Skip to content
Playbook
IntermediatePillarHRFounderCEO

AI policy templates for HR: what to write, what to forbid, what to leave open

A practical AI usage policy for HR teams to issue to employees — what to allow, what to forbid, training requirements, monitoring, and incident response.

20 min read
On this page
60-Second Summary
  • Every company with 20+ employees should have an AI usage policy by 2026. Most don't. The default is unmanaged shadow AI use — risky and unenforceable.
  • A working AI policy has 8 sections: scope, approved tools, prohibited use, data classification, IP & ownership, transparency requirements, training, and incident response.
  • The biggest mistake is banning AI outright — it drives use underground and prevents the company from getting any benefit. The second-biggest mistake is having no policy and assuming common sense.
  • Policy alone doesn't work. Pair it with a list of approved tools, an enablement program, and an exceptions process. A policy with no enablement is decorative.

By mid-2026, most employees at most knowledge-work companies use AI in some form weekly — often without telling their employer. Without a policy, this means leaked customer data, IP confusion, biased outputs treated as authoritative, and quiet legal exposure that surfaces only when it's already a problem. An AI usage policy is the cheapest insurance you can buy.

Why every company needs this in 2026

  • Shadow AI is universal. Surveys consistently find 50–80% of knowledge workers use AI tools the employer hasn't sanctioned.
  • Regulators expect a policy. The EU AI Act, NIST AI RMF, and emerging US state laws presume employers have an internal governance baseline.
  • Customer contracts increasingly require it. Procurement asks 'do you have an AI policy?' on vendor questionnaires.
  • Incidents will happen. Without a policy, your incident-response plan defaults to 'figure it out in the moment.'

Anatomy of an AI usage policy

The 8 sections every AI policy needs
  1. 1
    1. Scope
    Who and what does this cover? All employees and contractors using AI for company work, with company data, or on company devices.
  2. 2
    2. Approved tools
    Named list with what they're approved for. Updated quarterly. Default: anything not on the list requires approval before use for company work.
  3. 3
    3. Prohibited uses
    Specific use cases that are not allowed regardless of tool. Examples: autonomous candidate rejection, customer data in non-enterprise tools, medical/legal/financial advice to customers.
  4. 4
    4. Data classification
    What kinds of data can go into which kinds of tools. Public, internal, confidential, restricted — each with allowed AI tools.
  5. 5
    5. IP and ownership
    Who owns AI-generated work product? (Usually the company, for work-related output.) How are AI tools' outputs attributed? When must employees disclose AI involvement?
  6. 6
    6. Transparency to others
    When must we disclose AI use to candidates, customers, employees? (Increasingly: always, when AI materially affects them.)
  7. 7
    7. Training & enablement
    Required training before use. Ongoing learning resources. Designated experts.
  8. 8
    8. Incident response
    What to do if data leaks, output causes harm, or a tool produces biased/incorrect results. Who to notify, how fast.

Starter policy (copy this)

Below is a starter policy you can adapt. Anonymize, customize per jurisdiction, and have legal counsel review before publishing. Plain language is intentional — policies people don't read are not policies.

1. Purpose & scope

This policy describes how all employees, contractors, and interns at [Company] may use Artificial Intelligence (AI) tools — including but not limited to large language models (ChatGPT, Claude, Gemini, Copilot), image generators, code assistants, and AI features embedded in other tools — when doing work for the Company, using Company data, or on Company-owned devices.

2. Approved tools

The current list of approved AI tools is maintained at [link]. As of [date], the approved tools are: [Microsoft 365 Copilot] for general work; [ChatGPT Enterprise] for content and research; [Claude for Work] for long-document analysis; [GitHub Copilot] for code; [vendor-specific HR AI] for HR workflows. Free or personal versions of these tools are NOT approved for work involving Confidential or Restricted data (defined below). Use of any tool not on this list for company work requires written approval from [function head / IT / Legal].

3. Prohibited uses

The following are prohibited regardless of tool:

  • Entering customer Personally Identifiable Information (PII), Protected Health Information (PHI), payment card data, or any data protected under GDPR / DPDP / CCPA / HIPAA into any AI tool that is not contractually covered for that data type.
  • Using AI to make autonomous decisions that significantly affect individuals (hiring rejection, performance termination, pay determination, customer denial) without documented human review and accountability.
  • Representing AI-generated output as your own original work where attribution is expected (regulatory filings, research publications, customer communications stating you analyzed something personally).
  • Using AI to generate content that infringes third-party IP (long verbatim reproduction of copyrighted content) or that violates our Code of Conduct (harassment, discrimination, defamation).
  • Bypassing safety features of AI tools (jailbreaking, prompt injection, role-play instructions to override safety policies).

4. Data classification

Data typeExamplesAllowed AI tools
PublicMarketing copy, published research, website contentAny approved tool, any tier
InternalInternal docs, anonymized analysis, generic emailsEnterprise-tier approved tools
ConfidentialCustomer data (de-identified), comp data, strategyEnterprise-tier with DPA only
RestrictedPII, PHI, payment data, M&A pre-announcement, sealed legalNo AI use without specific written approval

5. IP and ownership

Output generated by AI tools using company prompts, in the course of company work, is owned by the Company to the maximum extent permitted by law. Employees may not assert personal copyright over such output. The Company recognizes that AI outputs may not be eligible for copyright protection in some jurisdictions (US Copyright Office — non-human authorship); we treat such outputs as Company-owned material regardless. Employees must not paste material protected by third-party copyright (e.g., copyrighted books, paid datasets, confidential vendor materials) into AI tools.

6. Transparency to others

Employees must disclose AI use in the following contexts:

  • To candidates: when AI tools are used to screen applications, assess submissions, or schedule/conduct interviews (legally required in NYC, Illinois, EU; best practice everywhere).
  • To customers: when AI generates customer-facing content that the customer would reasonably believe was authored by a person (e.g., AI-generated personalized advice).
  • To employees: when AI is used to inform performance, comp, or promotion decisions.
  • In academic, regulatory, or legal filings: per the recipient's stated rules.

7. Training and enablement

Every employee using AI for company work must complete the [Company AI Foundations] course within 30 days of starting. Specialized roles (HR, Legal, Finance, Engineering) complete a function-specific module. Refresher training is required annually. The People Ops team maintains a Prompt Library, a list of approved use cases, and runs a monthly office hour for AI questions.

8. Incident response

If you suspect any of the following has occurred, report to [security@company.com] within 4 business hours:

  • Confidential or Restricted data was entered into a non-approved AI tool.
  • AI output was acted on that turned out to be materially incorrect, with consequence to a customer, employee, or financial outcome.
  • An AI tool produced output that violates our Code of Conduct (discrimination, harassment, defamation).
  • A vendor disclosed a security incident affecting the AI tool we use.

Good-faith reporting will not result in disciplinary action. Concealment of incidents will.

Common mistakes to avoid

MistakeWhy it backfiresBetter approach
Banning AI entirelyDrives use underground; loses competitive advantageAllow approved tools; forbid specific uses
A 30-page policy nobody readsUnenforceable; managers don't know what to allowUnder 5 pages; plain language; one-page summary
No approved-tool listEmployees can't comply because they don't know what's approvedMaintained, dated, accessible list
No incident response processFirst incident becomes a crisisClear reporting path, no-blame for good-faith reports
Policy without trainingEmployees follow folk practices, not the policyMandatory short training; refresh annually
Treating AI as just another IT issueMisses the legal, HR, and IP dimensionsCross-functional AI committee (Legal, IT, HR, Engineering)

Rollout playbook

  1. Week 1–2: Draft policy. Convene Legal + IT + HR + Engineering for review.
  2. Week 3: Pilot with one team. Collect feedback for 2 weeks.
  3. Week 5: Revise based on pilot. Lock approved-tool list.
  4. Week 6: Build training (60-min video + quiz works).
  5. Week 7: All-hands announcement. CEO sends.
  6. Week 8–12: Training rollout. Track completion.
  7. Month 4+: Quarterly review of policy, approved tools, incident log.

Enforcement & incidents

Disciplinary response should be proportionate and calibrated. A first-time good-faith mistake (e.g., pasting a customer name into free ChatGPT without realizing it counted) calls for coaching and process improvement — not termination. Repeated violations, willful concealment, or breaches with material harm escalate through your existing progressive discipline framework. Document all incidents (anonymized) and share patterns to drive policy improvement.

FAQ

Frequently asked questions

Should we forbid free ChatGPT entirely?

Yes for work involving company data. No for genuinely public-information tasks. The cleanest rule: 'free tools may not be used with any company data; paid enterprise tools may be used per the data classification table.'

What about AI features in tools we already use (Notion AI, Slack AI, Google Workspace Gemini, Office Copilot)?

Treat them as separate tools requiring evaluation. Check the vendor's data-handling terms (do they train on your data? what's the retention?). Most enterprise tiers of these tools now contractually exclude training on customer data — the free tiers may not.

How do we audit compliance?

Three signals: (a) data leak alerts from your DLP / browser tools detecting pastes into AI domains, (b) AI tool usage telemetry from your IT-approved tools, (c) self-report through the incident channel. Most companies don't actively monitor employee AI use — they make the policy clear, train, and respond to incidents.

Does the policy apply to executives?

Yes, and visibly. Executive non-compliance is the single fastest way to make the policy unenforceable for everyone else.

What if a customer asks if we use AI?

Tell them, in proportion to how AI affects them. If AI processes their data, they have a right to know — and increasingly a contractual right to ask for specifics. A 'How we use AI' page on your website is a low-cost way to handle this systematically.

Is this guidance specific to the US?

The structure is global; the legal references are not. Adapt the data-classification section to local data-protection law (GDPR in EU, DPDP in India, PIPEDA in Canada). Adapt the transparency section to local AI laws (EU AI Act, Colorado SB 24-205). Local counsel review is required for any multi-jurisdiction rollout.

Written by Pawan Joshi.Sources cited inline.
First published 15 Jun 2026See site changelog →