A use policy for .
| Effective | |
|---|---|
| Owner | |
| Questions | |
AI can draft, summarize, organize, research, and explain. Used well, it makes a small team feel larger and a busy day feel manageable.
It is not a person. It does not understand context the way a colleague does. It does not know which information should leave the building and which should not. It does not own the result.
This policy applies to employees, contractors, temporary staff, vendors, and anyone else using AI tools for company work or accessing company information through AI-enabled systems.
This policy is not about saying no to AI. It is about using it well.
Employees are responsible for everything they send, publish, or rely on, even when AI helped create it. The company owns the work product. AI helps us make it. People review, decide, and sign.
AI does not make final decisions for people. Hiring, firing, financial, legal, and safety decisions are made by humans. AI can inform; people decide.
Only the tools listed in the appendix at the back of this policy, or others approved in writing by the company, may be used for company work. Tools must be accessed through company-approved licensing on company-approved devices.
Free, personal, or trial accounts are not approved tools, even when the underlying product is on the approved list.
Personal AI accounts can put company data under consumer terms, weaker admin controls, and default settings that may allow submitted content to be used for model training unless the user opts out. Company work belongs in company-approved accounts.
Do not enter the following into any AI tool unless the company has approved the tool, the account type, and the specific use case in writing:
Credentials. Passwords, MFA codes, security keys, recovery codes, or any login credentials.
Personal and protected information. Social Security numbers, banking, payment cards, payroll, tax data, medical, health, student records, or other protected personal information.
Confidential business information. Client records, contracts, invoices, account details, employee records, internal financials, system access information, or anything covered by a confidentiality agreement.
Anything you would not be comfortable sending to an outside vendor without approval.
When in doubt, do not paste. Ask first.
This policy applies to standalone AI tools and to AI features built into other software: browsers, email clients, meeting apps, PDF readers, CRMs, accounting platforms, ticketing systems, mobile apps, and vendor portals.
If a feature, plugin, browser extension, or mobile app asks to read company email, calendars, files, contacts, customer records, or financial data, get approval before granting access. The moment of authorization is the moment of risk.
Meeting bots and transcription services are the easiest place to leak something important without realizing it. Do not invite, install, or enable them unless approved. Recording, transcription, AI note-taking, and meeting-summary tools must follow company policy and applicable consent laws. Third-party meeting bots, the kind that join a call as a guest under a personal account, should never be brought into client, HR, legal, financial, or otherwise confidential meetings.
Some AI tools can do more than answer questions. They can read your files, send emails, change records, or take action on your behalf. Tools like that require approval before use.
Before approving an agent or connected app, the company should review:
Once an agent is connected, it can read or change far more than the user expects. Treat every “Allow access” prompt the way you would treat handing over a key.
Before using AI output, check facts, names, dates, numbers, and citations. Read it for tone, accuracy, and judgment. Confirm no confidential information was added or exposed. Have a manager review anything client-facing, legal, financial, HR-related, or sensitive.
AI output should not go directly to a client, vendor, employee, or the public without human review. Do not claim something is true just because AI generated it. The employee sending the message owns the final communication.
Do not use AI to copy, recreate, or republish material the company does not have the right to use. Take extra care with marketing, customer-facing, legal, financial, technical, HR, and security content.
If you enter sensitive, confidential, or regulated information into an unapproved AI tool, even by accident, report it to your manager or IT contact immediately.
Do not try to delete, hide, or fix it on your own. Prompt reporting allows the company to review the situation, reduce risk, and take appropriate next steps. Speed matters; secrecy does not.
The tools below are common business-tier AI platforms. Listing them here is not pre-approval. Your company should evaluate each before adoption based on your industry, data sensitivity, and account licensing.
| Tool | Vendor | |
|---|---|---|
Every row is editable. Remove the tools your company has not approved, and add your own as needed. Personal accounts are not a substitute, even temporarily.
Questions or unsure? Ask the contact at the top of this policy. Exceptions are granted in writing, before the tool is used or the information is shared. This policy will be reviewed at least annually, and sooner if company systems, AI vendors, legal requirements, security needs, or business processes materially change.
I have read and understand the AI Use Policy. I agree to follow it when using AI tools for company work.