There are two types of companies that claim to have an AI usage policy. Those whose document was downloaded from the Internet, translated, signed and never read by the team. And those who built something themselves, from their own reality, that the team actually uses.
The difference is not in the format or the file extension; it is in the process.
This guide explains what an AI usage policy really is, what it should include so that it is of some use, and how to build it with the team so that it does not end in a drawer.
An AI policy that the team does not know is not a policy. It is a document that protects the company on paper but not in practice.
What is and what is not an AI use policy
An AI usage policy is the document that establishes how your organization has decided to use artificial intelligence: with what tools, for what, with what data, under what responsibilities and with what limits.
It is not a technical manual on how language models work. It is not a list of recommended tools. It is not a corporate values statement on AI. And it is not a document that is signed once and not touched for two years.
It is, above all, a position. The company has decided something about AI, has put it in writing and can defend it before its team, its clients or a regulator.
Why do you need a policy even if your company is small?
Exposure to risk does not disappear because the company is small. An SME of twenty people whose sales reps paste customer data into ChatGPT carries the same GDPR exposure for that particular practice as a multinational would.
Since 2 February 2025, Article 4 of the AI Act requires any organization that deploys AI systems to ensure that its staff have a sufficient level of AI literacy. That obligation has no size threshold.
In addition, organizations that can demonstrate how they manage their use of AI are starting to gain a differentiating advantage with the customers, partners and investors who ask. Not having it documented is already an answer, and not the one you would want to give.
The 6 elements that every AI policy must include
1. Scope and purpose
Who the policy applies to (all staff, only certain roles, external suppliers), which types of AI systems it covers (generative AI tools, data analysis systems, automations) and what its objective is. It is not a list of prohibitions; it is a framework for making decisions with clear criteria.
2. Approved tools and approval process
Which AI tools the team may use at work, under what conditions (Enterprise versus free tier, required privacy settings such as excluding prompts from model training) and how to request approval for a new tool. Without this section, each person makes their own decisions about tools that have collective implications.
3. Classification of data and restrictions
Which data may be processed with AI tools and which may not. At a minimum: personal data of clients or employees may not be fed to external tools without a data processing agreement in place with the provider (Article 28 GDPR); confidential business information requires tools with contractual confidentiality guarantees. This is the section that most directly prevents the kind of incident described in the article on customer data and ChatGPT.
4. Outputs responsibilities
Who is responsible for verifying that the output of an AI tool is correct before it is used. The policy must make clear that the AI can make mistakes and that using its output without verification is the responsibility of the person using it, not of the tool. This includes: not sending AI-generated proposals without human review, and not using AI for decisions that require human judgment (about people, strategy, values) without supervision.
5. Transparency and declaration
When and how the company, or its employees, declare that AI was used in a deliverable. This varies with the context: an internal report does not require the same as a proposal to a client or an external publication. The policy draws those lines.
6. Incident management
What the company does when it detects a use that does not comply with the policy: who reports it, who decides and what the consequences are. Without this section, the policy has no real enforcement mechanism.
How to build it with the team and not just for the team
A policy imposed from above that the team does not understand and has not validated has a very short useful life. What works is a participatory process, even a brief one:
Step 1 — Diagnosis: Before writing anything, understand which AI tools the team already uses, for what and with what data. That gives you the real basis on which to build.
Step 2 — Define criteria with key managers: The CEO, the IT manager and a business manager should be able to answer the questions in the six sections together. The policy emerges from that conversation, not from a template.
Step 3 — Write and validate: The document is written, shared with those it will affect, and room is left for questions and adjustments before it is published.
Step 4 — Communicate and implement: The policy is presented to the team with context: why it exists, what changes and what does not change. Not as a legal notice, but as an explained decision.
Step 5 — Review periodically: AI changes. The policy must have a review date (at least annually) and a named owner responsible for updating it when there are relevant changes in the tools the company uses or in the regulations.
The policy emerges from the conversation with the team, not from a template downloaded from the Internet.
Frequent errors when creating an AI policy
Copying a generic template without adapting it to the reality of the company. The result is a document that does not reflect the team's actual uses and that no one can apply.
Making it so restrictive that no one complies: a policy that prohibits all use of AI in a company where the team already uses it daily produces silent non-compliance; the usage continues, only without anyone admitting it.
Not assigning an owner: if no one knows who updates the policy when tools or regulations change, the policy ages quickly.
Confusing the policy with training: the policy says what. Training explains why and how. Both are necessary and neither replaces the other.
Frequently Asked Questions
What should an AI use policy include for a business?
An AI usage policy should include: which tools are approved, which data may be used with AI, who can approve new tools, what responsibility each person has for the AI outputs they use, and how an incident is handled. Without these elements the document is not a policy; it is a declaration of intent.
How long does it take to create an AI policy for a company?
A basic operational policy, built with the management team, can be ready in 2 to 4 weeks of actual work. Projects that drag on for months are usually blocked because they have no clear owner or no defined process.
Can an SME have an AI policy or is it only for large companies?
Any organization that uses AI tools needs criteria for how it does so. For an SME the policy can be shorter and more direct, but the essential elements are the same. Exposure to risk does not go away because the company is small.