AI ACCEPTABLE USE POLICY (AUP) — QUICK START

Company: [Company Name]
Effective date: [YYYY-MM-DD]
Policy owner: [Team / Role]
Applies to: All employees, contractors, interns, and temporary staff
Review cycle: [Quarterly / Semiannual]

1) Purpose
This policy defines acceptable use of AI tools to improve productivity while protecting Company data, customers, and intellectual property.

2) Approved AI tools
Use only AI tools approved by [IT/Security]. Approved tools list: [Link / List].
Do not use personal AI accounts for Company work unless explicitly approved.

3) Data rules (most important)
Do NOT enter into any AI tool:
- Passwords, secrets, API keys, private keys, access tokens
- Payment data (credit card/bank), authentication codes
- Customer personal data (PII) unless approved by [Legal/Security]
- Confidential contracts, legal documents, non-public financials unless approved
- Proprietary source code or architecture details unless approved

Allowed inputs (examples):
- Public information
- Sanitized/anonymized text with no identifiers
- General drafts that contain no confidential details

4) Output rules
- Treat AI output as a draft: verify facts, sources, calculations, and claims.
- Do not publish AI-generated content externally without human review.
- Do not rely on AI as the sole basis for legal/medical/financial decisions.

5) Intellectual property (IP)
Do not paste third-party copyrighted content into AI tools unless permitted.
Follow [Company IP/Attribution rules] for AI-assisted deliverables.

6) Security & integrations
- Use SSO (single sign-on) where available.
- Do not connect AI tools to Company drives/knowledge bases without approval.
- Report suspected data exposure immediately to [Security Contact].

7) Logging, monitoring & costs
AI usage may be logged for security, compliance, and cost management.
Employees must follow usage limits/budgets set by [Owner].

8) Violations
Violations may result in restricted access and disciplinary action up to termination.

Approval
[Name, Title]
[Date]

AI ACCEPTABLE USE POLICY (AUP)

Document control
- Company: [Company Name]
- Version: [1.0]
- Effective date: [YYYY-MM-DD]
- Owner: [Role / Team]
- Approved by: [Role]
- Review cycle: [Quarterly / Semiannual]

1. Purpose
1.1 Purpose
[Company Name] ("Company") enables employees to use artificial intelligence ("AI") tools to improve productivity while protecting Company data, customers, and intellectual property.

1.2 Goals
This policy aims to:
(a) protect Company, customer, and partner data,
(b) reduce legal and compliance risk,
(c) ensure high-quality outputs and responsible use,
(d) manage and control costs.

2. Scope
2.1 Covered persons
This policy applies to all employees, contractors, interns, and temporary staff.

2.2 Covered systems and data
This policy covers any AI usage involving Company systems, accounts, networks, or data, including third-party AI tools used for Company work.

3. Definitions
3.1 AI Tool
Any system that generates or transforms text, images, audio, video, or code using machine learning.

3.2 Confidential Data
Any non-public information relating to the Company, its customers, partners, or employees, including business, financial, legal, technical, or security information.

3.3 Personal Data (PII)
Information that can identify an individual directly or indirectly (e.g., name, email, phone, ID number).

4. Principles
4.1 Human accountability
Humans remain accountable for decisions and deliverables. AI does not replace professional judgment.

4.2 Least privilege
AI tools and integrations must be granted only the minimum access necessary.

4.3 Data minimization
Only provide the minimum data needed to accomplish the task.

4.4 Security by design
Use approved tools and secure configurations (SSO, encryption, access controls).

5. Approved tools and accounts

5.1 Approved tool list
Employees may use only tools approved by [IT/Security] and listed at: [Link].

5.2 Account requirements
- Use Company-managed accounts (SSO) where available.
- Do not use personal AI accounts for Company work unless approved by [IT/Security].

5.3 Tool requests
Requests for new AI tools must be submitted via [Process/Link] and will be evaluated for:
- security controls (SSO, RBAC, encryption)
- data handling/retention policies
- compliance (DPA, SOC 2 or equivalent)
- cost impact

6. Data handling rules
6.1 Prohibited inputs (never allowed)
Employees must not enter any of the following into an AI tool:
- Passwords, credentials, secrets, access tokens, private keys
- Payment card or bank account information
- Authentication codes (OTP), recovery codes
- Highly sensitive personal data (health, biometrics, etc.)

6.2 Restricted inputs (allowed only with approval)
The following may be used only with documented approval from [Legal/Security] and only with appropriate safeguards:
- Customer PII or customer content
- Non-public legal documents, contracts, or negotiations
- Non-public financial results or forecasts
- Proprietary code, system architecture, or security details

6.3 Allowed inputs
The following inputs are generally allowed:
- Public information
- Sanitized/anonymized text that cannot identify a person or customer
- General drafts that do not include confidential business details

6.4 Anonymization requirements
When using internal text, employees must remove or mask:
- names, emails, phone numbers, addresses
- customer identifiers and account numbers
- unique project names or confidential identifiers

6.5 Storage and retention
Employees must assume that content entered into third-party AI tools may be stored and reviewed by the provider unless a signed agreement states otherwise.

7. Output usage and quality controls
7.1 Verification
AI outputs must be verified for:
- factual accuracy
- citations/sources for claims
- calculations and reasoning
- compliance with Company standards

7.2 External publication
No AI-generated content may be published externally (marketing, documentation, code, customer communications, etc.) without human review.

7.3 Sensitive decisions
AI must not be used as the sole basis for legal, medical, HR, compliance, hiring, or financial decisions.

8. Intellectual property and licensing
8.1 Third-party materials
Employees must not input third-party copyrighted material unless permitted by license or explicit permission.

8.2 Company IP
AI-assisted work products are Company deliverables and must comply with [IP policy]. Where required, include attribution and retain records of sources.

9. Security and integrations
9.1 Integrations with internal systems
Connecting AI tools to Company systems (Google Drive, Notion, Confluence, databases, ticketing, etc.) requires approval from [IT/Security].

9.2 Access controls support:
- role-based access control (RBAC)
- user management (ideally via SSO)
- audit logs (where available)

9.3 Incident reporting
Employees must report suspected data exposure, prompt injection incidents, or policy violations to [Security Contact] immediately.

10. Privacy and compliance
10.1 Legal compliance
AI use must comply with applicable laws and Company policies (privacy, security, retention, HR, etc.).

10.2 Customer and partner restrictions
If a customer contract restricts AI usage, those restrictions override this policy.

11. Cost controls and usage tracking
11.1 Budgeting
[Owner] sets usage budgets and/or limits by team/role.

11.2 Monitoring
AI usage may be monitored and reported for security, compliance, and cost control.

11.3 Model restrictions
Where applicable, higher-cost models may be restricted to specific roles or use cases.

12. Training and support
12.1 Training
Employees must complete required AI training before using approved AI tools for Company work.

12.2 Support
Questions should be directed to:
- Security/IT: [Contact]
- Legal: [Contact]
- HR/People Ops: [Contact]