# AI Usage Policy Template

One working session to go from "people are quietly pasting things into ChatGPT" to a one-page policy your team has actually read, plus the email that rolls it out.

**Works with:** ChatGPT, Claude, Gemini, or any capable AI assistant. Nothing here depends on one vendor.

**What you get:** a fact-gathering checklist, a copy-paste prompt that drafts the policy, a second prompt for the rollout email, and a QA pass before you ship it.

## Prerequisites

- 30–60 minutes with someone who can approve policy (owner, ops lead, or office manager)
- A rough list of the AI tools people already use, official or not
- A clear idea of what sensitive data your business handles (client records, financials, contracts, health data)

## Step 1 — Gather the facts

Answer these before you open the assistant. The policy is only as good as these answers.

1. Which AI tools are officially approved today, if any? Note the account type — free consumer accounts and business accounts handle your data differently.
2. What data would hurt you if it leaked: client names, contracts, financials, employee records, health information, source code, pricing?
3. Who can approve a new AI tool or an exception? Name one person or role.
4. Do any regulations or client contracts restrict how you handle data (privacy law, HIPAA, NDAs)?
5. Where will the policy live, and who must acknowledge it?

## Step 2 — Draft the policy

Start a fresh chat and run this prompt with your answers filled in:

```
Draft a one-page AI usage policy for my company. Plain language, no
legalese. A new hire should understand it in five minutes.

Company facts:
- Company: {NAME, INDUSTRY, HEADCOUNT}
- Approved AI tools and account types: {LIST, or "none yet"}
- Sensitive data we handle: {LIST}
- Approver for new tools and exceptions: {NAME OR ROLE}
- Regulations or contract restrictions: {LIST, or "none known"}

Structure — use exactly these sections:
1. Why this policy exists. Two sentences, no scare tactics.
2. Approved tools: the list above, plus the rule that anything else
   needs approval before first use.
3. Green / yellow / red data rules:
   - GREEN (fine to paste): public information, fully anonymized text,
     general drafting with no company specifics.
   - YELLOW (ask first): internal documents, drafts containing company
     specifics. Name who to ask.
   - RED (never paste): concrete examples drawn from the sensitive-data
     list above, not vague categories.
4. Using AI output: whoever sends it owns it; review before it leaves
   the company; note where clients should be told AI was involved.
5. Getting a new tool approved: who to ask, what to include, expected
   turnaround.
6. If something goes wrong: report a paste mistake within one working
   day, no blame attached. Fast reporting is the point of the rule.
7. Acknowledgment line with name and date.

Rules:
- Do not invent tools, laws, or facts not listed above. If a needed
  fact is missing, write [FILL IN] instead.
- Keep it under 600 words.
```

## Step 3 — Draft the rollout email

In the same chat:

```
Now write the rollout email announcing this policy to the team.

- From {SENDER NAME AND ROLE}. Direct and human, not corporate, not
  scolding.
- Make clear AI use is encouraged inside these rules. This is a
  how-to-use-it policy, not a ban.
- State the three things to remember: check the approved-tool list,
  follow green/yellow/red, report mistakes fast without blame.
- Ask for acknowledgment by {DATE} and say where the policy lives.
- Under 200 words.
```

## Step 4 — QA before you ship (do not skip)

- Read the RED list against reality. Every example should be a real thing someone could paste tomorrow — "client claim files," not "sensitive data."
- Resolve every [FILL IN]. Never publish a placeholder.
- Walk two real scenarios past the policy ("can I paste this client email to draft a reply?") and check it answers them without interpretation.
- Confirm the named approver knows they are the approver.
- If you operate under regulation or client contracts restrict data handling, have a lawyer review before rollout. This is a starting draft, not legal advice.

Revisit the approved-tool list quarterly. The policy goes stale exactly as fast as the tools change.

## When this outgrows DIY

A policy tells people what not to paste. It cannot watch anything. Once AI use spreads into real workflows (client data flowing through prompts, multiple tools, multiple teams), the fix is infrastructure, not a longer document: approved tools with proper data agreements, workflows built so sensitive data never touches a consumer chatbot, and someone accountable for the whole thing. That is what we install and run at agentclaw. See https://agentclawhq.com/services, or book a free AI opportunity audit at https://agentclawhq.com/book.
