Series: Establishing AI the Right Way – AI Usage Policy

With generative AI now under discussion in nearly every business, Atlantic Digital is starting a series in our newsletter on how to inform staff about the accepted use of generative AI models, how to police that use, how to enforce it, and how to get the most out of the tools you have chosen.

To start this series off, we have included an example template below. It is a great starting point that you can build on and develop depending on your needs.


AI USAGE POLICY FOR [COMPANY NAME]

PURPOSE
This policy establishes guidelines for the ethical, secure, and compliant use of generative AI tools within [Company Name]. It aims to protect client data, mitigate risks, and align AI usage with organizational values.

SCOPE
Applies to all employees, contractors, and third parties using AI tools for [Company Name] business.

PERMITTED USE

  1. Microsoft Copilot (Preferred Tool)
    • Mandatory Preference: Use Microsoft Copilot for all generative AI tasks (e.g., drafting, coding, analysis) due to its enterprise-grade security, compliance with data privacy standards, and integration with Microsoft 365.
    • Benefits: Encrypted data handling, adherence to GDPR/CCPA, and minimal retention of user inputs.
  2. ChatGPT (Restricted Use)
    • Privacy Settings Required: Users must enable “Privacy Mode” (disable chat history and data retention) via ChatGPT settings.
    • Data Restrictions: Never input client names, sensitive project details, or personally identifiable information (PII).

PROHIBITED USE

  1. DeepSeek AI Models [Example]
    • All DeepSeek AI models, APIs, or derivatives are strictly banned. Violations will result in disciplinary action.
  2. Unapproved Tools
    • Using AI tools not explicitly permitted in this policy without prior approval is prohibited.

DATA PRIVACY REQUIREMENTS

  • Anonymization: Remove client-specific identifiers from AI inputs.
  • Encryption: Use company-approved encryption for data shared with AI tools.
  • Audits: Regular audits will ensure compliance.

REQUEST PATHWAY FOR UNNAMED AI MODELS
To request approval for an AI tool not listed in this policy:

  1. Submit a Request Form to [IT/Compliance Team Email] with:
    • Purpose and use case.
    • Data types involved and safeguards.
    • Vendor’s security certifications (e.g., ISO 27001).
    • Compliance with GDPR/CCPA/other regulations.
  2. Approval Process:
    • The IT/Compliance team will review within [X] business days.
    • Unapproved tools must not be used until written authorization is provided.

COMPLIANCE & ENFORCEMENT

  • Violations: May result in revoked access, disciplinary action, or legal consequences.
  • Reporting: Report suspected breaches to [Compliance Email].

POLICY REVIEW
This policy will be reviewed annually or as AI regulations evolve.

DEFINITIONS

  • PII: Data that identifies individuals (e.g., names, emails).
  • Generative AI: Tools creating text, code, or media via machine learning.

 

ACKNOWLEDGMENT

I have read and agree to comply with this policy:

Name: _____________________________________
Date: ______________________________________
Title: ______________________________________
Company Name: _____________________________