New

Our AI-first training platform is live – safe AI skills, tracked, certified, and audit-ready.

All Articles
AI
4 min read

Write an AI Policy People Will Actually Follow

Most AI policies are two pages of 'thou shalt not' that nobody finishes reading. Here's how to write one that enables good work instead of pretending the tools don't exist.

Christina Arcane

Most AI acceptable-use policies share a fatal flaw: they were written to protect the organisation from its employees, so employees ignore them. They open with a wall of prohibitions, define "Artificial Intelligence" in a way no human has ever spoken aloud, and end up filed next to the policy on fax-machine etiquette.

A policy people follow does the opposite. It assumes your team wants to do good work, gives them a clear lane to do it in, and spends its energy on the handful of decisions that actually carry risk.

Lead with permission, not prohibitionLink to this section

The first thing your policy should say is yes. Yes, you can use AI here; yes, it's encouraged for the right tasks; here's how to do it safely. A policy that starts with "you may not" tells people the safe move is to hide their usage – which is precisely the outcome you're trying to avoid.

Rules that enable get followed. Rules that only forbid get routed around.

Anchor everything to data classificationLink to this section

You can't write a sensible rule for "AI" in the abstract, because the risk lives entirely in what data goes in. Give people a simple traffic-light system they can apply in two seconds:

TierExamplesAI rule
🟢 PublicMarketing copy, published docsUse freely, in any approved tool
🟡 InternalDraft plans, non-sensitive notesApproved tools only
🔴 ConfidentialCustomer data, financials, secrets, anything personalNever in public tools; private/enterprise tools only

If your people remember nothing else, they should remember the red row. Most real incidents are a red-tier paste into a green-tier tool.

Spell out the human's jobLink to this section

The most important sentence in any AI policy is the one that keeps a person accountable for the output. "The AI wrote it" transfers no responsibility whatsoever. Make the expectation explicit:

  • A human reviews AI output before it ships, every time.
  • Decisions about people – hiring, performance, access, anything with consequences – keep a human in the loop and a record of the reasoning.
  • If output is AI-assisted in a context where that matters, disclose it.

Keep it short enough to readLink to this section

A policy nobody reads protects nobody. Aim for something a new hire can absorb in five minutes. Here's the shape of a usable core:

AI Acceptable Use – the short version

1. You may use approved AI tools for your work. Encouraged, even.
2. Match the data to the tool:
   - Public data: any approved tool.
   - Internal data: approved tools only.
   - Confidential / personal data: private tools only, never public ones.
3. You own the output. Check it before you use it.
4. A human decides anything that affects a person.
5. Not sure? Ask in #ai-help. No bad questions.

Everything else – the formal definitions, the approved-tools list, the legal language – can live in an appendix the auditors read and the staff don't have to.

Roll it out like training, not like a memoLink to this section

A policy emailed once is a policy forgotten once. Launch it the way you'd launch any behaviour change: a short live session with real examples, a couple of "what would you do here?" scenarios, and a named, friendly place to ask questions. Then revisit it – the tools change every few months, and a policy that mentions last year's models tells everyone it's already out of date.

Done well, an AI policy isn't a brake. It's the thing that lets you say "yes, go ahead" with a straight face – because you know the guardrails are real.