AI Acceptable Use Policy Template: A Fill-in-the-Blank AI Governance Policy

Copy the full policy below, swap in the bracketed fields, and adopt it. It is written for small and mid-sized teams that need real AI governance fast.

An AI acceptable use policy is a short, plain document that tells your team which AI tools they can use, how to use them safely, and what is off limits. It protects your company data, your customers, and your reputation without slowing people down.

This page gives you the complete policy, not a summary. Every section below is real, usable text with [bracketed] fields you fill in. Read it, edit the brackets, add your logo, and you have a working AI governance policy. When you are ready for an editable copy, the download link is in the callout.

How to Use This Template

Use this template by copying each policy section below and replacing the bracketed fields with your own details.

Work top to bottom. Most fields take a name, a tool, a role, or a number. If a section does not fit your business, delete it. If you need a stricter rule, add it. Keep the whole document short enough that a new hire will actually read it.

  • Fill in every [bracketed] field with your company name, tools, roles, and timelines.
  • Have your policy owner and one leader review it before you publish.
  • Share it during onboarding and require a quick acknowledgment.
  • Store the signed version where you keep other HR and security policies.

Download the editable template (DOCX/Google Doc) to customize this policy with your own branding, roles, and approved tool list in minutes.

Want help turning this AI acceptable use policy template into a governance program your team actually follows? We can build your approved tool list, data-handling rules, and review process with you.


Section 1 — Purpose and Scope

This section states why the policy exists and who it covers.

Copy the text below and adjust the bracketed fields.

  • Purpose: This AI Acceptable Use Policy explains how staff at [Company Name] may use artificial intelligence tools in their work. Our goal is to use AI safely, protect data, and stay compliant.
  • Scope: This policy applies to all [employees, contractors, and interns] at [Company Name] who use any AI tool for company work, on any device.
  • Covered tools: This policy covers generative AI (such as chat assistants, image and code generators), AI features built into other software, and AI agents that act on our behalf.
  • Effective date: This policy takes effect on [date] and is owned by [role, e.g., Head of Operations].

Section 2 — Approved Tools and Approval Process

This section lists the AI tools your team is allowed to use and how to request a new one.

Keep the approved list short and current. Review it often.

  • Approved tools: Staff may use these AI tools for company work: [Tool 1], [Tool 2], [Tool 3]. Use the paid or business tier where one exists.
  • Default rule: If a tool is not on the approved list, do not use it for company data until it is approved.
  • Request process: To request a new tool, send [role/email] the tool name, the vendor, what data it will touch, and the business reason.
  • Approval owner: [Role] reviews each request for security, data handling, and cost, and responds within [number] business days.
  • Free personal accounts: Do not use free personal AI accounts for company data. Public tiers may train on your inputs.

Section 3 — Prohibited Uses

This section names the things staff must never do with AI tools.

These rules protect your data, your customers, and your legal standing.

  • Do not enter confidential company information or trade secrets into public AI tools.
  • Do not enter customer or employee personal data (PII) into any tool that is not approved for it.
  • Do not use AI to make final decisions about hiring, firing, pay, credit, or other high-impact outcomes without human review.
  • Do not present AI output as human work when a client or regulation requires disclosure.
  • Do not use AI to create content that is illegal, deceptive, harassing, or that violates someone else’s copyright.
  • Do not bypass security controls, share your login, or use AI to access data you are not permitted to see.

Section 4 — Data Handling Rules

This section sets clear rules for what data can go into which tools.

When in doubt, treat data as confidential and ask [role].

  • Public / general data (marketing copy, public research): allowed in approved tools.
  • Internal data (drafts, internal notes): allowed only in approved business-tier tools that do not train on your inputs.
  • Confidential data (contracts, financials, source code, strategy): allowed only in tools explicitly approved for it, listed here: [approved tools].
  • Regulated / PII data (customer records, health, payment, employee data): never enter into a public tool. Use only tools with a signed data processing agreement and approval from [role].
  • Redaction: Remove names, account numbers, and identifiers before using AI when you only need the general pattern, not the specifics.

Section 5 — Human Review Requirements

This section requires a person to check AI output before it is used or sent.

AI drafts. Humans decide.

  • A qualified person must review any AI output before it goes to a customer, a regulator, or the public.
  • AI must not be the sole basis for a decision that materially affects a person (employment, credit, benefits, safety).
  • Fact-check AI claims, numbers, and quotes before you rely on them. AI can be confidently wrong.
  • Keep a human in the loop for any AI agent that can send messages, move money, or change records.

Section 6 — Security, Incident Reporting, and Roles

This section covers account security, what to do when something goes wrong, and who owns the policy.

Fast reporting limits the damage from a mistake.

  • Security: Use company-approved accounts with strong, unique passwords and multi-factor authentication. Do not install unapproved AI browser extensions or desktop agents.
  • Incident reporting: If confidential or personal data is entered into the wrong tool, or you suspect an AI-related security issue, report it to [role/email] within [number] hours.
  • What to report: what data was involved, which tool, when it happened, and what you have done so far.
  • Roles: [Role] owns this policy and the approved tool list. [Role] handles security incidents. [Role] approves new tools and exceptions.
  • Consequences: Violations may lead to loss of AI access or disciplinary action, up to and including termination.

Section 7 — Review Cadence

This section sets how often the policy is reviewed and updated.

AI changes fast, so this policy should be a living document.

  • Review schedule: [Role] reviews this policy at least every [6 months / 12 months].
  • Trigger reviews: Review sooner when you adopt a major new tool, when a new law such as the EU AI Act adds duties, or after any incident.
  • Version control: Record the version number and date each time you change the policy.
  • Acknowledgment: Ask staff to re-acknowledge the policy after a major update.

How to Customize This Policy for Your Business

Customize this policy by matching its strictness to the sensitivity of your data and your industry rules.

A marketing agency and a healthcare provider need very different versions of the same document.

  • Regulated industries: Add specific duties from HIPAA, GDPR, SOC 2, or the EU AI Act, and name your compliance owner.
  • Client work: Add a rule requiring client consent before using their data in AI tools.
  • Engineering teams: Add rules for AI coding assistants, such as no secrets in prompts and mandatory code review.
  • Small teams: Combine roles. One owner can hold the policy, approvals, and incident response.
  • Tone: Keep sentences short and concrete so people follow the rules instead of guessing.

Frequently Asked Questions

  • Yes. You can copy the full policy on this page, replace the bracketed fields with your own details, and adopt it. The callout above links to an editable DOCX and Google Doc version so you can add your branding and approved tool list.
  • Yes. Even a small team can leak confidential data or PII into a public AI tool in seconds. A short, clear policy prevents most of these mistakes and shows customers and auditors that you take AI risk seriously.
  • They overlap. An acceptable use policy focuses on what staff may and may not do with AI tools. An AI governance policy is broader and can also cover ownership, risk assessment, and vendor review. This template covers the acceptable-use core plus roles, incidents, and review cadence.
  • Review it at least every 6 to 12 months, and sooner when you adopt a major new tool, when a new law such as the EU AI Act adds duties, or after any incident. Record a version number and date on each change.
  • It is a strong starting point. Clear rules on prohibited uses, data handling, human review, and incident reporting map directly to what frameworks like the EU AI Act, NIST AI RMF, and SOC 2 expect. For a full audit you will also need evidence such as approvals and logs.

Turn This Template Into a Real Governance Program

We help SMBs adopt AI safely — approved tool lists, data-handling rules, human-review workflows, and monitoring that fit how your team actually works.
