Marketing May 19, 2026 7 min read

AI Policy for Marketing Agencies: Protecting Client Brands in the AI Era

By the Shadow AI Policy team

**Marketing agencies are feeding client brand assets, campaign briefs, and competitive intelligence into AI tools every day — often with no policy, no disclosure framework, and no client consent.** This post covers the five policy problems that matter most for agencies right now: how to handle AI-generated content and brand voice integrity, what approval workflows should look like for AI-assisted deliverables, where to draw the line on client data inputs, how to manage AI use in competitive research, and how to extend your policy to contractors and freelancers who do much of the actual work.

The biggest risk for marketing agencies isn't that AI produces bad copy — it's that client data, brand guidelines, and competitive intelligence get ingested into third-party AI training pipelines without the client ever knowing. Build your policy around data containment first, quality second.

Why Agencies Need a Different Kind of AI Policy

Most AI acceptable use policies are written for internal operations — protecting the company's own data. Agencies have a harder problem. The sensitive data flowing through your AI tools mostly belongs to someone else: your clients. That changes the legal exposure, the disclosure obligations, and the trust stakes considerably.

When a client hands you their brand guidelines, customer personas, campaign performance data, and unreleased product information, they're trusting you with assets that can damage their business if mishandled. An AI tool that trains on user inputs — even in aggregate — is a real risk to that trust. Your AI policy needs to treat client data as a regulated asset, not just internal information.

The good news is that a well-structured agency AI policy doesn't have to slow teams down. The goal is clear boundaries and lightweight workflows, not prohibition. If you haven't built one yet, start with a structured AI acceptable use policy template before customizing for agency-specific needs.

Client Brand Voice and AI-Generated Content Disclosure

Brand voice is one of the most valuable things an agency protects on behalf of a client. The problem with AI-generated copy isn't just quality — it's consistency. AI tools don't inherently know that a client's brand voice is "dry wit, never sarcastic" or that they never use certain competitor-adjacent terms. Without a human review layer, AI output can quietly erode voice consistency across campaigns.

Your policy should require that all AI-generated copy go through a brand voice review before delivery — not just a grammar check. This means someone on the team who knows the client's guidelines reads the output with that lens specifically. It's a separate step from general QA.

On disclosure: be direct with clients about whether AI tools are used in their work. Some clients will have contractual or reputational reasons to require human-authored content. Others won't care. The worst outcome is a client finding out after the fact. Build a standard disclosure clause into your client contracts or statements of work — something like "AI tools may be used in content development; all deliverables are reviewed and approved by [agency] staff before submission." That one sentence prevents most disputes.

Approval Workflows for AI-Assisted Client Deliverables

An approval workflow for AI-assisted work doesn't need to be complicated, but it does need to be consistent. The risk without one is that individual team members make their own judgment calls about what AI output is "good enough" to send — and those calls won't always be right.

Here's a simple tier structure that works for most agencies:

The key is that your policy defines which tier applies to which deliverable types — not which tier the individual team member decides feels right in the moment. Lock this into your project management workflow so it's not optional.

Figure: AI Deliverable Approval Flow

  - AI output created (team member uses AI tool)
  - Client-facing deliverable?
    - No: internal use, lead sign-off
    - Yes: substantially edited?
      - No: Tier 3, client sign-off
      - Yes: Tier 2, standard client review

Client Data Input Restrictions Across Campaign Work

This is the highest-stakes policy area for agencies. When team members paste client customer data, unreleased creative, campaign performance metrics, or proprietary audience research into an AI tool, they may be violating their client contracts — and potentially applicable data protection laws — without knowing it.

The specific risk depends on what the AI tool does with inputs. Many popular AI tools, including free tiers of widely used platforms, use conversation data to improve their models unless users explicitly opt out or use an enterprise plan with different data terms. That opt-out is buried in settings most users never check. This is a core shadow AI problem — for a fuller picture of how it plays out across organizations, see what shadow AI actually means and why it matters.

Your policy should establish a clear data classification ladder for client inputs:

| Data Type | Examples | AI Tool Permission |
| --- | --- | --- |
| Public / non-sensitive | Published brand guidelines, public pricing, released creative | Approved tools, any tier |
| Internal / confidential | Unreleased campaign briefs, internal performance data, audience personas | Approved tools with training opt-out confirmed OR enterprise plan only |
| Restricted | Customer PII, financial data, health-related audience data, NDAs | Prohibited in AI tools unless a BAA or DPA is in place with the vendor |

If your clients are in regulated industries — healthcare, financial services, legal — the restricted category expands significantly. A client's customer email list is personal data under GDPR Article 4(1) and CCPA Section 1798.140. Pasting it into an AI tool without a Data Processing Agreement with that vendor is a potential compliance violation, not just a policy violation.

Competitive Research with AI Tools — Privacy Considerations

Competitive research is one of the most common AI use cases in agencies, and one of the least governed. Team members use AI tools to summarize competitor positioning, analyze public ad libraries, and generate SWOT comparisons. Most of this is fine. Some of it isn't.

The specific risk areas to address in your policy:

The practical rule: AI tools are fine for analyzing publicly available information. They're not a safe place to process confidential competitive intelligence your client has shared with you under a confidentiality agreement.

Contractor and Freelancer AI Policy Scope

Agencies commonly use a mix of full-time staff and freelance contractors — and the freelancers often handle the most AI-adjacent work: copywriting, design, social content, research. Your AI policy is worth nothing if it stops at your payroll.

Your policy needs to explicitly cover anyone working on client deliverables, regardless of employment status. The practical mechanism for this is your contractor agreement or statement of work. Add a clause that requires contractors to follow your agency's AI acceptable use policy, confirms they won't input client data into unapproved tools, and requires them to disclose if AI was used in a deliverable. This isn't about restricting how contractors work — it's about establishing the same data protection boundaries that your staff operate under.

A freelancer who pastes your client's unreleased product brief into a consumer AI tool isn't breaking your policy if you never gave them one. The liability lands on the agency, not the contractor.

The three things to put in every contractor agreement or SOW addendum:

  1. A requirement to use only AI tools on your agency's approved list for work involving client data
  2. A disclosure requirement for AI-assisted deliverables (matching your internal Tier structure above)
  3. Confirmation that client data shared for the engagement may not be input into any external AI tool not covered by a signed DPA

If you need a starting point for the broader policy your contractors are agreeing to, you can generate a tailored policy kit that covers both employee and contractor scope.

About Shadow AI Policy: We build AI acceptable use policy tools for HR and operations teams at 50–500 person companies. We publish guides on shadow AI, acceptable use policies, and AI governance, updated as regulations and AI tools change.

Common questions

What is the right way to tell clients we use AI on their account?

Add a single clause to your statement of work or master services agreement — something along the lines of "AI tools may be used in the development of deliverables; all client-facing work is reviewed and approved by agency staff prior to submission." This is cleaner than a verbal disclosure and creates a record. For clients who explicitly prohibit AI-generated content, flag that during scoping so you can price and staff accordingly — don't agree to a prohibition you won't keep.

Do we need a separate AI policy for freelancers, or does our internal policy cover them?

Your internal policy doesn't automatically extend to independent contractors — employment law in most jurisdictions treats them as separate parties. You need to reference your AI acceptable use policy in your contractor agreements or statements of work and require explicit compliance as a condition of engagement. A brief addendum covering approved tools, data input restrictions, and disclosure requirements is enough. It doesn't need to be lengthy.

Which AI tools are safe to use with client data?

"Safe" depends on the tool's data terms, not just the tool's name. The key question is whether the vendor uses your inputs to train their models, and whether they offer a Data Processing Agreement (DPA) if your client data includes personal data covered by GDPR or CCPA. Enterprise plans for tools like OpenAI, Google Gemini, and Microsoft Copilot typically disable training on user inputs and offer DPAs — consumer or free tiers usually don't. Always verify the current terms directly with the vendor before approving a tool for use with restricted client data.

What should we do if a team member has already been pasting client data into an unapproved AI tool?

First, determine what category of data was involved using the classification framework in your policy — public, confidential, or restricted. If the data was genuinely restricted (customer PII, NDA-covered material), review the AI tool's data retention and training policies to understand what happened to the inputs, and assess whether your client contract or applicable data protection law requires notification. Going forward, add that tool to your prohibited list for client data, brief your team on the boundary, and update your onboarding so new staff and contractors understand the rules before they start.
