
How to Write an AI Acceptable Use Policy

If your team is using AI tools, you need an acceptable use policy. Not a thirty-page document nobody reads, but a clear set of rules that lets people use AI confidently while protecting your data and the people your work affects. This guide covers what to include, and gives you an editable template to start from today.

Why you need one now

AI tools spread through companies faster than any software before them, usually before anyone writes down the rules. That gap is where the risk sits: client data pasted into tools that train on it, AI output shipped without review, decisions about people made by a model with no human check. An acceptable use policy closes the gap. It is also increasingly expected. Buyers ask for it in security reviews, and standards like ISO 42001 and the EU AI Act assume you have clear rules for how AI is used.

What to include

A good AI acceptable use policy is short and specific. Cover these sections:

Keep it enabling

The most common mistake is writing a policy that only says no. People route around policies that block them. The best AI policies make the safe path the easy path: a clear approved-tool list, a fast approval route, and rules that are obvious rather than bureaucratic.


Start from a template, not a blank page

The free Extrasphere Starter Kit includes an editable AI Acceptable Use Policy with every section above, plus a readiness checklist. Fill in the brackets, have counsel review, and roll it out.

Map it to a framework

If buyers or auditors ask which standards you follow, a policy that maps cleanly to the common frameworks does a lot of work at once. The three that matter for most teams are ISO/IEC 42001, the first international AI management system standard; the EU AI Act, if you have any European exposure; and the NIST AI RMF, as a shared risk vocabulary. A well-built template notes where each section supports these, so you are not starting that mapping from scratch.

Once the policy is written, rolling it out to staff is the next step. The Generative AI Rollout Governance Kit covers that stage end to end, from the data-access review before you switch an assistant on to the monitoring after.

Frequently asked questions

Does a small company really need an AI policy?

Yes. Size does not remove the risk of data exposure or unreviewed output, and a short policy takes an afternoon to adopt from a template.

Is an AI acceptable use policy a legal requirement?

It depends on your jurisdiction and how you use AI, but even where it is not strictly required, it is fast becoming a baseline expectation in security reviews and standards like ISO 42001.

How long should it be?

Two to three pages. Long policies go unread. Specific and short beats comprehensive and ignored.

How often should we update it?

At least once a year, and whenever regulations change or you adopt a materially new AI use.
