top of page
poppy logo guidelines_edited.png

AI Policy for Your Company: What to Include


Your employees are already using AI tools—with or without official guidance. ChatGPT, Copilot, various AI features built into everyday software. The question isn't whether AI is in your workplace; it's whether usage is governed appropriately.


An AI policy provides the framework for responsible use. Here's what it should include.


Why Your Company Needs an AI Policy


The Risk of No Policy


Without clear guidelines:


  • Employees enter sensitive data into unknown AI systems

  • Outputs go unreviewed into customer-facing work

  • Legal exposure accumulates without awareness

  • Quality varies dramatically across the organization

  • People don't use helpful tools out of uncertainty


The Purpose of Policy


Good AI policy isn't about restriction. It's about:


  • Enabling confident, responsible use

  • Protecting the organization from risk

  • Ensuring quality standards

  • Creating clarity for employees

  • Establishing accountability


Core Components of Your AI Policy Template


Include these essential elements:


1. Scope and Definitions


What it covers:

  • Which AI tools fall under this policy

  • Whether it applies to all employees or specific roles

  • How it relates to other technology policies

Key definitions:

  • What counts as "AI tools" for policy purposes

  • What counts as "company data"

  • What constitutes "business use"


Clear scope prevents arguments about applicability.


2. Approved Tools


Specify what's sanctioned:


  • Explicitly approved tools (ChatGPT, specific enterprise solutions, etc.)

  • Tools requiring specific approval before use

  • Tools explicitly prohibited

  • Process for requesting new tool approval


Why this matters: Employees need to know what's allowed without asking permission for every use case.


3. Data Guidelines


What can be input to AI systems:

  • Acceptable: General knowledge questions, publicly available information, properly anonymized data

  • Requires approval: Customer information, financial data, strategic plans

  • Prohibited: Personal identifiable information, confidential agreements, trade secrets, credentials

What to watch for:

  • Data retention by AI providers

  • Training data usage

  • Cross-border data transfer implications


This section protects your most sensitive information.


4. Quality and Review Requirements


When human review is required:

  • Customer-facing communications

  • Legal or compliance-related content

  • Financial figures and projections

  • Technical documentation

  • Anything going to senior leadership or external parties

Review standards:

  • Fact verification expectations

  • Editing requirements

  • Approval workflows


AI outputs shouldn't go directly to customers or critical uses without human validation.


5. Disclosure and Attribution


When to disclose AI assistance:

  • Internal communications: Often not required

  • External communications: Depends on context and industry

  • Published content: Consider transparency expectations

  • Client work: May depend on agreements

How to disclose:

  • Acceptable disclosure language

  • Where disclosure should appear

  • Documentation requirements


Transparency expectations vary by situation.


6. Intellectual Property Considerations


Key questions:

  • Who owns AI-generated content?

  • How does AI use affect IP in your outputs?

  • What about AI-assisted code or designs?

  • Are there industry-specific IP concerns?

Guidance needed:

  • How to handle AI in proprietary work

  • Client deliverable considerations

  • Patent and trademark implications


IP issues are evolving—your policy should acknowledge uncertainty while providing workable guidance.


7. Roles and Responsibilities


Define accountability:

  • Who approves AI tool usage

  • Who owns policy maintenance

  • Who addresses violations

  • Who answers questions

Support structure:

  • Where to get help

  • Escalation procedures

  • Training resources


People need to know who to ask.


8. Compliance and Consequences


Monitoring approach:

  • How is compliance assessed

  • What's tracked and audited

  • Privacy considerations in monitoring

Violation handling:

  • Severity categories

  • Response procedures

  • Consequences spectrum


Policy without accountability doesn't work.


Policy Development Process


Step 1: Assess Current State


Before writing policy, understand:


  • What AI tools are already in use

  • What data is flowing into AI systems

  • What concerns exist among employees and leadership

  • What industry-specific requirements apply


Step 2: Involve Stakeholders


Include perspectives from:


  • Legal (risk and compliance)

  • IT (security and infrastructure)

  • HR (employee relations and training)

  • Business leaders (practical application)

  • Actual users (ground-level reality)


Step 3: Balance Security and Enablement


Overly restrictive policy:

  • Drives usage underground

  • Prevents beneficial adoption

  • Creates resentment

Overly permissive policy:

  • Exposes organization to risk

  • Creates quality problems

  • Lacks meaningful guidance


Find the balance that enables responsible use.


Step 4: Write for Your Audience


Policy should be:


  • Clear and accessible

  • Practical and actionable

  • Free of unnecessary jargon

  • Easy to reference when needed


Complicated policy doesn't get followed.


Step 5: Plan for Evolution


AI capabilities and risks change rapidly. Build in:


  • Regular review schedule

  • Update procedures

  • Feedback mechanisms

  • Version tracking


Your policy should evolve as the technology does.


Implementation Considerations


Communication Plan


Policy alone doesn't create compliance. You need:


  • Clear announcement and explanation

  • Training on policy implications

  • Easy access to policy document

  • Q&A opportunities


Integration With Training


Policy and training should connect:


  • Training references policy requirements

  • Policy provides foundation for training

  • Both reinforce each other


Ongoing Reinforcement


After initial rollout:


  • Manager reinforcement

  • Regular reminders

  • Inclusion in onboarding

  • Updates as needed


Common Policy Mistakes


Too Restrictive

"Don't use AI for anything" drives usage underground and prevents legitimate value capture.


Too Vague

"Use AI responsibly" without specifics provides no actual guidance.


Not Communicated

Policy nobody knows about might as well not exist.


Never Updated

Policies written for 2023 AI don't address 2026 capabilities.


No Support Structure

Policy without resources for questions creates frustration.


Need help developing your AI policy? We'll help you create practical guidelines that enable responsible AI use. Free consultation.


bottom of page