How to Write an AI Acceptable Use Policy
If your team is using AI tools, you need an acceptable use policy. Not a thirty-page document nobody reads, but a clear set of rules that lets people use AI confidently while protecting your data and the people your work affects. This guide covers what to include, and gives you an editable template to start from today.
Why you need one now
AI tools spread through companies faster than any software before them, usually before anyone writes down the rules. That gap is where the risk sits: client data pasted into tools that train on it, AI output shipped without review, decisions about people made by a model with no human check. An acceptable use policy closes the gap. It is also increasingly expected. Buyers ask for it in security reviews, and standards and regulations like ISO 42001 and the EU AI Act assume you have clear rules for how AI is used.
What to include
A good AI acceptable use policy is short and specific. Cover these sections:
- Purpose and scope. Why the policy exists and who it applies to, including contractors and personal accounts used for work.
- Approved use. The things people can do freely with approved tools, so the policy enables rather than only restricts.
- Prohibited use. The hard lines: no sensitive data in unapproved tools, no unreviewed high-impact decisions, no passing off unverified output as checked.
- Data handling. The rule of thumb that every prompt might be stored by the vendor, so sensitive data only goes into approved tools.
- Human oversight. That people stay accountable for AI-assisted work, and that output is a draft until reviewed.
- Getting a new tool approved. A simple path to request tools, so people do not go around the policy.
- Reporting. Where to raise a problem, with no penalty for good-faith reports.
Keep it enabling
The most common mistake is writing a policy that only says no. People route around policies that block them. The best AI policies make the safe path the easy path: a clear approved-tool list, a fast approval route, and rules that are obvious rather than bureaucratic.
Start from a template, not a blank page
The free Extrasphere Starter Kit includes an editable AI Acceptable Use Policy with every section above, plus a readiness checklist. Fill in the brackets, have counsel review, and roll it out.
Map it to a framework
If buyers or auditors ask which standards you follow, a policy that maps cleanly to the common frameworks does a lot of work at once. The three that matter for most teams are ISO/IEC 42001, the first international AI management system standard, the EU AI Act if you have any European exposure, and the NIST AI RMF as a shared risk vocabulary. A well-built template notes where each section supports these, so you are not starting that mapping from scratch.
Once the policy is written, rolling it out to staff is the next step. The Generative AI Rollout Governance Kit covers that stage end to end, from the data-access review before you switch an assistant on to the monitoring after.
Frequently asked questions
Does a small team really need an AI acceptable use policy?
Yes. Size does not remove the risk of data exposure or unreviewed output, and a short policy takes an afternoon to adopt from a template.
Is an AI acceptable use policy legally required?
It depends on your jurisdiction and how you use AI, but even where it is not strictly required, it is fast becoming a baseline expectation in security reviews and standards like ISO 42001.
How long should the policy be?
Two to three pages. Long policies go unread. Specific and short beats comprehensive and ignored.
How often should we review it?
At least once a year, and whenever regulations change or you adopt a materially new AI use.