Free Resource

Free AI Acceptable Use Policy Template

A drop-in AI acceptable use policy template for IT, security, and compliance teams. Covers approved tools, prohibited data, personal-account use, monitoring, violations, and exception requests. No email required. Copy or download below.

The template

# AI Acceptable Use Policy

**Effective Date:** [DATE]
**Owner:** [POLICY OWNER, e.g. CISO, IT Director]
**Review Cycle:** Annual

## 1. Purpose

This policy establishes how [COMPANY NAME] employees and contractors may use generative AI tools (including ChatGPT, Claude, Gemini, Microsoft Copilot, GitHub Copilot, and similar services) in connection with their work. It protects [COMPANY NAME]'s sensitive data, customer information, and intellectual property while enabling productive use of approved AI tools.

## 2. Scope

This policy applies to:
- All employees, contractors, and authorized agents of [COMPANY NAME]
- All [COMPANY NAME]-owned devices and accounts
- Use of personal devices or accounts when accessing [COMPANY NAME] data
- Both web-based and desktop AI applications

## 3. Definitions

- **Approved AI Tool:** An AI service that has completed [COMPANY NAME]'s vendor security review and has an executed Data Processing Agreement (DPA) covering the relevant data categories.
- **Sensitive Data:** Customer personal data, employee data, financial records, source code, credentials, contracts, board materials, and any data classified as Confidential or Restricted under [COMPANY NAME]'s data classification policy.
- **Regulated Data:** Data subject to HIPAA, GDPR, PCI-DSS, or other regulatory regimes applicable to [COMPANY NAME].

## 4. Approved AI Tools

The following tools are approved for use, subject to the data restrictions in Section 5:

| Tool | Approved For | DPA on File |
|------|--------------|-------------|
| [e.g. Microsoft Copilot for M365] | [e.g. Internal documents only] | Yes |
| [e.g. GitHub Copilot Business] | [e.g. Code assistance] | Yes |
| [e.g. ChatGPT Enterprise] | [e.g. General productivity] | Yes |

All other AI tools are considered Unapproved and must not be used with any [COMPANY NAME] data.

## 5. Prohibited Data

The following data must never be submitted to any AI tool, approved or otherwise, without prior written approval from [POLICY OWNER]:

- Personally identifiable information (PII) of customers, prospects, employees, or any third party
- Protected health information (PHI)
- Payment card data (PAN, CVV)
- Authentication credentials (passwords, API keys, tokens, connection strings)
- Source code marked Confidential or higher
- Materially non-public information (MNPI), including pre-announcement financial results, M&A activity, or product roadmaps
- Privileged communications (legal advice, attorney-client matter)
- Contract terms marked Confidential
- Personal data of EU residents (any category) unless a Data Processing Agreement covers the specific AI tool and use case

## 6. Permitted Use

Employees may use Approved AI Tools for:
- General productivity (drafting emails, summarizing public content)
- Code assistance (with non-confidential code)
- Research using publicly available information
- Internal brainstorming with non-sensitive content

## 7. Personal Accounts

Use of personal accounts on AI tools while performing [COMPANY NAME] work is prohibited. All AI use must be through [COMPANY NAME]-provisioned accounts on Approved Tools.

## 8. Monitoring

[COMPANY NAME] monitors AI tool usage on [COMPANY NAME]-managed devices. This includes:
- Detection of AI tool access (which tools, which users, when)
- Classification of content submitted (without storing content)
- Audit logs of policy violations

Employees are expected to acknowledge this monitoring as part of their employment agreement.

## 9. Violations

Suspected violations should be reported to [POLICY OWNER] or the IT helpdesk. Violations may result in:
- Required completion of additional AI training
- Restriction of AI tool access
- Disciplinary action up to and including termination, depending on severity and intent
- Notification to affected parties and regulators where required by law

## 10. Exception Requests

If an Approved Tool does not exist for a needed use case, employees may submit an exception request to [POLICY OWNER]. Requests will be evaluated within 5 business days and may result in an expedited vendor review.

## 11. Review and Updates

This policy is reviewed annually, or more frequently as the AI vendor landscape evolves. Material changes will be communicated to all employees.

## 12. Acknowledgement

I acknowledge that I have read, understood, and agree to comply with this AI Acceptable Use Policy.

Employee Name: ____________________________
Signature: ____________________________
Date: ____________________________

---

*This template was published by ShadowLock and may be freely used, modified, and adapted to your organization. ShadowLock does not provide legal advice; have your counsel review this template before adopting it.*

Replace bracketed placeholders ([COMPANY NAME], [DATE], etc.) with your organization's information. Have your legal counsel review the final policy before formal adoption.

How to use this template

A three-step rollout

Customize: Replace placeholders, populate the Approved AI Tools table with your organization's specific tools and DPAs, and adjust the data categories to match your data classification policy.
Review: Have your legal counsel and HR review the policy. Adjust monitoring language to comply with the jurisdictions where you operate (employee notification requirements vary by country and US state).
Roll out: Distribute via your HR system, collect acknowledgements, and pair the policy with a technical enforcement layer like ShadowLock's shadow AI detection so the policy is enforceable rather than aspirational.

Frequently asked

Template FAQ

What should an AI acceptable use policy include?

A strong AI acceptable use policy covers: which tools are approved, which data is prohibited from being submitted to AI tools, rules about personal accounts, employee acknowledgement of monitoring, how violations are handled, and an exception request path for new tools. Our free template covers all seven sections.

Is this AI acceptable use policy template free?

Yes. The template is published under a permissive use license: you can copy it, modify it, and adopt it inside your organization at no cost. We ask only that you have your legal counsel review it before formal adoption.

Do I need to write a separate AI policy if I have an acceptable use policy already?

You can either embed AI-specific language into your existing AUP or maintain a separate AI policy. We recommend a standalone AI policy initially because the AI landscape changes faster than general technology policies. Keeping AI rules separate makes them easier to update.

How often should I update my AI policy?

Annually at minimum, with interim updates triggered by major events: a new AI tool entering wide use in your organization, a new regulation (EU AI Act, US state AI laws), a SOC 2 audit finding, or a material AI vendor change (a tool changing its data retention terms, for example).

How does ShadowLock help enforce this policy?

ShadowLock provides the technical enforcement layer that makes a written policy real. It detects AI tool usage on managed endpoints, classifies content on paste, and blocks sensitive data from reaching unapproved AI tools, producing the audit log that auditors and underwriters increasingly expect. See our AI governance platform for details.

Make the policy enforceable

A written policy without a technical control is a SOC 2 weakness. ShadowLock turns your AUP into a working program.

See the governance platform