AI use policy for employees: a template HR can actually defend
A workable AI policy isn't a ban and isn't a free-for-all. Here's the four-tier model — green, yellow, red, prohibited — with the language, examples, and…
- Stop writing policies that say 'use AI responsibly'. Define the four tiers and give concrete examples.
- Tie each tier to data classification — public, internal, confidential, regulated — not to tool brand names.
- Require an AI register: every team logs the tools they use and the data they put in.
- Refresh the policy quarterly. The tools change faster than annual reviews can keep up.
Most AI policies fail the same way: they're written for the lawyer, not the user. Engineers, marketers and recruiters need to know in 10 seconds whether the thing they're about to paste into a model is OK. A tier model gets you there.
The four-tier model
| Tier | Means | Examples | Approval |
|---|---|---|---|
| Green | Use freely, log nothing | Public website copy, generic code, brainstorming on hypothetical data | None |
| Yellow | Use with named tools, log the prompt | Internal docs, draft emails, JD generation, anonymised analytics | Self-attest in the register |
| Red | Use only with an approved enterprise tool + DPA | Customer data, salary data, candidate PII, source code from monorepo | Manager + security sign-off |
| Prohibited | Never | Health data, legal privileged comms, M&A artifacts, board minutes, regulated PII | — |
Map tiers to data classes
Branding the policy around tools (ChatGPT good, DeepSeek bad) ages badly. Brand it around the data instead. Reuse your existing data classification — if you have public/internal/confidential/regulated, you already have the spine of the AI policy.
The AI register
- Every team nominates an AI owner. They keep a one-page register: tool, purpose, data class, owner, DPA link.
- Quarterly review with security + legal. Anything moving from yellow→red gets a 30-day plan.
- New tools enter via a 3-question intake: what does it do, what data goes in, who else uses it? 5 working days to approve.
Enforcement without theatre
Don't run keyword surveillance on Slack to catch 'prohibited tool' mentions. It poisons the culture and your most senior engineers will route around you in 24 hours. Audit the register and the data flows instead.
- Policy fits on one page; appendix has the tier examples.
- Onboarding covers the policy in 10 minutes with real prompts.
- Violations: first time = coaching, second = manager + HR, third = formal. Same as any other policy.
- Refreshed quarterly with a public changelog so employees see it's a living document.
Read next
All playbooksVendors will sell you 'ethical AI'. The accountability stays with you. Here are the five HR-specific decisions — sourcing, screening, scoring, surveillance…
Banning AI doesn't stop AI. It just pushes it onto personal devices and personal accounts where you have zero visibility.
Forget the 99 articles. There are 12 GDPR obligations that show up in normal HR work — DSARs, lawful basis, retention, transfers, breach reporting — and most…