AI Policy Template

A practical starting point for a corporate AI acceptable use policy. Use it as-is, or adapt the sections to your business and approval flow.

Most AI incidents inside companies are not exotic attacks; they are normal employees using normal tools without rules. A short, specific AI policy prevents most of them and lets the rest of the organization actually use AI.

This template is intentionally short. Long policies do not get read. Use it as a baseline, tighten it for your industry, and pair it with training. When you are ready to operationalize it across teams — workspaces, approved tools, use cases, training, governance — the AI Playbook is the full version of this.

What to include

1. Purpose & scope

Why the policy exists, who it applies to (all employees, contractors, vendors with access to company systems), and which AI tools are in scope (chat assistants, coding agents, image and audio generators, embedded AI features in SaaS apps).

2. Approved tools

A short list of sanctioned AI tools, the accounts to use (company SSO, not personal), and the workspace tier required. A clear rule: do not paste company data into tools outside this list without written approval.

3. Data classification & handling

Three tiers: public, internal, confidential. For each tier, say what may go into which tools (public marketing copy can go into any approved tool; internal documents only into approved tools on company accounts; customer PII, unreleased product details and source secrets only into the approved private workspace; credentials and API keys into no AI tool at all). Concrete examples beat abstract definitions.

4. Acceptable use

What AI is encouraged for (drafting, summarization, research, code review, internal Q&A) and what it must not be used for (final legal/financial/medical decisions without human review, generating content that violates IP, impersonation, surveillance of employees).

5. Review & accountability

Who is responsible for AI-assisted output. Default rule: the human who ships the work owns it. Required review steps for customer-facing copy, code, and any external communication.

6. Disclosure

When AI use must be disclosed — to customers, to candidates, in marketing, in research, and in regulated contexts. Include a short disclosure template teams can copy.

7. Security & access

MFA and SSO on every AI account, no shared accounts, no API keys or passwords in prompts, no production credentials in dev tools or coding agents. Treat any secret that has been pasted into a prompt as exposed and rotate it. Define the reporting path for suspected data leaks and prompt-injection incidents: who to tell, within what time, and what to preserve (the prompt, the tool, the account and the timestamp).
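The "no API keys in prompts" rule in this section and the confidential-data rule in section 3 are easier to enforce with a check than with a reminder. The following is an added illustration, not part of the template itself: a small gate that scans a prompt before it leaves the company and returns a decision plus a redacted copy. The rule names, the regexes, the Luhn check on card-like digit runs (so an order number is not mistaken for a card), and the mapping of findings to decisions (secrets are blocked outright; PII is allowed only in the approved private workspace) are all assumptions chosen for the example, and the sample prompt is constructed.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: a 16-digit order number fails this, a real card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Finding:
    kind: str       # which rule fired
    category: str   # "secret" or "pii"
    start: int      # character span of the sensitive value in the prompt
    end: int


# Illustrative rules only (assumed formats): extend with your own key formats.
# (kind, category, pattern, optional validator run on the digits of the match)
RULES = [
    ("aws_access_key_id", "secret", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), None),
    ("github_token", "secret", re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"), None),
    ("private_key_block", "secret", re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"), None),
    # value assigned to a secret-looking name; only the value (group 1) is redacted
    ("assigned_secret", "secret",
     re.compile(r"(?i)\b(?:api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?([A-Za-z0-9_\-/+=]{12,})"),
     None),
    ("email_address", "pii", re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"), None),
    ("us_ssn", "pii", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None),
    ("payment_card", "pii", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), luhn_ok),
]


def scan(text: str) -> list[Finding]:
    """Run every rule; a validator (e.g. Luhn) can reject a pattern match."""
    findings = []
    for kind, category, pattern, validator in RULES:
        for m in pattern.finditer(text):
            if validator and not validator(re.sub(r"\D", "", m.group())):
                continue
            start, end = m.span(1) if pattern.groups else m.span()
            findings.append(Finding(kind, category, start, end))
    return sorted(findings, key=lambda f: (f.start, f.end))


def redact(text: str, findings: list[Finding]) -> str:
    """Replace each sensitive span with a marker; overlapping spans are merged."""
    pieces, pos = [], 0
    for f in findings:
        if f.start < pos:              # overlaps a span already redacted
            pos = max(pos, f.end)
            continue
        pieces.append(text[pos:f.start])
        pieces.append(f"[REDACTED:{f.kind}]")
        pos = f.end
    pieces.append(text[pos:])
    return "".join(pieces)


def gate(text: str) -> dict:
    """Decide whether a prompt may be sent, and to which class of tool."""
    findings = scan(text)
    secrets = sorted({f.kind for f in findings if f.category == "secret"})
    pii = sorted({f.kind for f in findings if f.category == "pii"})
    if secrets:
        decision = "block"                      # secrets go to no AI tool at all
    elif pii:
        decision = "approved_workspace_only"    # confidential data stays in the private workspace
    else:
        decision = "allow"
    return {"decision": decision, "secrets": secrets, "pii": pii,
            "redacted": redact(text, findings)}


# Constructed sample prompt: a support ticket plus a pasted deploy snippet.
SAMPLE_PROMPT = (
    "Summarize this support ticket for me.\n"
    "Customer jane.doe@example.com says her card 4111 1111 1111 1111 was charged twice.\n"
    "Order ORD-1234567890123456 shows status PAID.\n"
    "Our deploy script uses AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE and token = ghp_"
    + "A" * 36 + "\n"
)

if __name__ == "__main__":
    result = gate(SAMPLE_PROMPT)
    print(result["decision"], result["secrets"], result["pii"])
    print(result["redacted"])
```

The redacted copy is what a reviewer or the approved workspace should see; the original prompt with a blocked secret should go to the reporting path above, with the key rotated. Pattern lists like this catch known formats only, so pair the gate with the vendor-side controls in section 8 rather than relying on it alone.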

8. Vendor & model evaluation

Minimum bar for adding a new AI vendor: data processing terms, opt-out from training on your data, data residency region, retention period for prompts and outputs, audit logs, SSO support. Name who approves additions.

9. Training & onboarding

Mandatory short training for new hires, refresher on policy changes, and a single internal page that lists approved tools and examples.

10. Enforcement & exceptions

Consequences for violations, the exception request process, and the review cadence (at least quarterly while AI tools change this fast).

Rollout checklist

  • Name an accountable owner for the policy (usually CTO, COO, or Head of Ops).
  • Decide on 3–5 approved AI tools and the accounts employees must use.
  • Write data classification examples for your actual product and customers.
  • Define review rules for customer-facing AI output.
  • Set the disclosure rule and write the template line.
  • Pick a quarterly review date and put it on a calendar.

A short example clause

Employees may use the approved AI tools listed in the internal AI Tools page for drafting, summarization, research, and code assistance. Confidential data — including customer PII, unreleased product information, source secrets, and financial data not yet public — must not be entered into any AI tool outside the approved private workspace. Customer-facing output produced with AI assistance must be reviewed by a named human owner before sending.

Want this as your real policy, not a template?

The Sympatric AI Playbook turns this outline into a company-specific policy with your tools, data tiers, approval flow, and a 15-day rollout — paired with training and a private AI workspace.
