AI Acceptable Use Policy template download

1. Purpose and Scope

1.1 Purpose

This policy establishes clear guidelines for the acceptable use of artificial intelligence (AI) tools within [Organisation Name]. Its purpose is to:

• Enable employees to use AI tools productively and confidently, with clear boundaries
• Protect customer data, employee privacy, intellectual property, and commercially sensitive information
• Ensure compliance with UK data protection legislation (UK GDPR, Data Protection Act 2018, Data Use and Access Act 2025)
• Address the ICO's five core principles for AI governance: safety, transparency, fairness, accountability, and contestability
• Prevent shadow AI by providing clear, approved alternatives to unapproved tools

1.2 Scope

1.2.1 Who This Policy Applies To

This policy applies to all:

• Full-time and part-time employees
• Contractors and freelancers working on behalf of [Organisation Name]
• Temporary and agency workers
• Directors and senior leadership
• Volunteers (where applicable)

1.2.2 What This Policy Covers

This policy covers all AI tools and services, including but not limited to:

• Standalone AI applications: ChatGPT, Claude, Google Gemini, Midjourney, DALL-E, and similar services accessed via web browser or app
• Embedded AI features: Microsoft 365 Copilot, Grammarly, Adobe Firefly, GitHub Copilot, and AI features built into existing software
• Custom AI tools: Any AI models, chatbots, or automation tools built or deployed specifically for [Organisation Name]
• AI-powered search: AI-enhanced search features in Bing, Google, and other platforms

1.2.3 Related Policies

This policy should be read alongside:

• [Data Protection / Privacy Policy]
• [IT Acceptable Use Policy]
• [Information Security Policy]
• [Intellectual Property Policy]
• [Confidentiality / NDA Agreements]
• [Social Media Policy]

1.3 Edge Cases and Special Circumstances

Edge Case	Your Organisation's Position
Contractors and freelancers	[e.g., Must comply with this policy. AI policy compliance to be included in contractor agreements. Contractors may not use personal AI tool subscriptions for work involving our data.]
Personal devices (BYOD)	[e.g., Approved AI tools may be used on personal devices only if the device meets our minimum security requirements. Free-tier AI tools must not be used on any device for work purposes.]
Remote workers	[e.g., Same policy applies regardless of location. Remote workers must use VPN when accessing AI tools with amber-classified data.]
Embedded AI features	[e.g., AI features embedded in approved software (e.g., Smart Compose in Gmail, Copilot in M365) are approved by default under the same data classification rules as the host software.]
AI for personal learning	[e.g., Employees may use approved AI tools for professional development during work hours, provided no confidential data is entered. We encourage completion of the UK Government's free AI Skills Boost programme.]
Client-facing vs internal use	[e.g., Higher review requirements apply to client-facing AI outputs. All client-facing content must be reviewed by account lead before delivery. Internal use follows standard review requirements.]
International teams	[e.g., Team members operating in the EU must also comply with EU AI Act requirements. The most stringent applicable requirement applies. Contact compliance team for guidance.]

2. Approved AI Tools

2.1 Approved Tools Register

Tool	Subscription Tier	Approved For	Data Restrictions	Review Required?
[e.g., Microsoft 365 Copilot]	[e.g., Business Premium licence]	[e.g., All departments]	[e.g., Green and amber data only]	[e.g., Yes, for client-facing outputs]
[e.g., ChatGPT]	[e.g., Team account only - NOT personal free accounts]	[e.g., All departments]	[e.g., Green data only]	[e.g., Yes, for external communications]
[e.g., GitHub Copilot]	[e.g., Business licence]	[e.g., Engineering only]	[e.g., Internal code only, no client code]	[e.g., Yes, all outputs must pass code review]
[e.g., Midjourney]	[e.g., Pro plan]	[e.g., Marketing only]	[e.g., Non-client-facing concept work only]	[e.g., No, for internal concepts; yes, for published content]

2.2 Tools Not on This List

Any AI tool not listed in Section 2.1 is not approved for use with any work-related data or tasks. If you believe a tool should be added, submit an evaluation request using the process below.

2.3 New Tool Approval Process

To request approval for a new AI tool:

1. Complete the AI Tool Evaluation Form (Appendix B)
2. Submit to [email address / form link / person]
3. Evaluation will be completed within [5 business days]
4. You will receive a written decision: approved, conditionally approved, or not approved, with reasoning

Evaluation criteria include:

• Data handling and retention policies of the tool provider
• Whether the tool trains on user input data
• Compliance with UK GDPR requirements
• Security certifications (SOC 2, ISO 27001, or equivalent)
• Business justification and expected benefit
• Whether an existing approved tool can meet the same need
• Data residency and transfer locations (e.g., does the tool process or store data outside the UK/EEA without a valid transfer mechanism?)

2.4 Transitioning Existing Unapproved Tools (The Amnesty Period)

We recognise that in the absence of a clear policy, employees may have used unapproved AI tools to maintain productivity. For the first 30 days following the publication of this policy, we are operating an amnesty period:

• You may declare any unapproved AI tools you have been using to [IT contact / email / form] without risk of disciplinary action
• IT will evaluate declared tools for official approval and help you transition your workflows to approved alternatives where needed
• Any data exposure risks identified during this period will be treated as learning opportunities, not policy breaches
• After the amnesty period ends on [date], continued use of unapproved tools will be subject to the breach consequences in Section 10

3. Prohibited Uses

3.1 Absolute Prohibitions

The following uses of AI tools are prohibited under all circumstances, regardless of which tool or subscription tier:

Prohibition	Examples	Why
Entering special category personal data	Health records, ethnic origin, political opinions, religious beliefs, trade union membership, biometric data, sexual orientation	UK GDPR Article 9 imposes heightened protections; DUAA 2025 maintains restrictions for special category data in automated decisions
Entering customer financial data	Bank account numbers, payment card details, credit scores, salary information	Financial data requires specific legal bases for processing and heightened security controls
Entering authentication credentials	Passwords, API keys, access tokens, encryption keys, security certificates	Credentials entered into AI tools may be stored, logged, or exposed through data breaches
Entering legally privileged material	Legal advice, litigation strategy, settlement discussions, regulatory correspondence	Legal privilege may be waived if privileged material is shared with third-party AI tools
Making automated decisions about people without human review	Hiring decisions, performance ratings, disciplinary actions, credit decisions, customer risk scoring	UK GDPR and DUAA 2025 require meaningful human involvement in decisions significantly affecting individuals
Creating misleading or deceptive content	Deepfakes, impersonation of real people, fabricated testimonials, fake reviews	Legal liability under consumer protection, defamation, and fraud laws
Using AI outputs in regulatory submissions without senior review	Tax returns, regulatory filings, statutory declarations, compliance reports	AI tools generate plausible but sometimes inaccurate content; regulatory submissions require verification

3.2 Conditional Restrictions

The following uses require manager approval before proceeding:

• Entering confidential (amber-classified) data into approved business-grade tools
• Using AI-generated content in client deliverables
• Using AI to draft communications to regulators or government bodies
• Using AI to analyse employee performance data (even if anonymised)
• [Add organisation-specific conditional restrictions]

3.3 When in Doubt

If you are unsure whether a specific use case is permitted, do not avoid the tool entirely. Instead, contact [designated contact / email / channel] for guidance. We aim to respond within [1 business day].

4. Data Classification

4.1 Data Classification Framework

Classification	Description	Examples	AI Tool Rules
GREEN (Open)	Information that is already public or has no confidentiality requirement	Published marketing content, press releases, public website copy, job adverts, general industry knowledge	May be entered into any approved AI tool, any tier. No prior approval needed.
AMBER (Restricted)	Internal information that could cause harm if disclosed but is not subject to heightened legal protection	Internal meeting notes, project plans, process documentation, anonymised performance data, draft strategies, internal communications, standard B2B business contact information (e.g., a client's work email address)	May be entered into approved business-grade tools only (e.g., Microsoft Copilot Enterprise, ChatGPT Team/Enterprise). Not free-tier tools. Manager approval recommended for sensitive items.
RED (Prohibited)	Information subject to heightened legal protection, contractual confidentiality, or significant business sensitivity	Sensitive personal data (e.g., consumer details, home addresses), special category data, customer financial data, health records, employee personal data, trade secrets, proprietary algorithms, passwords, legal advice, contractual terms	Must never be entered into any AI tool under any circumstances. If AI analysis is needed, data must first be fully anonymised (see Section 4.2).

4.2 Anonymisation Guidance

You may use AI tools to analyse data that would otherwise be classified as red, provided you first remove all identifying information. Effective anonymisation means a reasonable person could not identify any individual or organisation from the data.

Before Anonymisation (DO NOT enter)	After Anonymisation (May enter into approved tools)
"Customer John Smith (account 12345) complained about delivery delays to Manchester on 15 March"	"A customer complained about delivery delays to a northern city in mid-March"
"Sarah Jones in Finance earned £45,000 last year and received a 3% raise"	"A mid-level finance employee earned between £40k-50k and received a standard annual increase"
"Our contract with Acme Ltd includes a 12% discount on orders over £50,000"	"Our supplier agreements typically include volume discounts of 10-15% on large orders"

4.3 Common Anonymisation Mistakes

• Removing only names - dates, locations, job titles, and transaction amounts can still identify individuals when combined
• Confusing pseudonymisation with anonymisation - replacing "John Smith" with "Employee A" is pseudonymisation, not anonymisation; the data is still personal data under UK GDPR
• Anonymising one dataset but not another - if your anonymised dataset can be cross-referenced with another dataset to identify individuals, it has not been effectively anonymised
• Assuming AI won't infer identity - AI tools can sometimes infer identity from contextual clues that humans might not notice

4.4 Data Classification Decision Aid

If you are unsure how to classify data, use this quick test:

1. Is it already publicly available? → GREEN
2. Could it identify a specific person? → RED (unless anonymised)
3. Is it subject to a confidentiality agreement? → RED
4. Would disclosure cause significant commercial harm? → RED
5. Is it internal but not sensitive? → AMBER
6. Still unsure? → Treat as AMBER and seek guidance from [designated contact]

5. Human Oversight Requirements

5.1 Mandatory Human Review

AI-generated content must be reviewed by a qualified human before being:

Output Type	Reviewer	Review Requirements
Content sent to clients or external stakeholders	[e.g., Line manager or account lead]	Check accuracy, tone, and appropriateness. Verify any factual claims against primary sources.
Published content (website, social media, marketing)	[e.g., Marketing manager or content lead]	Full editorial review including brand alignment, factual accuracy, and disclosure requirements.
Financial analysis or recommendations	[e.g., Finance director or qualified accountant]	Verify calculations independently. Cross-check against source data. AI-generated financial figures must never be trusted without verification.
Legal or compliance content	[e.g., Legal counsel or compliance officer]	Senior review required. AI-generated legal advice is not a substitute for qualified legal counsel.
Decisions affecting individuals (hiring, performance, customer scoring)	[e.g., Senior manager with HR]	Document whether AI recommendation was accepted, modified, or overridden, with reasoning. Required under DUAA 2025.
Code and technical outputs	[e.g., Senior developer]	Standard code review process. Check for security vulnerabilities, licensing issues, and correctness.
Autonomous actions (Agentic AI) executing workflows (e.g., sending emails, making purchases, altering database records)	[e.g., IT security lead]	AI agents must never be granted autonomous "write" or "send" permissions without explicit IT security clearance. All AI agents must operate in "human-in-the-loop" (draft only) mode by default.

5.2 Uses That Do Not Require Prior Review

The following uses of approved AI tools do not require prior review:

• Brainstorming and idea generation for internal purposes
• Drafting internal emails or messages (where the employee reviews before sending)
• Researching general (non-confidential) topics
• Summarising publicly available information
• Grammar and spelling checks on your own writing
• Learning and professional development activities
• [Add organisation-specific permitted uses]

5.3 Guarding Against Automation Bias

Automation bias occurs when human reviewers defer to AI recommendations without meaningful scrutiny. When reviewing AI outputs, you should:

• Treat AI outputs as a first draft, not a finished product
• Verify factual claims against primary sources - AI tools can present false information confidently
• Question whether the AI's recommendation makes sense given your professional knowledge
• Be aware that AI outputs may contain outdated information, biases from training data, or logical errors
• Document your review, including any changes made, for audit purposes
• If you almost never override an AI recommendation, examine whether you are conducting genuine review or simply approving outputs by default

6. Transparency and Disclosure

6.1 When Disclosure Is Required

You must disclose that AI tools were used in the following situations:

• Client deliverables where AI substantially contributed to the content (not just minor editing or grammar checks)
• Published content (blogs, reports, white papers) where AI generated significant portions of the text
• Recruitment decisions where AI tools were used to screen, score, or rank candidates
• Any decision affecting an individual where automated processing contributed to the outcome (required under DUAA 2025)
• [Add organisation-specific disclosure requirements]

6.2 When Disclosure Is Not Required

You do not need to disclose AI use for:

• Grammar and spelling checks
• Internal brainstorming and idea generation
• Research and information gathering for your own use
• Minor editing or reformatting of your own writing

6.3 Intellectual Property

All AI-generated content created using [Organisation Name]'s tools, accounts, or data is the property of [Organisation Name], not the individual employee.

Employees should be aware that:

• While UK law (CDPA 1988 s.9(3)) provides some protection for computer-generated works, content generated entirely by AI may not be eligible for copyright protection if it lacks sufficient human originality, and this protection is often not recognised internationally
• AI tools may generate content that inadvertently infringes third-party intellectual property - following the principles from the Getty Images v Stability AI litigation, prompting AI to reproduce copyrighted styles or works creates infringement risk
• Human review of AI outputs should include a check for potential IP issues (e.g., content that closely resembles known copyrighted works)
• Do not rely on AI-generated content as core intellectual property without understanding that ownership may be contested

7. Incident Reporting

7.1 What to Report

Report any of the following to [email address / person / channel]:

• Accidental entry of red-classified data into an AI tool
• Discovery that an AI output contained inaccurate information that was or could have been shared externally
• Use of an unapproved AI tool for work purposes
• Suspicion that AI-generated content has been published without required review
• Discovery of a data breach related to AI tool usage
• Any situation where you believe this policy has been violated (by yourself or others)

7.2 How to Report

You can report AI-related incidents through any of these channels:

• Email: [incident reporting email]
• Form: [link to incident report form]
• In person: Speak confidentially with [designated person / department]

7.3 What Happens After a Report

1. All reports will be acknowledged within [1 business day]
2. An investigation will assess what happened, the potential impact, and root causes
3. Findings will be documented and, where appropriate, used to update this policy or improve training
4. The reporter will be informed of the outcome and any actions taken
5. Significant incidents will be logged in a central register for pattern analysis

8. Training Requirements

8.1 Mandatory Training

Training	Who	When	Duration
AI Foundations Briefing	All staff	Within 30 days of this policy's effective date (or within 30 days of joining)	[e.g., 30 minutes]
Role-Specific AI Training	Staff in departments using AI tools	Within 60 days of this policy's effective date	[e.g., 1 hour per department]
Annual Refresher	All staff	Annually, aligned with policy review cycle	[e.g., 20 minutes]
Data Classification Workshop	Managers and team leads	Within 30 days of this policy's effective date	[e.g., 45 minutes]

8.2 Training Content

The AI Foundations Briefing covers:

• What AI tools are, how they work at a high level, and their limitations
• This policy's key requirements: approved tools, data classification, prohibited uses
• How to identify and report policy concerns
• Where to get help and ask questions

Role-Specific Training covers:

• Which approved tools are relevant to the department's work
• Specific use cases and worked examples for the department
• Data classification decisions common to the department's data
• Review requirements specific to the department's outputs

8.3 Free Resources

The UK Government offers free AI foundations training as part of its goal to upskill 10 million workers by 2030. Employees are encouraged to supplement organisational training with these resources for professional development.

9. Review Schedule and Version Control

9.1 Review Cycle

This policy will be formally reviewed:

• Every six months (at minimum), with the next scheduled review on [date]
• Whenever a new AI tool is deployed across the organisation
• Whenever relevant UK legislation or ICO guidance changes
• Following any significant AI-related incident

9.2 Policy Owner

This policy is owned by [Name, Role], who is responsible for maintaining, reviewing, and communicating updates. Feedback and improvement suggestions should be directed to [email address].

9.3 Change Log

Version	Date	Author	Summary of Changes
1.0	[Date]	[Name]	Initial policy published
[1.1]	[Date]	[Name]	[Summary of changes]

10. Breach Consequences

10.1 Graduated Response Framework

Level	Situation	Typical Response
Level 1 Unintentional	First-time violation due to misunderstanding, lack of training, or genuine mistake. Self-reported.	Informal guidance, additional training on relevant policy section, documentation of incident for learning purposes.
Level 2 Repeated or Negligent	Second violation, or first violation where the employee should reasonably have known the policy. Not self-reported.	Formal written warning, mandatory policy retraining, temporary restriction on AI tool access pending completion of training.
Level 3 Serious	Deliberate violation, or any violation involving regulated personal data, customer harm, or significant commercial risk.	Formal disciplinary action in accordance with [Organisation Name]'s disciplinary procedure, which may include suspension or termination of employment.

Appendix A: 30-Day Implementation Plan

Week 1: Audit and Discovery (Days 1-7)

Day	Action	Owner	Output
1-2	Survey all departments: which AI tools are currently in use (including personal/unapproved tools)?	[IT / Compliance]	AI tool usage inventory
3-4	Review existing policies (data protection, IT acceptable use, confidentiality) for potential conflicts with AI policy	[Compliance / Legal]	Policy conflict analysis
5-7	Classify organisational data into green/amber/red categories. Identify which data types each department handles.	[Department heads + IT]	Completed data classification table

Week 2: Draft and Review (Days 8-14)

Day	Action	Owner	Output
8-10	Customise this template: populate approved tools register, data classifications, and organisation-specific sections	[IT + Compliance]	Draft AI policy v0.1
11-12	Review draft with leadership team. Check alignment with business objectives and risk appetite.	[Senior leadership]	Leadership-approved draft v0.2
13-14	Legal review (if applicable). Ensure consistency with employment contracts and regulatory obligations.	[Legal advisor]	Final policy v1.0

Week 3: Communication and Training (Days 15-21)

Day	Action	Owner	Output
15	All-hands communication: announce the new policy. Explain the purpose (enable, not restrict). Share the document.	[Senior leader / CEO]	Policy announcement
16-18	Deliver AI Foundations Briefing to all staff (can be done in department groups)	[IT / Training lead]	Training completion records
19-21	Deliver role-specific training to departments that use AI tools regularly	[Department leads + IT]	Department-specific training completion

Week 4: Verify and Refine (Days 22-30)

Day	Action	Owner	Output
22-24	Department heads verify: all team members have completed training, approved tools are correctly configured, reporting channels are operational	[Department heads]	Compliance verification checklist
25-27	Collect feedback from employees: what's unclear? What's impractical? What use cases aren't covered?	[Compliance / HR]	Feedback log
28-30	Address feedback, update policy if needed (issue v1.1), document lessons learned, set next review date	[Policy owner]	Updated policy + review calendar

Appendix B: AI Tool Evaluation Form

Field	Response
Requested by	[Name, Department]
Date requested	[Date]
Tool name and provider	[e.g., Claude by Anthropic]
Subscription tier requested	[e.g., Team plan]
Intended use case	[What will it be used for?]
Department(s) that will use it	[Which teams?]
Estimated number of users	[Number]
What data will be entered?	[Green / Amber / Red classification]
Why can't an existing approved tool meet this need?	[Justification]
Does the provider retain user input for training?	[Yes / No / Depends on tier]
Provider security certifications	[SOC 2, ISO 27001, etc.]
Cost per user per month	[Amount]

Evaluation Decision

Decision	[Approved / Conditionally Approved / Not Approved]
Conditions (if applicable)	[Any restrictions or requirements]
Evaluated by	[Name, Role]
Date decided	[Date]

Appendix C: Glossary

Term	Definition
AI (Artificial Intelligence)	Technology that enables computers to perform tasks that typically require human intelligence, such as understanding language, generating text, analysing data, or creating images.
Generative AI	AI systems that can create new content (text, images, code, audio) based on patterns learned from training data. Examples include ChatGPT, Claude, Midjourney, and Microsoft Copilot.
Shadow AI	The use of AI tools by employees without organisational knowledge or approval. Often driven by lack of approved alternatives or overly restrictive policies.
Hallucination	When an AI tool generates information that sounds authoritative but is factually incorrect. AI tools do not "know" things - they predict likely responses, which can include plausible but false statements.
Automation Bias	The tendency for humans to defer to AI recommendations without sufficient critical scrutiny, particularly when the AI output is presented with confidence.
Data Anonymisation	The process of removing personally identifiable information from data so that individuals cannot be identified from the remaining information.
UK GDPR	The UK General Data Protection Regulation, the primary UK law governing the processing of personal data. Retained from EU law and supplemented by the Data Protection Act 2018.
DUAA 2025	The Data Use and Access Act 2025, UK legislation that reformed automated decision-making requirements, shifting from prohibition-based to principles-based governance with mandatory ex-post safeguards.
Special Category Data	Personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic or biometric data, health data, or sexual orientation. Subject to heightened protections under UK GDPR Article 9.
Conscientious Worker Penalty	The phenomenon where vague AI policies cause cautious employees to avoid AI entirely while less cautious employees use it without safeguards, resulting in worse outcomes than a clear, permissive policy.
Agentic AI	AI systems that can autonomously plan, execute, and adapt actions to achieve goals with minimal human intervention. The ICO confirmed in January 2026 that agentic systems remain fully subject to UK GDPR. Policies should be reviewed as agentic AI becomes more prevalent in workplace tools.

Appendix D: Sign-Off

By signing below, the parties confirm that they have reviewed this AI Acceptable Use Policy and approve it for implementation across [Organisation Name].

Policy Owner Sign-Off

Name:
Role:
Signature:
Date:

Senior Leadership Sign-Off

Name:
Role:
Signature:
Date: