How to Build an AI Acceptable Use Policy (With Free Template)
An AI acceptable use policy is a short written document that defines which AI tools your employees may use, what data they may submit to AI tools, and how violations are handled. A good AUP is one page when possible, no more than two pages, and is paired with a technical enforcement layer so it is not just an unread intranet document. Below is a practical guide to building one, and a free downloadable AI acceptable use policy template you can adopt today.
A written AUP is the cheapest, fastest control in any AI governance program. It is also a prerequisite for the technical and audit controls that follow. Skip it and the whole program weakens.
What an AI Acceptable Use Policy Covers
A complete AUP answers six questions:
- What is in scope? Which employees, contractors, devices, and accounts does the policy apply to?
- Which AI tools are approved? A specific list with the categories of work each is approved for.
- What data is prohibited? The specific data categories that must never be submitted to any AI tool, approved or otherwise.
- How are personal accounts handled? Whether work activity through personal AI accounts is permitted (almost always: no).
- How is the policy monitored? Whether AI tool usage is monitored on company devices and how employees are informed.
- What happens when the policy is violated? Specific consequences scaled by severity.
If your AUP answers all six, you have the policy pillar of AI governance covered.
The Structure of a Strong AUP
Here is the structure we use in our free AI acceptable use policy template:
Section 1: Purpose
A one-paragraph statement of why the policy exists. Keep it grounded in concrete outcomes (data protection, compliance, intellectual property) rather than abstract values.
Section 2: Scope
Who and what the policy applies to. Should include: all employees and contractors, all company devices, personal devices when accessing company data, and both web-based and desktop AI applications.
Section 3: Definitions
Define the terms you will use throughout. Critical: define “Approved AI Tool,” “Sensitive Data,” “Regulated Data,” and your data classification levels. Pulling these from your existing data classification policy keeps everything consistent.
Section 4: Approved AI Tools
A table listing the specific AI tools your organization approves, what each is approved for, and confirmation that a DPA is on file. This table will change more often than the rest of the policy, so design for that: keep it as a separately versioned appendix with its own owner, so an added or removed tool does not require re-approving and re-acknowledging the whole document.
Examples of common entries:
- Microsoft Copilot for M365, approved for internal document drafting, DPA on file
- GitHub Copilot Business, approved for code assistance, DPA on file
- ChatGPT Enterprise, approved for general productivity, DPA on file
Section 5: Prohibited Data
The data categories that must never be submitted to AI tools without specific written approval. This typically includes: PII, PHI, payment card data, credentials, confidential source code, materially non-public information, privileged communications, and any data classified Confidential or Restricted.
Section 6: Personal Accounts
The clearest single rule in the policy: work activity through personal AI accounts is not permitted. All AI use for company work must be on company-provisioned accounts on Approved Tools.
Section 7: Monitoring
The acknowledgement that AI tool usage on company devices is monitored. Important: laws around employee monitoring vary by jurisdiction. Have HR and legal review this section for the countries and US states you operate in.
Section 8: Violations
A scaled consequence structure: training and access restrictions for minor violations, disciplinary action up to termination for severe violations. Be specific here; vague consequences signal that the policy is not serious.
Section 9: Exception Requests
A process for employees to request approval for new AI tools. Without an exception process, employees will simply use the tool quietly. With one, you get a structured pipeline of evaluation requests instead.
Section 10: Review Cycle
Annual review at minimum, with a stated owner. The AI vendor landscape changes faster than most policy domains; a policy that has not been reviewed in two years is stale by default.
Section 11: Acknowledgement
A signature line. Collect acknowledgements through your HR system. Acknowledgement records are part of your audit evidence.
Common Mistakes
We see the same mistakes repeatedly:
Mistake 1: Making the policy too long
A six-page AUP loses readers by page two. The policies that change behavior are short, specific, and skim-friendly. If you cannot fit your AUP on two pages, it is doing too much.
Mistake 2: Listing prohibited tools instead of approved tools
A “prohibited list” approach assumes you can keep up with new AI tools as they launch. You cannot. An approved list with default-deny (anything not on the list is not permitted) is operationally simpler, leaves fewer gaps, and is the same allowlist model your technical controls should enforce.
Mistake 3: No enforcement mechanism
A written policy with no technical enforcement is a known SOC 2 weakness: auditors ask how the policy is enforced, and “we trust employees to follow it” is an uncomfortable answer. Pair the AUP with a technical control that blocks or alerts on unapproved tools and produces audit evidence.
Mistake 4: Forgetting personal accounts
If your AUP does not explicitly cover personal AI accounts, employees will rationalize using them. The single most common shadow AI pattern is “I used my personal ChatGPT account, so it does not count.” Closing this gap in writing is essential.
Mistake 5: Treating the AUP as a one-time document
The AI vendor landscape changes quarterly. Your approved tools list, prohibited data categories, and exception process will all need updating. Build a review cycle into the policy itself.
A Three-Step Rollout
The fastest path from no policy to a working AUP:
- Week 1: Customize the free template with your organization’s specifics. Populate the Approved AI Tools table.
- Week 2: Have legal and HR review. Adjust monitoring language for your jurisdictions.
- Week 3: Roll out via HR. Collect acknowledgements through your HRIS. Pair with a technical enforcement layer.
Most organizations can complete all three in under a month. The policy alone will not close your shadow AI risk, but it is the foundation on which the rest of the program is built.
Pairing the AUP with Technical Controls
A written policy is necessary but not sufficient. The complete picture combines four elements:
- The AUP, the written rules
- An AI governance platform, the technical enforcement
- A vendor inventory, DPAs for every approved AI tool
- Audit logs, evidence the policy is being followed
Each strengthens the others. The AUP without enforcement is unenforceable. The technical platform without a policy lacks the legal foundation. The vendor inventory without DPAs creates compliance gaps. The audit logs without the policy have nothing to map to.
ShadowLock provides the technical enforcement and audit pieces. The AUP is the piece most organizations are missing; it is also the first thing to write and the cheapest piece to deliver.
Frequently Asked Questions
What is an AI acceptable use policy?
An AI acceptable use policy is a written document that defines which AI tools employees may use for work, what data they may submit, and how violations are handled. It is one of the four pillars of AI governance.
Do I need a separate AI policy or can I update my existing AUP?
Either approach works. We recommend a separate AI-specific AUP initially: the AI vendor landscape changes faster than general technology policies, and keeping the AI rules separate makes them easier to update. Some organizations later merge the two once their AI policy stabilizes.
What should an AI acceptable use policy include?
At minimum: scope, definitions, approved tools list, prohibited data, personal account rules, monitoring acknowledgement, violation consequences, exception process, review cycle, and employee acknowledgement. Our free template covers all eleven sections.
Is a policy enough to satisfy SOC 2?
No. SOC 2 auditors increasingly expect technical controls that enforce the written policy and produce audit evidence. A policy is necessary but not sufficient; see our deeper AI data leakage and SOC 2 compliance guide for the control mappings.
How long should an AI acceptable use policy be?
One page if possible, two pages maximum. Longer policies are not read. Shorter policies are more likely to actually shape behavior.
How often should I update my AI policy?
Annually at minimum. Trigger an interim update when: a new AI tool enters wide use in your organization, a regulation changes (EU AI Act, US state AI laws), a SOC 2 audit produces findings, or a material AI vendor changes its terms.
Should the policy mention specific AI tools by name?
Yes, name your approved AI tools explicitly in the “Approved AI Tools” table. Do not try to maintain a list of prohibited tools: it is open-ended and falls out of date as soon as a new tool launches. Default-deny on anything not in the approved table is simpler to maintain and to enforce.
A working AI acceptable use policy is the cheapest, fastest control in any AI governance program. Start there: grab the free template, customize it, have legal review it, roll it out. The harder pieces (technical enforcement, audit logs, vendor inventory) come next, and they all reference the policy as their foundation.