AI tools don’t meet that bar, and you should confirm the authorization status of any enterprise or government offering before allowing CUI anywhere near it. Submitting CUI to an unauthorized AI tool is a potential compliance incident that could jeopardize your contracts, and if it happens it should be handled as a data spill rather than quietly hoping the data wasn’t retained.
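A written policy needs a technical backstop, because employees will paste first and read the policy later. The following is an added example (not part of the original article and not OSIbeyond’s tooling) of a small pre-submission screen that ties the three tool tiers above to the “never goes into a prompt” list: it refuses prompts aimed at prohibited or unknown tools, blocks credentials, personal data, and payment card numbers for every tier, and additionally keeps internally marked or CUI-labelled text out of limited-use tools. The tool names, the tier assignments, and the detection patterns are hypothetical starting points; a real deployment would sit in a browser extension, proxy, or DLP product and would use a far larger ruleset.

```python
import re
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    APPROVED = "approved"
    LIMITED = "limited"
    PROHIBITED = "prohibited"


# Hypothetical tool register. Real entries come from your own vetting;
# anything not listed is treated as prohibited (fail closed).
TOOL_TIERS = {
    "copilot-m365": Tier.APPROVED,
    "chatgpt-enterprise": Tier.APPROVED,
    "free-image-gen": Tier.LIMITED,
    "random-free-chatbot": Tier.PROHIBITED,
}

# Detectors for the "never goes into a prompt" list. These are illustrative
# patterns, not a complete DLP ruleset; tune them for your own data.
NEVER_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "password_assignment": re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+"),
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "us_ssn": re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # 13-19 digits, optional single spaces/dashes between them; validated with Luhn below
    "card_number": re.compile(r"\b\d(?:[ -]?\d){12,18}\b"),
}

# Markers that mean "internal": limited-use tools may only see public information.
INTERNAL_MARKERS = re.compile(r"(?i)\b(?:confidential|internal only|do not distribute|cui)\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to drop digit runs that are not real card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> list[tuple[str, str]]:
    """Return (category, matched_text) pairs for every never-share hit."""
    hits = []
    for name, pat in NEVER_PATTERNS.items():
        for m in pat.finditer(text):
            value = m.group(0)
            if name == "card_number":
                digits = re.sub(r"\D", "", value)
                if not (13 <= len(digits) <= 19 and luhn_ok(digits)):
                    continue  # digit run that fails Luhn, e.g. an order or phone number
            hits.append((name, value))
    return hits


@dataclass
class Decision:
    allowed: bool
    reason: str
    findings: list = field(default_factory=list)


def screen_prompt(tool: str, text: str) -> Decision:
    """Apply the tier rules plus the never-share list to one prompt."""
    tier = TOOL_TIERS.get(tool, Tier.PROHIBITED)
    if tier is Tier.PROHIBITED:
        return Decision(False, f"{tool!r} is not an approved tool")
    findings = find_sensitive(text)
    if findings:
        kinds = ", ".join(sorted({k for k, _ in findings}))
        return Decision(False, f"prompt contains never-share data: {kinds}", findings)
    if tier is Tier.LIMITED and INTERNAL_MARKERS.search(text):
        return Decision(False, "limited-use tool: only public information is allowed")
    return Decision(True, f"ok for {tier.value} tool")


if __name__ == "__main__":
    # Constructed sample prompts, not real data.
    for tool, prompt in [
        ("chatgpt-enterprise", "Summarize this public press release about our Q3 launch."),
        ("chatgpt-enterprise", "Debug this: AKIAIOSFODNN7EXAMPLE password=hunter2"),
        ("free-image-gen", "CONFIDENTIAL roadmap: draw a logo for project X"),
        ("random-free-chatbot", "hello"),
    ]:
        d = screen_prompt(tool, prompt)
        print(f"{tool:20} allowed={d.allowed!s:5} {d.reason}")
```

The point of failing closed on unknown tool names is that the register, not the employee, decides what is safe; adding a tool to the policy and adding it to the register should be the same act. Expect false positives from the email and card patterns on real traffic, which is exactly why the decision carries a reason the employee can read and the go-to person can override.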
Give Employees Somewhere to Go With Questions
No policy can anticipate every scenario, especially because AI tools are evolving incredibly fast. As a result, employees will inevitably run into situations the policy doesn’t explicitly cover.
In such situations, employees tend to do one of two things depending on how easy it is to get clarification:
- If there’s no one to ask, they’ll make their own call, and that call will often be “it’s probably fine.”
- If there’s a designated person who responds quickly, most employees will actually check before doing something that could create a problem.
Needless to say, you should always designate someone in IT, compliance, or management as the go-to for AI-related questions, and make sure employees know who that person is. Just as importantly, those questions need to be met with quick, practical answers instead of lectures. If an employee asks “can I use this tool for X?” (and hasn’t actually broken any rules by using it prior to asking), a well-meaning but long-winded response about data governance and risk frameworks will discourage them from asking again.
Don’t Forget: Make the Policy Readable and Findable
The biggest enemy of any policy is length, and the second one is its language (if your AI acceptable use policy reads like a legal contract, it won’t get read).
Aim for two to three pages at most. Cut anything that doesn’t directly answer the questions employees actually have: what can I use, what can’t I put in, and who do I ask? If a section doesn’t serve one of those questions, it probably doesn’t need to be there.
Write the policy the way you’d explain the rules to a new hire in a ten-minute conversation. “Don’t paste client data into any AI tool” is better than “employees shall refrain from inputting personally identifiable information pertaining to clients or stakeholders into artificial intelligence systems absent prior authorization.” Both say the same thing, but only the first one will be remembered.
Last but not least, put the policy somewhere people can actually find it. For example, you can pin it in your company’s Teams channel, or build a simple internal assistant that answers questions from the policy text itself (retrieval over the document, running on one of your approved tools), so employees can ask in plain language and get an answer grounded in the rules you’ve already written.
Conclusion
AI is already part of how employees work. The only question is whether it’s happening with your knowledge and under your rules, or in the background on tools you’ve never vetted. A good acceptable use policy gives the people in your organization permission to use AI productively while drawing clear lines around the things that could put your organization at risk, and it does so in concise, easy-to-understand language.
We at OSIbeyond can help you put one together and more. Whether you need help drafting the policy itself, choosing which AI tools are safe for your environment, or making sure everything aligns with your cybersecurity compliance obligations, don’t hesitate to schedule a meeting with us to get started.