Skip to content
Playbook
IntermediateHRPeopleOpsManager

AI use policy for employees: a template HR can actually defend

A workable AI policy isn't a ban and isn't a free-for-all. Here's the four-tier model — green, yellow, red, prohibited — with the language, examples, and…

10 min read
On this page
60-Second Summary
  • Stop writing policies that say 'use AI responsibly'. Define the four tiers and give concrete examples.
  • Tie each tier to data classification — public, internal, confidential, regulated — not to tool brand names.
  • Require an AI register: every team logs the tools they use and the data they put in.
  • Refresh the policy quarterly. The tools change faster than annual reviews can keep up.

Most AI policies fail the same way: they're written for the lawyer, not the user. Engineers, marketers and recruiters need to know in 10 seconds whether the thing they're about to paste into a model is OK. A tier model gets you there.

The four-tier model

TierMeansExamplesApproval
GreenUse freely, log nothingPublic website copy, generic code, brainstorming on hypothetical dataNone
YellowUse with named tools, log the promptInternal docs, draft emails, JD generation, anonymised analyticsSelf-attest in the register
RedUse only with an approved enterprise tool + DPACustomer data, salary data, candidate PII, source code from monorepoManager + security sign-off
ProhibitedNeverHealth data, legal privileged comms, M&A artifacts, board minutes, regulated PII

Map tiers to data classes

Branding the policy around tools (ChatGPT good, DeepSeek bad) ages badly. Brand it around the data instead. Reuse your existing data classification — if you have public/internal/confidential/regulated, you already have the spine of the AI policy.

The AI register

  1. Every team nominates an AI owner. They keep a one-page register: tool, purpose, data class, owner, DPA link.
  2. Quarterly review with security + legal. Anything moving from yellow→red gets a 30-day plan.
  3. New tools enter via a 3-question intake: what does it do, what data goes in, who else uses it? 5 working days to approve.

Enforcement without theatre

What not to do

Don't run keyword surveillance on Slack to catch 'prohibited tool' mentions. It poisons the culture and your most senior engineers will route around you in 24 hours. Audit the register and the data flows instead.

  • Policy fits on one page; appendix has the tier examples.
  • Onboarding covers the policy in 10 minutes with real prompts.
  • Violations: first time = coaching, second = manager + HR, third = formal. Same as any other policy.
  • Refreshed quarterly with a public changelog so employees see it's a living document.
Written by Pawan Joshi.Sources cited inline.
First published 16 Jun 2026See site changelog →