Writing an AI Policy That Actually Works
The 1,000-word AI policy template that employees actually read. Specifics, examples, decisions — not principles or aspirations.
TL;DR
The 1,000-word AI policy template:
- Approved use cases (200 words) — what employees can do with AI today.
- Prohibited use cases (150 words) — what’s never OK.
- Data handling rules (200 words) — what data goes where, with examples.
- Approval process (150 words) — how to get a new use case greenlit.
- Incident reporting (100 words) — what to do when something goes wrong.
- Roles and decision rights (100 words) — who decides, who’s notified.
- Review cadence (100 words) — how often the policy gets revised.
Skip the values statement. Skip the principles. Specifics or it didn’t happen.
The 1,000-word policy that employees actually read. Specifics, examples, decisions — not principles, values, or aspirations.
The typical AI policy is unread because it’s unreadable. Twenty pages of principles, frameworks, and aspirational statements that don’t tell a marketing manager whether they can paste a customer email into ChatGPT. This piece is the alternative: a 1,000-word document that says specifically what’s allowed, what isn’t, and how decisions get made when the policy doesn’t cover the case.
Why most AI policies fail
Three failure modes.
1. Too abstract. “We use AI ethically and responsibly” tells nobody anything. The employee paste-test: can a person reading this policy decide whether the specific thing they’re about to do is allowed? If not, the policy is decoration.
2. Too long. Nobody reads twenty pages. Policies that don’t get read don’t shape behavior. The 1,000-word version is what works.
3. Too inflexible. A static policy can’t keep up with AI tooling that changes every quarter. The policy needs a defined revision cadence and a process for approving new use cases between revisions.
The 1,000-word template
Section 1: Approved use cases (200 words)
List 8–15 specific things employees can do with AI today. Be concrete. Examples:
- Use [approved tool list] for drafting internal documents.
- Use AI coding assistants for code generation, with review by a human before commit.
- Use AI for marketing copy drafts, with editorial review before publication.
- Use AI for data analysis on non-sensitive data sets (defined below).
- Use AI summarization for meeting notes from internal meetings.
The list grows as new use cases are approved. Update quarterly.
Section 2: Prohibited use cases (150 words)
List 5–10 things that are never OK. Examples:
- Don’t paste customer PII into any AI tool.
- Don’t paste source code into non-approved AI tools.
- Don’t use AI for any decision affecting employee status (hiring, firing, performance).
- Don’t use AI for legal or financial advice to clients without human review.
- Don’t use AI to generate content that’s published as if written by a human (without disclosure).
Each item should have a short reason (so people understand the principle, not just the rule).
Section 3: Data handling rules (200 words)
What data goes where. Concrete examples beat abstract categories.
| Data type | OK in approved AI tools | OK in non-approved AI tools |
|---|---|---|
| Public data | Yes | Yes |
| Internal documents (no customer/employee data) | Yes | No |
| Customer data | No | No |
| Employee data | No | No |
| Source code | Yes (approved coding assistants only) | No |
| Financial / regulatory data | No | No |
The “approved AI tools” list is maintained by IT/security and updated as new tools clear review.
Section 4: Approval process (150 words)
For use cases not on the approved list, here’s how to get approval.
- Email [AI program lead] with: the use case, the data involved, the tool you want to use, and the business reason.
- AI program lead routes to security and legal for review (typically 5 business days).
- Decision communicated within 10 business days.
- Approved use cases get added to the list.
This is the release valve that prevents the policy from being a constant blocker. People who want to do something not on the list have a path; they don’t have to either bypass the policy or give up.
Section 5: Incident reporting (100 words)
If you accidentally violate this policy, or if AI produces a harmful output, report immediately to [security@yourcompany.com]. No retribution for honest mistakes; the goal is to fix issues before they compound.
If you observe a colleague violating the policy, raise with [your manager / ethics line]. Don’t let things slide.
Section 6: Roles and decision rights (100 words)
- AI program lead: owns the policy, runs the approval process.
- Security: reviews tools and data-handling cases.
- Legal: reviews regulatory and IP-adjacent cases.
- Function leads: own use case approvals within their function.
- Employees: comply with the policy; report incidents; suggest new use cases.
If decision rights are unclear in a specific case, escalate to AI program lead.
Section 7: Review cadence (100 words)
This policy is reviewed quarterly by the AI program lead. Updates communicated to all employees. Major changes (new prohibitions, new data categories) require sign-off from CTO, CISO, and General Counsel.
The next scheduled review is [date]. Send suggestions to [ai-policy@yourcompany.com] anytime.
What to skip
- Values statements (“We believe AI should benefit humanity”).
- Long ethical frameworks borrowed from external sources.
- Aspirational principles that don’t translate to specific decisions.
- Comprehensive coverage of every possible scenario.
These belong in adjacent documents (a public-facing AI principles statement, a board-level governance charter). They don’t belong in the operational policy.
What to do this quarter
- Audit your current AI policy. Is it readable in 5 minutes? Does it tell a person whether a specific thing is allowed?
- Rewrite to the 1,000-word format. Use the template above. Customize for your specific organization.
- Get sign-off from CTO, CISO, and Legal. Don’t ship without their input on specifics.
- Publish, communicate, train. Most employees won’t read the policy unless you make it easy and obvious.
FAQ
Should the policy be public? A summary is increasingly useful (customers, investors, regulators ask). The full operational policy is internal. Don’t publish the version with specific approval lists and tool names.
What about role-based variations? Engineers, marketing, HR, finance often need slightly different guidance. Either build a single policy with role-specific sections, or layer role-specific addenda on a common base. Don’t fragment into different policies.
How often should we update the approved-tools list? Monthly is typical for organizations actively expanding AI use. Quarterly is the minimum.
What about contractors and vendors? They should comply with the policy or sign an addendum. Vendor AI use is increasingly visible in contracts and SOWs.
What happens when the policy and a specific tool’s TOS conflict? The policy wins for your employees’ use. The tool’s TOS may also apply legally — flag conflicts to legal for review.
Working with JAIN on your AI policy? We help executive teams write the 1,000-word version that employees actually read and that legal and security can stand behind. Book a 30-minute call.
Related reading:
Want to talk through this for your team?
30 minutes, no slides. We'll work the specific call your company is facing.