Samsung banned ChatGPT after engineers leaked proprietary source code through the tool. JPMorgan restricted employee use of generative AI before rolling out its own internal system. Apple, Amazon, and Verizon all imposed AI restrictions of varying scope. These are among the largest companies in the world, and even they got caught flat-footed.
The common thread? None of them had a comprehensive AI acceptable use policy before employees started experimenting. The bans were reactive, not strategic.
Your organization does not need to repeat that mistake. An AI policy — written before the incident, not after — gives employees clear guidance, protects the organization from preventable risk, and positions you to capture AI’s productivity benefits without the downside.
Key takeaways
- Over 60% of Fortune 500 companies now have formal AI policies — up from under 10% in 2023
- An effective AI policy covers 10 sections, from scope to enforcement to review cadence
- The best policies enable responsible use rather than restrict it — overly rigid policies drive shadow AI
- US-specific considerations include NIST AI RMF alignment, FTC guidance, state laws, and sector regulations
Why companies need an AI policy now
The AI policy gap in corporate America is closing fast, but not fast enough. According to a 2025 KPMG survey of US executives, 64% of organizations have a formal AI policy — up from 9% in 2023. That still leaves more than a third of US companies operating without guardrails.
Three forces make an AI policy urgent:
Regulatory pressure. The NIST AI Risk Management Framework recommends governance policies as a foundational element. The Colorado AI Act (effective 2026) requires documented risk management for high-risk AI, which includes acceptable use policies. The FTC has brought enforcement actions against companies for deceptive AI practices — and employee misuse of AI tools is a vector for exactly that.
Liability exposure. When an employee uses AI to make a hiring decision that discriminates, or generates a client report with hallucinated data, the liability sits with your organization. A policy establishes the standard of care. Without one, your legal exposure is effectively unlimited.
Productivity at stake. Organizations without AI policies see two equally bad outcomes: employees who refuse to use AI (leaving productivity gains on the table) and employees who use it recklessly (creating risk). A policy resolves this by defining the responsible middle ground.
64% of US organizations now have a formal AI policy — but many lack enforcement mechanisms. (Source: KPMG US AI Adoption Survey, 2025)
The 10 sections every AI policy must include
1. Purpose and scope
State why the policy exists and who it covers. Be comprehensive: employees, contractors, temps, interns, and any third party using AI in connection with your business. Reference the regulatory drivers — NIST AI RMF, applicable state laws, industry guidance.
2. Definitions
Define your terms. “Artificial intelligence,” “AI system,” “generative AI,” “large language model,” “prompt,” “hallucination,” “model output.” Do not assume shared vocabulary. The number-one source of policy disputes is people disagreeing about what counts as AI.
3. Approved and prohibited tools
Maintain a living list:
- Approved: Enterprise-licensed tools with data protection (e.g., Microsoft 365 Copilot, ChatGPT Enterprise, Anthropic Claude for Work)
- Conditionally approved: Tools permitted for non-sensitive use only
- Prohibited: Tools that fail your security or privacy requirements
- Under review: With a process for employees to nominate tools for evaluation
Update this list quarterly. The AI vendor landscape shifts fast.
4. Data classification and handling
This section prevents the Samsung scenario. Map AI tool usage to your existing data classification:
- Restricted data (PII, PHI, financial records, trade secrets, source code): Never enter into any AI tool unless the tool has a compliant enterprise agreement with appropriate data processing terms
- Confidential data (internal strategies, unreleased product info): Approved enterprise tools only, with audit logging
- Internal data (meeting notes, process documentation): Approved tools with standard precautions
- Public data (published materials, general knowledge): Any approved tool
The most common AI data breach is not a hack. It is an employee pasting customer data into a free-tier AI tool. Your data handling section must be crystal clear and reinforced through training.
5. Output verification
Establish that AI outputs are suggestions, not facts:
- Every AI output used in business must be reviewed by a qualified human
- The person using the output is responsible for its accuracy — not the AI
- Outputs used in client deliverables, regulatory filings, financial reports, or legal documents require enhanced verification
- AI-cited sources must be independently confirmed
6. Intellectual property
Address the current US legal landscape:
- The US Copyright Office has ruled that AI-generated content without sufficient human authorship is not copyrightable (Thaler v. Perlmutter, 2023; subsequent guidance, 2024-2025)
- Do not rely on AI-generated content as proprietary IP without legal review
- Do not input third-party copyrighted material into AI tools without understanding the implications
- Document AI involvement in content creation
7. Transparency and disclosure
Define when AI use must be disclosed:
- Internally: When AI materially contributed to analysis, recommendations, or deliverables
- To clients: When AI was used in services delivered under contract
- To regulators: As required by applicable law and industry guidance
- Publicly: In marketing materials, publications, or any public-facing content
8. Training requirements
Link the policy to your AI training program:
- All employees must complete foundational AI literacy training within 90 days
- Role-specific training for high-risk roles (HR, finance, legal, customer-facing)
- Annual refresher requirement
- Documented completion records for compliance purposes
9. Incident reporting
Define what constitutes an AI incident and create a clear reporting path:
- Confidential data entered into an unapproved tool
- AI output used without verification that caused harm or error
- Discovery of shadow AI usage
- Bias or discrimination in AI-assisted decisions
- Regulatory inquiry related to AI use
Specify the reporting channel, response timeline, and escalation process.
10. Governance, enforcement, and review
Governance: Assign policy ownership — typically the Chief Information Officer, Chief Data Officer, or a dedicated AI governance committee.
Enforcement: Define consequences proportionate to severity. Minor violations warrant coaching and retraining. Serious violations — data breaches, willful circumvention — require escalation under existing disciplinary procedures.
Review: Commit to at least annual review, with interim updates triggered by regulatory changes, major AI incidents, or significant technology shifts.
3.2x higher AI adoption rate in organizations with clear, enabling AI policies versus those with restrictive or no policies. (Source: McKinsey Global Survey on AI, 2025)
What Fortune 500 companies are doing
JPMorgan Chase developed an internal LLM (IndexGPT) and restricts use of external tools, with a detailed data classification framework tied to its existing information security policies.
Microsoft practices what it sells — with an internal AI policy covering Copilot usage, data handling, and output verification that mirrors the AI governance framework it recommends to customers.
Walmart rolled out a company-wide AI policy alongside its “My Assistant” internal AI tool, with mandatory training for all associates and specific guidelines for store-level versus corporate use.
Goldman Sachs restricts external AI tools and built GS AI, its internal platform, with usage policies embedded in the tool itself — preventing employees from entering restricted data at the interface level.
The best AI policies do not live in a PDF on the intranet. They are embedded in the tools themselves — through guardrails, prompts, and interface-level controls — and reinforced through ongoing training and regular communication.
US-specific regulatory considerations
Your AI policy should account for these US regulatory frameworks:
- NIST AI RMF: The Govern function explicitly calls for organizational policies around AI use
- FTC Act Section 5: The FTC has enforcement authority over unfair or deceptive AI practices — employee misuse creates organizational liability
- Colorado AI Act (2026): Requires risk management and disclosure for high-risk AI, including acceptable use policies
- Equal Employment Opportunity Commission (EEOC): AI used in hiring must comply with Title VII — your policy must address this if HR uses AI tools
- SEC disclosure: Public companies should address AI use in risk factor disclosures
- HIPAA, GLBA, SOX: Industry-specific data regulations apply to AI tool usage in healthcare, financial services, and public companies
Implement your AI policy with Brain
Writing the policy is step one. Ensuring every employee understands it, follows it, and knows why it matters — that is the hard part. Brain delivers practical AI training that turns policy into behavior. Role-specific modules on data handling, output verification, shadow AI prevention, and responsible use. Tracked, assessed, and documented.