
AI Acceptable Use Policy Template: Free Download + Implementation Guide

A free AI acceptable use policy template for businesses with a section-by-section walkthrough, industry-specific addendums for healthcare, legal, and financial services, and a 30-day implementation plan.

If your employees are using AI at work and you do not have a written policy governing how they use it, you have a problem. Not a future problem. A right-now problem.

78% of employees already use AI tools their employer never approved. They are pasting client data into ChatGPT, using AI browser extensions that read everything on their screen, and making decisions based on AI output nobody has verified. All without guidance, because nobody wrote the rules.

An AI acceptable use policy fixes that. Not by banning AI. By putting clear boundaries around how your team uses it so you get the productivity gains without the data exposure.

I have written these policies for businesses across healthcare, legal, and financial services. Below is the full template, a section-by-section breakdown of what each clause does and why it matters, industry-specific addendums, and a 30-day rollout plan.

The full AI acceptable use policy template

This is a working template. Copy it, customize the bracketed sections for your business, and distribute it to your team. It is intentionally short. If your employees cannot read and understand your AI policy in five minutes, they will not read it at all.


[COMPANY NAME] Artificial Intelligence Acceptable Use Policy

Effective date: [DATE]
Last reviewed: [DATE]
Policy owner: [NAME/TITLE]

1. Purpose

This policy defines how employees of [COMPANY NAME] may use artificial intelligence tools for work-related tasks. It exists to protect client data, maintain regulatory compliance, and ensure consistent quality in AI-assisted work.

2. Scope

This policy applies to all employees, contractors, and temporary staff who use AI tools for any work-related purpose, whether on company devices or personal devices used for work.

3. Approved AI tools

The following AI tools are approved for business use:

  • [LIST APPROVED TOOLS, e.g., “Company AI Assistant (Azure OpenAI deployment)”]
  • [TOOL 2]
  • [TOOL 3]

All other AI tools, including but not limited to personal ChatGPT accounts, Google Gemini, AI browser extensions, and AI writing assistants, are not approved for use with company or client data.

4. Prohibited uses

Employees must NOT:

  • Enter client personally identifiable information (PII) into any unapproved AI tool
  • Upload confidential documents, contracts, or internal communications to unapproved AI tools
  • Use AI-generated output in client-facing communications without human review
  • Use AI to make decisions that require professional judgment (legal advice, financial recommendations, medical diagnoses)
  • Share login credentials for approved AI tools with anyone
  • Use AI to generate content that misrepresents its origin (e.g., presenting AI-written legal analysis as attorney work product without review)

5. Data handling

  • Client data may only be processed through approved AI tools listed in Section 3
  • No client PII, financial records, health information, or privileged communications may be entered into unapproved tools
  • If you are unsure whether data is safe to enter, do not enter it. Ask [DESIGNATED CONTACT] first

6. Human review requirement

All AI-generated output used in client deliverables, external communications, or decision-making must be reviewed by a qualified human before use. AI assists your work. It does not replace your judgment.

7. Incident reporting

If you believe client or company data was entered into an unapproved AI tool, report it to [DESIGNATED CONTACT] within 24 hours. Early reporting allows us to assess and mitigate the exposure. Honest reporting will not result in disciplinary action for first-time incidents.

8. Enforcement

Violations of this policy will be addressed on a case-by-case basis. Repeated or intentional violations involving client data may result in disciplinary action up to and including termination.

9. Questions

Direct questions about this policy to [DESIGNATED CONTACT] at [EMAIL/PHONE].


Section-by-section breakdown

Purpose (Section 1)

Keep this short. One paragraph. Employees want to know why the policy exists, not read a mission statement. The three reasons that matter: protecting client data, staying compliant with regulations, and maintaining quality. That covers it.

Scope (Section 2)

This has to include personal devices. If an employee uses their personal phone to type a client’s name into ChatGPT during their commute, that is still your business’s data leaving a controlled environment. The policy covers the data, not the device.

Contractors and temps get included too. They often have less training and less loyalty to your policies. If they touch your data, they follow your rules.

Approved tools (Section 3)

This is the most important section. A policy that says “do not use unapproved AI” without telling employees what IS approved is just a ban with extra steps. And bans do not work.

List the specific tools by name. If you have deployed a private AI system, name it. If you have licensed ChatGPT Enterprise, name it. If the answer is “we do not have any approved tools yet,” then step one is deploying one. A policy without an approved alternative is a policy that will be ignored.

Prohibited uses (Section 4)

Be specific. “Do not misuse AI” is meaningless. “Do not enter client PII into unapproved tools” is actionable. Employees need concrete examples of what not to do so they can recognize the situation when they are in it.

The prohibition on AI-generated content without human review is non-negotiable for any business in a regulated industry. The Mata v. Avianca case showed what happens when someone trusts AI output without checking it.

Data handling (Section 5)

The “if you are unsure, do not enter it” rule is the safety valve. Employees will encounter situations the policy does not explicitly cover. Rather than trying to list every possible scenario, give them a default action (do not enter it) and a person to ask. That person needs to respond within the same business day or the system breaks down.

Human review (Section 6)

This section exists because AI gets things wrong. Confidently. An AI tool can generate a legal brief with fabricated case citations, a financial analysis with incorrect calculations, or a client email with the wrong tone. The output looks polished. That makes it more dangerous, not less.

Human review is not optional for anything that goes to a client, a regulator, or the public.

Incident reporting (Section 7)

The 24-hour reporting window matters. Data exposure is time-sensitive. The sooner you know, the sooner you can assess whether client data was compromised, whether you have a notification obligation, and what remediation steps to take.

The no-punishment clause for first-time honest reporting matters more than you think. If employees fear discipline, they will hide incidents instead of reporting them. Hidden incidents become bigger incidents.

Enforcement (Section 8)

Keep this proportional. A first-time accidental violation gets training, not termination. A repeated deliberate violation with client data gets escalated. The goal is compliance, not punishment.

Industry-specific addendums

The base template works for most businesses. If you operate in a regulated industry, add the relevant addendum below.

Healthcare addendum (HIPAA)

Add to Section 4 (Prohibited uses):

  • Protected Health Information (PHI) as defined by HIPAA must never be entered into any AI tool that is not covered by a Business Associate Agreement (BAA) with [COMPANY NAME]
  • This includes patient names, dates of birth, medical record numbers, diagnoses, treatment information, insurance details, and any combination of data that could identify a patient
  • De-identified data (per HIPAA Safe Harbor or Expert Determination methods) may be used with approved AI tools

Add to Section 3 (Approved tools):

  • [APPROVED TOOL] is covered under a BAA with [AI PROVIDER]. Only this tool may process PHI.

Legal addendum

Add to Section 4 (Prohibited uses):

  • No information subject to attorney-client privilege may be entered into any AI tool unless that tool operates within [FIRM NAME]’s controlled environment with no external data transmission
  • Case details, client communications, legal strategy, and work product must only be processed through approved AI tools operating under the firm’s data controls
  • Any AI-assisted legal research must be independently verified against primary sources before inclusion in any filing, brief, or client communication

Add to compliance notes:

  • Reference your state bar’s guidance on AI use. The ABA Model Rule 1.6 (confidentiality) applies to AI tools that process client information. The Florida Bar, New York Bar, and California Bar have all issued specific AI guidance.

Financial services addendum (FINRA/SEC)

Add to Section 4 (Prohibited uses):

  • Client financial data, account numbers, portfolio information, and investment communications must not be entered into unapproved AI tools
  • AI must not be used to generate investment recommendations, compliance reports, or regulatory filings without review by a licensed professional
  • All AI-assisted client communications must be reviewed and archived per FINRA/SEC recordkeeping requirements

Add to compliance notes:

  • Reference FINRA’s guidance on AI in financial services (updated 2025) and SEC staff bulletins on AI-related compliance obligations

30-day implementation plan

Writing the policy is step one. Getting your team to follow it is the actual work.

Week 1: Finalize and distribute

  • Customize the template for your business (fill in bracketed sections, add industry addendum if applicable)
  • Have legal counsel review (if available)
  • Distribute to all employees via email and company intranet
  • Require written acknowledgment of receipt within 5 business days

Week 2: Deploy approved tools

  • If you do not already have an approved AI tool, deploy one. A policy without an alternative is a ban, and bans fail.
  • Configure the approved tool with appropriate access controls and data handling settings
  • Create basic user accounts for all employees who will use AI

Week 3: Train

  • Hold a 30-minute training session covering: why the policy exists, what tools are approved, what data can and cannot be used, how to report incidents
  • Provide a one-page quick reference card employees can keep at their desk
  • Record the session for employees who could not attend and for future onboarding

Week 4: Verify and adjust

  • Check that all employees have acknowledged the policy
  • Review initial usage patterns on approved tools
  • Address any questions or confusion that came up during training
  • Set a calendar reminder to review the policy quarterly

Common policy mistakes to avoid

Writing a 15-page document. A policy that nobody reads is worse than no policy at all, because it creates a false sense of compliance. “We have a policy” means nothing if your employees cannot tell you what it says. Keep the policy short. Put the detail in training.

Banning AI without providing an alternative. A policy that says “do not use ChatGPT” without saying “use this instead” will be ignored the moment an employee faces a deadline. The approved tool list is the most important section of the entire policy.

Using vague language. “Exercise caution when using AI tools” gives employees nothing to act on. “Do not enter client PII into any tool not listed in Section 3” gives them a clear line they can see.

Treating the policy as a one-time event. AI tools change monthly. Your policy needs a review cadence. Quarterly is right for the first year. After that, semi-annual reviews are usually sufficient unless your industry faces new regulatory guidance.

Forgetting about personal devices. If your policy only covers company-managed devices, every employee with a smartphone has an unmonitored path to ChatGPT. The policy must cover company data, regardless of what device it is entered from.

Making the penalty disproportionate. If the punishment for a first-time accidental violation is the same as the punishment for repeated deliberate misuse, you will get one result: employees stop reporting incidents. Proportional enforcement and a safe harbor for honest first-time reporting are what make a policy actually work.

Policy is half the solution

A policy tells your employees the rules. An approved AI tool gives them a way to follow the rules without losing the productivity they want.

Most shadow AI happens because employees have no legitimate alternative. The policy says “do not use ChatGPT with client data.” Fair enough. But if you do not give them something they CAN use, they will go back to ChatGPT the moment they are under deadline pressure.

I build secure AI work environments that give teams the same capability as ChatGPT with full data control. The AI runs in your own Azure tenant. Client data stays in your environment. Every interaction is logged. Your policy becomes enforceable because the approved tool is actually better than the unapproved one.

If you need help putting together a policy and deploying the tools to back it up, that is exactly what I do. See the 13 systems I have built or book an assessment.

Frequently asked questions

Do I really need an AI acceptable use policy?

If your employees use AI for work (and the data says 78% of them do), yes. Without a written policy, you have no basis for enforcement, no protection in a compliance audit, and no way to demonstrate due diligence if a data incident occurs.

How long should an AI policy be?

One to two pages. The template above is designed to be read in five minutes. If your policy is longer than that, most employees will not read it. Put the detailed guidance in training, not in the policy document itself.

Should I ban AI entirely instead?

No. Samsung, Apple, and Amazon tried blanket bans. They do not work when employees can access AI from personal devices in 30 seconds. A better approach is to provide approved tools with clear usage rules.

How often should I update my AI policy?

Review it quarterly. AI tools change fast. New tools emerge, existing tools change their data handling, and regulations evolve. A policy written in January may need updates by April.

What if an employee violates the policy?

For first-time unintentional violations, provide additional training. For repeated or deliberate violations involving client data, escalate per your existing HR disciplinary procedures. The key is proportional response. Excessive punishment discourages honest incident reporting.

Do I need a lawyer to write an AI policy?

For most small businesses, the template above is a strong starting point. If you are in a heavily regulated industry (healthcare, financial services, legal), having counsel review the final version is worth the cost. The review should take an hour or less if you start from a solid template.


Jose Lugo is a CISSP-certified security engineer with 12 years of U.S. Army intelligence experience. He builds secure AI work environments for businesses at josecustom.ai. See his portfolio of 13 live client systems at portfolio.josecustom.ai.