Compliance guide
AI Acceptable Use Policy Template
An AI acceptable use policy sets the rules for how your business and its people use AI tools such as ChatGPT, Copilot and Gemini safely, securely and responsibly. With customers and security reviews increasingly asking "do you have an AI policy?", this guide gives you a free template, sample wording, and a path to a portal-ready version.
Key takeaways
- An AI acceptable use policy (AI AUP) tells your people which AI tools they can use, for what, and what's off-limits.
- Its biggest job is preventing confidential, personal or customer data from being pasted into public AI tools.
- It's fast becoming a standard ask in vendor security reviews, procurement and tenders, so having one is a competitive advantage.
- Emerging frameworks to reference include the EU AI Act, ISO/IEC 42001 (AI management systems) and the NIST AI Risk Management Framework.
- Write your own from the template below, or have a tailored, portal-ready document done for you.
What is an AI acceptable use policy?
An AI acceptable use policy (sometimes called an AI use policy or AI acceptable use statement) is an internal document that sets out how your people may, and may not, use artificial intelligence tools in their work. It covers approved tools, acceptable and prohibited uses, data protection, accuracy, and who is responsible.
It's the AI-specific cousin of a general acceptable use or IT policy, written for the unique risks of generative AI: data leakage, inaccurate or fabricated outputs, intellectual property, and bias.
Why your business needs one
- Data protection: the single biggest risk is staff pasting confidential, personal or customer data into public AI tools. A policy draws the line clearly.
- Procurement and security reviews: customers increasingly ask suppliers whether they have an AI use policy before sharing data or awarding work.
- Accuracy and accountability: AI can produce confident, wrong answers; a policy requires human review before outputs are relied on.
- Consistency: it gives every worker the same rules instead of everyone guessing what's allowed.
Allowed vs prohibited: quick examples
Concrete examples land with a team far better than abstract rules. Adapt this to your tools:
| Task | Public AI tool | Approved / enterprise tool |
|---|---|---|
| Draft a blog post or generic email | Fine (no sensitive data) | Fine |
| Summarise a public document | Fine | Fine |
| Summarise a customer contract | Not allowed | Allowed if approved |
| Enter personal or customer data | Never | Only if contractually permitted |
| Generate code for internal tools | Review before use | Review before use |
| Make a hiring or credit decision | Never without human review | Never without human review |
What to include: AI acceptable use policy template structure
Adapt this outline to your business. Keep it practical so people actually follow it:
- Purpose and scope: why the policy exists, who it applies to (staff, contractors), and which tools it covers.
- Approved tools: which AI tools are permitted and how new tools get approved.
- Acceptable uses: the kinds of tasks AI may be used for (drafting, summarising, brainstorming).
- Prohibited uses: never enter confidential, personal or customer data into public AI; no use for decisions that need human judgement without review.
- Data protection and confidentiality: rules for handling sensitive information and using enterprise vs public tools.
- Accuracy and human oversight: AI output must be checked by a person before it's relied on or published.
- Intellectual property: ownership of inputs and outputs, and respecting third-party IP and copyright.
- Bias, fairness and ethics: awareness that AI can produce biased or unfair results.
- Transparency: when and how to disclose that AI was used.
- Responsibilities: who owns the policy and who to ask for guidance.
- Breaches: the consequences of misuse.
- Training and review: how people are trained and how often the policy is reviewed (AI moves fast).
Sample policy statement
Download the editable AI acceptable use policy template
Drop your email below and we'll send the complete AI acceptable use policy template (Word and PDF) for you to brand, tweak and sign.
How to write and roll out your AI policy
A policy only works if people know the rules and the rules keep up with the tools.
1. Decide your approved tools: list the AI tools you allow and whether staff use enterprise or public versions, then set a path to approve new ones.
2. Draw the data line: be explicit about what information must never be entered into public AI tools.
3. Require human review: state that AI output must be checked by a person before it's published or relied on.
4. Cover IP and disclosure: set rules on ownership of outputs, respecting copyright, and when to disclose AI use.
5. Train your team: share the policy at induction and refresh it as tools and risks change.
6. Approve and review often: have it signed and dated, and review it more frequently than a typical policy, because AI changes fast.
Free template vs done-for-you document
Two ways to land your AI policy: adapt the free template yourself, or have one written around your actual tools and ready for a customer security review.
| | Free template | Done-for-you document |
|---|---|---|
| Price | £0 | Fixed fee |
| Effort from you | A couple of hours editing | A short intake form |
| Built around your AI tools | You list them | Done for you |
| EU AI Act / NIST references | You add them | Mapped for you |
| Security-review ready | Format it yourself | Supplied as a clean PDF |
| If a reviewer pushes back | You fix it | We revise it free |
Prefer your AI policy done for you?
Tell us which AI tools your team uses and we'll prepare a tailored, ready-to-sign AI acceptable use policy built to satisfy customer security reviews.
Requests for the AI acceptable use policy are reviewed and prepared manually; we'll follow up by email.