Here is a statistic that should concern every leadership team: according to Microsoft’s 2024 Work Trend Index, 78% of AI users bring their own AI tools to work. Most of them do it without telling anyone. Not because they are being subversive — because nobody told them the rules.
This is shadow AI, and it is the direct consequence of not having an AI policy. When people do not know what is allowed, they either do nothing (and your organisation misses the productivity gains) or do everything (and your organisation absorbs the risk).
An AI policy solves this. Not by banning AI — that horse left the stable in 2023 — but by setting clear boundaries that enable responsible use while managing risk.
Key takeaways
- 78% of AI users bring their own tools to work — an AI policy provides the guardrails they need
- An effective AI policy covers 10 sections, from scope and approved tools to data handling and incident response
- The EU AI Act Article 4 requires AI literacy for all staff — your policy is the foundation for compliance
- Policies should enable responsible use, not ban AI — overly restrictive policies drive shadow AI underground
Why you need an AI policy now
Three reasons make an AI policy urgent in 2026:
Regulatory obligation. The EU AI Act requires organisations to ensure AI literacy across their workforce (Article 4, in force since August 2025). An AI policy is the foundational document that defines what AI literacy means in your context and how it is maintained.
Risk management. Without a policy, you cannot manage what you cannot see. Employees paste confidential data into public AI tools, use AI-generated content without verification, and make consequential decisions based on hallucinated outputs. A policy establishes the controls that prevent these scenarios.
Competitive advantage. Organisations with clear AI policies report higher AI adoption rates and better outcomes. When people know the rules, they are more confident using AI tools productively.
78% of AI users bring their own AI tools to work, often without employer knowledge (Source: Microsoft Work Trend Index, 2024).
The 10 sections your AI policy must include
1. Purpose and scope
Define why the policy exists and who it applies to. Be explicit: this policy covers all employees, contractors, temporary workers, and third parties who use AI systems in connection with your organisation’s activities.
Example language: “This policy governs the use of artificial intelligence tools and systems by all personnel in the conduct of Company business. It applies to AI tools provided by the Company and to personal or third-party AI tools used for work purposes.”
2. Definitions
Do not assume everyone shares your understanding of AI. Define key terms: artificial intelligence, AI system, generative AI, large language model, prompt, output, training data, hallucination. Use plain language.
This section is more important than it appears. Disagreements about policy compliance often come down to disagreements about what counts as “AI.”
3. Approved and prohibited tools
Maintain a clear list of AI tools that are approved for use, with any conditions or restrictions. Equally, list tools that are explicitly prohibited and explain why.
Categories to consider:
- Approved without restriction — tools vetted and deployed by the organisation (e.g., Microsoft Copilot with enterprise data protection)
- Approved with conditions — tools that may be used for specific purposes with defined safeguards (e.g., ChatGPT for drafting non-confidential content only)
- Prohibited — tools that fail security or data protection requirements
- Pending review — tools under evaluation (with a process for employees to request reviews)
Update your approved tools list quarterly. The AI landscape moves fast — a tool that was insecure six months ago may have added enterprise features, and a previously approved tool may have changed its data processing terms.
4. Data classification and handling
This is the section that prevents disasters. Define clearly what data can and cannot be entered into AI tools:
- Prohibited — personal data (unless the tool has a compliant Data Processing Agreement), confidential business data, client data, financial data subject to regulatory obligations, intellectual property, source code
- Permitted with caution — non-confidential internal data, publicly available information, anonymised or aggregated data
- Freely permitted — general knowledge queries, publicly available information, creative brainstorming with no sensitive inputs
Map these categories to your existing data classification scheme. If you do not have one, build one before finalising your AI policy.
5. Output verification and accountability
AI outputs are not facts. They are predictions. Your policy must establish that:
- All AI-generated content must be reviewed by a human before use in any business context
- The person who uses an AI output is accountable for its accuracy, not the AI tool
- AI-generated content used in client-facing, regulatory, or legally significant contexts requires enhanced verification
- Sources cited by AI must be independently verified
Example language: “You are responsible for every output you use, regardless of whether it was generated by AI. AI outputs must be reviewed for accuracy, bias, and appropriateness before use.”
6. Intellectual property and copyright
The intersection of AI and copyright is an evolving area, but your policy should address the current landscape:
- Do not input third-party copyrighted material into AI tools without understanding the licensing implications
- AI-generated outputs may not be protectable by copyright — do not rely on AI outputs as proprietary intellectual property without legal review
- Document the use of AI in content creation for transparency and future legal clarity
7. Transparency and disclosure
Define when and how AI use must be disclosed:
- Internally — colleagues should know when they are reviewing AI-assisted work
- Externally — clients, regulators, and partners should be informed when AI has materially contributed to deliverables, decisions, or advice
- Publicly — AI-generated content published on behalf of the organisation should be labelled where required by regulation or where transparency serves trust
The EU AI Act requires disclosure when people interact with AI systems (Article 50). Your policy should go further than the legal minimum.
89% of consumers want to know when AI is used in decisions that affect them (Source: Edelman Trust Barometer, 2025).
8. Training and competency
Link your AI policy to your training programme. Under EU AI Act Article 4, all staff using AI must have appropriate AI literacy. Your policy should specify:
- Mandatory AI training for all employees (with completion deadlines)
- Role-specific advanced training for teams that develop, deploy, or heavily use AI
- Annual refresher requirements
- How training completion is documented for compliance purposes
9. Incident reporting
Define what constitutes an AI incident and how to report it:
- AI producing biased, discriminatory, or harmful outputs
- Data breaches involving AI tools (confidential data entered into unapproved tools)
- AI systems making or influencing decisions that cause harm
- Regulatory queries or complaints related to AI use
Establish a clear reporting channel, response timelines, and escalation procedures.
10. Governance and review
Your policy is not a static document. This section defines:
- Who owns the policy (typically the AI governance board or a named executive)
- Review frequency (at least annually, with interim reviews triggered by regulatory changes or significant AI incidents)
- How policy changes are communicated
- How compliance is monitored and enforced
The best AI policies are living documents that evolve with the technology and the regulatory landscape. Build a review trigger into your AI governance framework — any major AI incident, regulatory update, or new tool deployment should prompt a policy review.
Implementation tips
Start with consultation, not dictation. Involve representatives from across the organisation in drafting the policy. People comply with rules they helped create.
Make it findable. A policy that lives in a SharePoint folder nobody checks is worthless. Publish it prominently, reference it in onboarding, and link to it from your AI tools’ landing pages.
Enforce proportionately. Minor violations deserve coaching. Repeated or serious violations — particularly data breaches — require escalation. Define the consequences clearly in the policy.
Measure adoption. Track policy awareness (through training completion), policy compliance (through spot checks and audits), and policy effectiveness (through incident rates and shadow AI prevalence).
Align with your governance framework. Your AI policy is one component of a broader AI governance framework. It should align with your risk assessment processes, your ISO 42001 management system (if applicable), and your data protection policies.
Get your teams AI-policy-ready with Brain
Writing the policy is the easy part. Making sure every employee understands it, follows it, and knows why it matters — that is the hard part. Brain delivers AI literacy training that turns policy requirements into practical knowledge, with role-specific modules covering data handling, output verification, responsible use, and regulatory compliance.
Tracked, documented, and audit-ready. Explore our plans to get started.