Policy sections
- Purpose: why the company uses AI and what the policy controls.
- Approved tools: which AI tools staff may use.
- Prohibited data: customer secrets, regulated data, credentials and other confidential material, unless their use in a given tool has been approved.
- Human review: when AI outputs must be checked before use.
- Customer disclosure: when AI use should be explained to customers.
- Vendor approval: how new AI tools are reviewed before adoption.
- Incident handling: what to do if sensitive data is entered into an AI tool by mistake.
Strong rule
The policy should be short enough for staff to actually read and follow. A long policy nobody reads is not a control. The minimum useful version is one page plus an approved tool list.