Phase 4 · Weeks 4–6

The AI Use Policy and employee manual.

Your policy must be specific enough to be enforceable, simple enough to be followed, and flexible enough not to block legitimate use. Below are the four sections every policy must contain.

Section 1 — Approved tools and access tiers (policy excerpt)

1. Tool approval process

No AI tool may be used for company business unless reviewed and approved by the AI Governance Committee. Unapproved tools — including free consumer AI products — are prohibited for work-related use.

2. Three-tier access model

Tier 1 — All employees: approved general-purpose AI with public or sanitized data only.
Tier 2 — Department leads: enterprise AI with internal (non-sensitive) data.
Tier 3 — AI Committee: full-capability enterprise tools with mandatory audit logging.

3. Personal account prohibition

Employees may not use personal AI accounts — free or paid — for company work. Company-licensed enterprise accounts with data isolation agreements are required for all work-related AI activity.

Section 2 — Data handling rules (policy excerpt)

1. Prohibited inputs

Never enter into any AI system: customer PII, financial forecasts, employee HR records, pending litigation, trade secrets, passwords, or any data subject to HIPAA, FINRA, GDPR, or other applicable regulatory frameworks.

2. Output verification requirement

All AI-generated content shared externally must be reviewed and approved by a human employee before distribution. "The AI wrote it" is not a defense.

3. Vendor data agreements

All enterprise AI contracts must include: data isolation, zero training on company inputs, breach notification within 72 hours, and the right to audit.

Section 3 — Acceptable and prohibited uses (policy excerpt)

Approved use cases

Drafting communications with public information
Summarizing meeting notes (no sensitive content)
Writing and reviewing code
Research using public data
Creating training materials
Drafting marketing copy for human review

Prohibited use cases

Making hiring or termination decisions based solely on AI
Generating synthetic media of real people
Using AI to surveil employees without HR and Legal approval
Submitting AI-generated work as original human-authored work

Section 4 — Reporting, violations, and incident response (policy excerpt)

1. Reporting channel

Employees who discover potential violations or suspect a data exposure must report to the AI Committee within 24 hours. Good-faith reports are protected under the no-retaliation policy.

2. Violation consequences

First offense, unintentional: mandatory retraining.
Intentional violation: formal disciplinary action up to and including termination.
Data breach from AI misuse: immediate access suspension, Legal escalation, and regulatory notification.

3. Incident response sequence

1. Committee Chair notified within 1 hour
2. Legal engaged within 4 hours
3. IT isolates the affected tool within 8 hours
4. Full report completed within 72 hours
5. Remediation plan within 2 weeks

Is your AI Use Policy enforceable?

The Enterprise AI Adoption Index measures whether your policy is real — written, approved, communicated, and actually applied to day-to-day decisions.
