Did you know 68% of those who use AI at work haven’t told their bosses? How about the 6% that have entered sensitive company data into a conversational AI model? On the other hand, 47% of business leaders will consider using AI to carry out tasks over hiring new staff, too.
Clearly, the urge to rely on AI is well-established up and down the workplace hierarchy in our modern age. However, AI use brings with it a host of risks that will keep your HR representatives and cybersecurity experts from sleeping through the night.
Perhaps your business wants to amp up its AI use. Perhaps it wants to deny the use entirely, as it common in government, finance, or healthcare industries. Whatever the case, you’ll need an official AI policy.
Here’s what to know about creating one. This guide outlines the basic steps most companies take on their journey towards a policy, and then explains the core needs – unique to each business – that any AI policy should address.
In this guide:
Why Does My Business Need an AI Policy?
According to Tech.co’s Impact of Technology on the Workplace 2025 Report, a mere 27% of businesses have created policies that strictly limit the kind of data that can be shared with AI models. Worse, 35% of them don’t regulate how employees use chatbots in any way.
What risks does the lack of an AI policy pose to your organization? Thanks to the rampant use of generative AI over the past three years, that’s an easy question to answer: Companies must make sure they don’t spread inaccurate claims or inappropriately disclose sensitive information.
Here’s a quick look at the two biggest business concerns raised by popular generative AI models like ChatGPT or Deepseek.
Inaccuracies can lead to reputational damage
McKinsey has found that 63% of businesses cite “inaccuracy” as the biggest risk that AI poses to their company. That makes sense: Generative AI models are designed to deliver probabilistic answers, not definitive ones, which makes them poorly suited (at present) to many tasks in fields like math and science.
When businesses let AI hallucinations slip through the net, the resulting negative publicity can be huge. Your policy can address this by mandating some form of human oversight to maintain quality assurance.
Employee usage can lead to data leaks
Data handling guidelines are another crucial element of any AI policy worth its salt.
As wild as it might seem to most people, there have been several high-profile examples of employees at large companies uploading data as sensitive as software source code to AI tools. Cybsafe’s 2024 Cybersecurity Behavior and Attitudes Report, on the other hand, found that almost 40% of workers have entered sensitive information into AI tools without asking their employer.
Unless they’re running the AI model locally, a worker has leaked that sensitive data as soon as it’s entered into the third-party tool – it might even be saved and used for training. Once leaked, sensitive data can destroy a company in several different ways: It can open up the company to a cybersecurity attack, lawsuits from clients or customers, and potential violation of government data security laws.
To stop this situation from happening, your policy should mandate what categories of data are allowed to be used with AI programs.
How to Create an AI Policy in 5 Steps
Some AI guides are bloated with a dozen different steps to take on the path toward creating the perfect AI policy, but the truth is simpler than that.
You just need to figure out the key stakeholders to include in the conversation and the company goals that must be met. Then, it’s simply a matter of getting final approval and rolling it out to all employees.
1. Locate all key stakeholders
Board members, executives, or department heads: You’ll need to know who to include and consult during the policy creation process.
The company must be fully behind whatever policy is decided, which means you’ll need the top boardroom brass to sign off on it. In addition, you’ll need to have input from someone in charge of every department that will (or won’t) interact with AI, as well as IT team input.
2. Determine your company’s goals
One-on-one discussions with each key stakeholder may help the core goals of your company’s AI policy emerge organically. Will AI help to reduce budgets? Enhance the customer experience? How strongly does the company want to act to reduce the cybersecurity risks of AI?
3. Use the goals to shape your primary objectives
Each department should identify its primary objective since each one might use AI differently. Sales teams may use it for internal processing, while marketing teams might craft first drafts of marketing materials with it. Some departments may not need it at all, or might work with sensitive data too closely to open up to the risk of a potential leak.
4. Draft and finalize the policy
Create a policy that addresses all goals and objectives in a clear and coherent way. We’ve included an example template a little farther into this guide, but typical sections will include: A notice addressing the purpose and scope of the policy, definitions of concepts, all permitted uses, and all prohibited uses of AI.
5. Issue the policy
Once the policy is ready to go, pass it on through official channels the entire employee directory, and provide a way they can respond with their thoughts. The policy should be reviewed and updated regularly, to keep up with AI advancement.
What to Include in Your AI Policy
AI policies are all about establishing a company’s boundaries, and when dealing with generative AI, those boundaries tend to be the same. Your policy will likely need to cover these core concepts, with a section dedicated to each.
Definitions
Anyone who has taken a debate class can tell you the importance of a definition: Every single party involved in a policy must be operating under the same definitions, or else they’ll disagree on the application of those concepts. Opening with defining terms like “GenAI,” “Prompt engineering,” or “Foundational models” will help guide the rest of the policy.
Ethics statements
This section allows for broad statements that establish your company’s stance on typical ethical questions, which may include:
- Transparency: Explain AI decision-making where possible.
- Nondiscrimination: Prevent biases in AI models.
- Privacy: Ensure compliance with GDPR, CCPA, and other data laws.
- Accountability: Clearly define responsibility for AI outcomes.
- Human oversight: Specify when human intervention is required in AI decisions.
The rest of the policy should follow the spirit of these principles by explaining them in further detail.
Practical AI use
You’ll want to cover the practical uses of AI that are permitted for your employees. This might differ by department or by employee, but it establishes the boundaries of how generative AI should be used. This includes details like what data sets are allowed, what projects can include AI, and how employees should incorporate AI.
Legal AI use
Incorporate your legal concerns. To what extent is personal data allowed to be given to AI chatbots, if at all? How does such a practice conflict with the company’s pre-existing guidelines that protect their intellectual property and copyrighted material? Can AI be used to track employee output ethically, in an attempt to boost productivity? Establish what applications of AI are not allowed within your company.
Security concerns
Establish an AI system security protocol that addresses all internal AI use. If your company will be training its own AI model, you’ll want to establish a risk assessment process first. In most cases, however, you’ll just need to create a regular audit process to ensure that the policy is being followed.
Prohibited practices or tools
You may want to entirely ban the casual use of generative AI during company time. This isn’t an unpopular stance: Research from early 2024 found that one in four companies had banned the use of generative AI by their employees.
If you’re not outright banning the practice, you may want to outline which specific tools may be used. Should Deepseek be banned at your organization? If you’re the New York State government, it already is.
Your AI Policy Example Template
This three-page policy template outlines the general shape that a mid-sized software company might want its AI policy to take.
It includes sections for the purpose and scope of the policy, definitions of key concepts included in the policy, and lists both the permitted and prohibited uses of generative AI within the company. It also outlined the company’s approach to AI security, ethics, human oversight, and training, among others.
This particular policy was generated with the help of MagicMirror and is only designed to serve as an example of the general template that a policy often takes. To build a policy that serves your business needs and addresses your risks, you’ll need to modify it significantly. We recommend asking your legal team for their own template.
72% of respondents who use AI extensively report high organizational productivity, according to Tech.co research. It’s the wave of the future: Just 15% of businesses say that they have not used AI at all, according to our latest Tech in the Workplace report.
Develop your AI policy today, ensuring your company is addressing AI use in a practical, legal, and secure manner, and you’ll be on your way to that same productivity.
