Your employees are already using AI tools at work — whether you've approved them or not. Only 37% of companies have any formal AI governance policy in place. This guide covers the seven sections every policy needs, written for HR managers and operations leads who need to act fast without a 50-page legal document.
A year ago, an AI policy was something large enterprises put in their roadmaps for next quarter. Today it's something employees are asking for by name — and something auditors, insurers, and enterprise customers are starting to require before signing contracts.
The good news: you don't need a legal team or a six-month project to have one. You need clarity on seven things. This guide walks through each one.
This guide is written for HR managers, operations directors, and compliance leads at companies between 50 and 500 employees. You probably don't have a dedicated AI governance team. You may not have a CISO. What you do have is employees who are using ChatGPT, Copilot, Claude, and a dozen other tools to do their jobs — and no documented rules about how.
Enterprise guides for this topic are written for IT departments with six-figure tooling budgets. This one isn't. The goal is a policy you can actually draft, communicate, and enforce with the team you have.
This section answers: why does this policy exist, and who does it apply to? Be specific about scope — does it cover contractors and vendors, or only direct employees? Does it apply to personal AI use on company devices, or only AI used for work tasks?
This is the heart of the policy. Employees need to know which tools they can use without asking, which require approval or have specific restrictions, and which are off-limits entirely. The three-tier structure works better than a binary approved/banned list because it prevents the policy from being so restrictive that people ignore it.
A basic tier structure looks like this:
| Tier | What it means | Example tools |
|---|---|---|
| Tier 1 — Approved | Use freely for work tasks with standard data handling | ChatGPT Enterprise, Microsoft Copilot (enterprise), Claude Teams |
| Tier 2 — Limited | Approved with specific restrictions on data types | ChatGPT Free, Gemini (personal), Perplexity |
| Tier 3 — Prohibited | Not approved for any work use | Unknown/unvetted AI tools, tools with no data processing agreements |
This is the section that prevents the actual expensive mistakes. Employees need to know which categories of information should never be entered into an AI tool, and why. The rule of thumb that works well in plain language: if you wouldn't post it publicly on the internet, don't put it in a free AI tool.
Categories to address:
AI output is the responsibility of the person who used it. This section makes that explicit. Every AI-generated output — whether it's a contract summary, a customer email, a performance review, or a code commit — must be reviewed by a qualified human before it's used or sent.
For higher-stakes decisions, go further: AI should not make final decisions on hiring, promotions, disciplinary action, or lending/credit without documented human review and sign-off.
When does your company require disclosure that AI was used? This varies by use case and industry. A marketing team using AI to draft a first-pass blog post may have different disclosure requirements than a legal team using AI to summarize a contract.
Common disclosure requirements to consider:
Employees need a simple, non-punitive way to report when something goes wrong — when they realize they pasted customer data into the wrong tool, when they notice a colleague doing something the policy doesn't allow, or when an AI output caused a problem with a client or partner.
The goal is to surface issues early before they become expensive. A culture where mistakes get reported quickly is worth far more than the threat of discipline that ensures mistakes get hidden.
A policy with no enforcement mechanism is a suggestion. Outline consequences for policy violations — typically a graduated scale from coaching conversation to formal warning to termination for serious or repeat violations.
More importantly: commit to a review schedule. AI tools, regulations, and best practices are moving fast in 2026. A policy that made sense when you wrote it in Q1 may need meaningful updates by Q3. A quarterly or twice-yearly review is appropriate for most companies.
The worst AI policies are either so restrictive that everyone ignores them, or so vague that they provide no real guidance. Both failures are expensive.
A blanket "no AI tools" policy is effectively unenforceable at most companies. Research consistently shows that employees continue using personal AI accounts even after organizational bans — they just become less likely to tell anyone when something goes wrong. Driving shadow AI further underground is worse than the alternatives.
"Only 15% of organizations have updated their acceptable use policies to address AI tools — despite the behavior being near-universal." — ISACA, 2025
A good policy doesn't try to ban innovation. It creates a clear structure that lets employees use AI productively while protecting the company from the specific risks that actually matter: data leakage, compliance violations, and unreviewed AI output making its way to clients or regulators.
Most free AI policy templates are static documents — a Word file with a date at the top. They're missing two things that are essential for the policy to actually work:
A tool tier list. Telling employees what categories of data they can share with AI tools is half the job. Telling them specifically which tools fall into which tier — so they can look up whether the tool they just found is approved before using it — is the other half. Without a tier list, the data handling rules have no anchor.
An employee acknowledgment form. Distributing a policy document by email and assuming people read it is not the same as having employees formally acknowledge it. An acknowledgment form creates a documented record that the policy was communicated and understood — relevant if an enforcement conversation happens later, and increasingly relevant as cyber liability insurers and enterprise customers ask for evidence of AI governance programs.
Drafting an AI acceptable use policy from scratch, whether by HR or legal, typically takes two to four weeks — including stakeholder review cycles, legal sign-off, and rollout communication. That timeline is compressible if you start from a well-structured template rather than a blank page.
The rollout matters as much as the document itself. A policy communicated well — with a team walkthrough, a Q&A session, and a designated point of contact for questions — produces materially better employee behavior than the same policy distributed as a PDF attachment to an all-hands email.
Shadow AI Policy generates a tailored 4-document AI policy kit for your company — acceptable use policy, tool tier list, employee acknowledgment form, and manager FAQ — based on your industry, team size, and the specific AI tools your employees use.
AI regulation is moving fast in 2026. Texas and Illinois both enacted AI-related employer regulations that took effect in January. Colorado's SB 24-205 takes effect in June. California's CCPA rules around automated decision-making require employer compliance by January 2027. The EU AI Act is rolling out enforcement for large AI models.
None of these require a 50-page enterprise compliance program for a 100-person company. But they do mean that an AI policy written in early 2026 will likely need at least one meaningful update before the end of the year. Build the review cycle into the policy from day one so it actually happens.