Free AI Use Policy Template (Copy-Paste) + 12 Clauses

Here's a free AI use policy template you can copy straight into a document, plus the clauses to fill in, how to get it signed off, and how it maps to the NIST AI RMF, ISO/IEC 42001 and the EU AI Act. An AI use policy is the document that tells your staff what AI tools they can use, what they can't put into them, who's accountable, and what happens when something goes wrong. Right now your team is already pasting company data into ChatGPT whether you've written a policy or not. The template below turns that free-for-all into a controlled, defensible position. Copy the sections, fill in the blanks for your organisation, get it signed, and train people on it.
What is an AI use policy?
An AI use policy is a written set of rules for how your organisation and its people use AI tools, both the ones you build and the ones you buy or download. It covers the public tools your staff reach for (ChatGPT, Claude, Gemini, Copilot) and any AI you deploy in your own products or workflows.
It does three jobs. It draws the line between allowed and banned uses, so staff aren't guessing. It protects your data and your customers by saying what can and can't go into a public model. And it names who's accountable, so an AI decision can't sit in a grey zone where nobody owns the outcome.
One thing to be clear about. A policy isn't a compliance ornament you write once and forget. AI tools change monthly, the law is still settling, and your own usage grows. A policy that's a year old is describing a company that no longer exists.
Why does every business deploying AI need a written policy?
Four reasons, and none of them are optional once you've got staff using AI.
Accountability. When an AI system or an employee using AI makes a bad call, someone has to own it. A policy names that person before the incident, not during the post-mortem.
AI literacy is now a legal duty. Under Article 4 of the EU AI Act, providers and deployers must take measures to ensure their staff and anyone operating AI on their behalf have a sufficient level of AI literacy (EU AI Act Article 4). This obligation has applied since 2 February 2025. A written policy plus training is the practical way most organisations meet it.
Security. Staff pasting confidential data, customer records or source code into a public tool is one of the fastest ways to leak it. Public tools may retain inputs, and some use them to train. A policy sets the rule before the leak.
Employee use of tools like ChatGPT is already happening. The question isn't whether your people use AI. It's whether they do it under rules you set or in a vacuum you'll answer for later. Shadow AI use is the default state of any company without a policy.
The free AI use policy template
Copy the twelve sections below into a document. Fill in the bracketed placeholders for your organisation. Where a clause doesn't fit your context, adapt it rather than deleting it, so a reviewer can see the topic was considered. This is a starting structure, not legal advice for your specific situation.
1. Purpose and scope
- Purpose. This policy sets out how [Company] and its people use artificial intelligence tools, to protect our data, our customers and our obligations while getting the benefit of AI.
- Scope. This applies to all employees, contractors, and third parties acting on behalf of [Company]. It covers public AI tools (such as ChatGPT, Claude, Gemini, Copilot), AI features inside other software we use, and any AI systems we build or deploy ourselves.
- Owner. This policy is owned by [named role, e.g. Head of Data / CISO / DPO] and approved by [senior sign-off, e.g. the board / executive team].
2. Definitions
- AI tool. Any software that uses machine learning or generative AI to produce content, predictions, classifications or decisions.
- Public AI tool. An AI service accessed over the internet on a consumer or standard tier, where inputs may be retained or used to train the provider's models.
- Enterprise AI tool. An AI service on a contracted tier with data-handling terms we've reviewed, typically including no-training and retention controls.
- Personal data. Any information relating to an identified or identifiable living person, as defined under UK and EU GDPR.
- Confidential information. Any non-public [Company] or customer information, including source code, financials, strategy, and trade secrets.
3. Approved tools and approval process
- Staff may only use AI tools from the approved list maintained by [owner]. The current approved list is held at [location].
- To request a new tool, submit [request route] to [owner]. Approval considers data handling, security, contract terms and cost before the tool is added.
- Do not use unapproved AI tools for any work involving [Company] or customer data. If in doubt, ask before you use it.
4. Permitted and prohibited uses
Permitted (with judgement and human review):
- Drafting, summarising and editing non-confidential text
- Brainstorming, research and first drafts you then check and own
- Writing and reviewing code that contains no secrets or proprietary logic, on approved tools
- Analysing non-personal, non-confidential data
Prohibited:
- Entering personal data, confidential information or customer data into a public AI tool
- Using AI output as a final decision on anything affecting a person's rights, employment, credit, health or legal position without human review
- Presenting AI-generated work as fully human-authored where disclosure is required (see section 7)
- Using AI to create misleading, discriminatory, or unlawful content
- Bypassing the approved-tools list or the approval process
5. Data handling
- Never enter into a public AI tool: personal data, customer data, confidential company information, source code containing proprietary logic, credentials, or anything covered by an NDA.
- What is allowed in a public tool: genuinely non-confidential, non-personal information, and content already public.
- For work that needs real company or personal data, use only an approved enterprise tool with reviewed data-handling terms.
- Assume anything typed into a public tool could be retained by the provider. Treat the prompt box like a public forum.
- Follow our data classification scheme [reference] when deciding what's safe to enter.
6. Human oversight and accountability
- Every AI system or significant AI-assisted process has a named owner accountable for its outputs and risks. See the ownership register at [location].
- A human reviews AI output before it's used in any decision that affects a person or carries material risk to [Company]. AI supports the decision; a person makes it.
- The person using the tool owns the result. "The AI produced it" is not a defence for a wrong or harmful output.
- Higher-stakes uses (decisions about people, money, safety, or legal position) require documented human review.
7. Transparency and disclosure
- Label AI-generated or AI-assisted content where a reader would reasonably expect to know, and where our clients, regulators or platforms require it.
- Where we deploy AI that interacts with people (chatbots, automated responses), tell them they're dealing with an AI system.
- If we generate synthetic or manipulated media, mark it as such in line with applicable transparency rules.
- Don't use AI to impersonate a real person or misrepresent authorship.
8. Security
- Use AI tools only through approved accounts with [Company] authentication. No personal accounts for company work.
- Apply the same access controls to AI tools as to any other system handling company data.
- Be alert to prompt injection and manipulated inputs in any AI system connected to your data or given the ability to act. Report anything suspicious to [security contact].
- Don't connect AI tools or agents to company systems, data stores or accounts without approval from [owner].
9. Compliance
- Using AI on personal data must follow UK and EU GDPR. Where AI processing is likely to be high risk, a Data Protection Impact Assessment is required before it starts.
- We identify our role for each AI system under the EU AI Act (provider, deployer, or other) and meet the duties that attach to that role and the system's risk tier.
- High-risk AI systems, as defined by the Act, carry heavier obligations including risk management, data governance, documentation and human oversight. [Owner] confirms classification before deployment.
- Sector rules (financial, healthcare, and others) apply on top of this policy where relevant.
10. Training and AI literacy
- All staff who use AI tools complete AI literacy training covering safe use, this policy, and the limits of AI, in line with EU AI Act Article 4.
- Training is refreshed [cadence, e.g. annually] and on any significant change to tools or the law.
- New joiners complete training as part of onboarding before using AI tools on company work.
- [Owner] keeps a record of who has been trained and when.
11. Breach and incident handling
- Report any suspected breach of this policy, or any AI-related incident (data leak, harmful output, security event), to [contact] without delay.
- Incidents are logged, assessed and handled under our incident response process [reference].
- Where an incident involves personal data, we assess whether it's a reportable breach under GDPR and notify within the required timeframe.
- We don't punish honest, promptly reported mistakes. We do act on hidden or repeated breaches.
12. Review, sign-off and version control
- This policy is reviewed at least [cadence, e.g. every 6 to 12 months] and on any material change to our AI use, tools, or the law.
- Owner: [name / role]. Approved by: [senior sign-off]. Approval date: [date]. Next review: [date]. Version: [x.x].
- Changes are recorded in the version history below and communicated to all staff.
How do you use this AI policy template?
The template is the easy part. Adopting it properly is what makes it hold up.
Adapt it to your organisation. Fill in every bracket. Delete clauses that genuinely don't apply, add ones specific to your sector, and match the language to how your company actually works. A policy copied without adaptation reads like one, and staff ignore it.
Get sign-off. A policy nobody senior approved has no weight. Get it approved by the board or executive team, and name the owner who maintains it. That's what turns a document into a rule.
Train your staff on it. A policy people haven't read changes nothing. Roll it out with short, practical training that covers what's allowed, what's banned, and why. This training is also how you meet the EU AI Act Article 4 AI-literacy duty.
Review it on a cadence. Diarise the review. AI tools change fast, the law is still moving, and your usage grows. Revisit the policy on schedule and whenever something material changes, then re-communicate the new version.
How does an AI use policy map to NIST, ISO 42001 and the EU AI Act?
A policy isn't a framework on its own. It's the governance artefact that helps you meet several at once. Here's how it connects to the three that matter most.
NIST AI Risk Management Framework (AI RMF 1.0). The framework is built around four functions: GOVERN, MAP, MEASURE and MANAGE (NIST AI RMF Core). A use policy is squarely a GOVERN artefact. GOVERN is about the culture, accountability structures and policies that make the rest of the framework work, and a written, owned, trained-on policy is exactly that. The framework is voluntary and US-published (NIST AI 100-1), but it's the reference most boards now point to, and your policy is where its governance function becomes concrete.
ISO/IEC 42001:2023. This is the first international standard for an AI management system, published in December 2023 (ISO/IEC 42001:2023). An AI management system runs on documented policies, and a use policy is one of the core documents an ISO 42001 auditor expects to see. Unlike NIST, you can be certified against ISO 42001 by an accredited body, and the policy is part of the evidence that your management system is real rather than aspirational.
EU AI Act. Two parts of the Act bear directly on a use policy. First, the Article 4 AI-literacy duty: providers and deployers must ensure staff operating AI have sufficient AI literacy (EU AI Act Article 4), and a policy plus training is how most organisations meet it. Second, the transparency duties in Article 50: providers and deployers must tell people when they're interacting with an AI system and label certain AI-generated or manipulated content (EU AI Act Article 50). Sections 7 and 10 of the template map to those two duties. The Act also sorts systems into risk tiers, with heavy obligations on high-risk systems (EU AI Act high-level summary); your policy's compliance clause is where you commit to classifying systems and meeting the duties that attach.
For the full picture, see our EU AI Act compliance checklist by industry and test your position with the EU AI Act readiness tool.
A policy is a living control, not a filed document
The most common mistake isn't writing a weak policy. It's writing a solid one, circulating it once, and never mentioning it again. A policy that lives in a shared drive that nobody opens is worse than none, because it creates the illusion of control.
The version that earns its keep is trained on, referenced when someone asks "can I use this tool," updated when a new tool or a new rule appears, and reviewed on a schedule. New tool, update the approved list. New law, revisit the compliance clause. New incident, check whether the policy should have caught it. The policy is a habit, not a document.
Frequently asked questions
Does my company need an AI policy?
If anyone in your organisation uses AI tools, yes. Your staff are almost certainly already using ChatGPT or similar, with or without your permission. A policy sets the rules on data, approved tools, human oversight and accountability before something goes wrong. It's also how you meet the EU AI Act Article 4 AI-literacy duty, which has applied to providers and deployers since February 2025. Without a policy you're carrying the risk of shadow AI use with none of the control.
What should an AI use policy include?
At minimum: purpose and scope, definitions, an approved-tools list and approval process, permitted and prohibited uses, data-handling rules (what can and can't go into public tools), human oversight and named accountability, transparency and disclosure, security, compliance with GDPR and the EU AI Act, training and AI literacy, breach and incident handling, and a review cadence with sign-off. The template above covers all twelve.
Can employees use ChatGPT at work?
They can, under rules you set. The safe position is: allow it for non-confidential, non-personal work on approved accounts, and ban entering any personal data, customer data, confidential information or source code into public tools. For work that needs real company data, use an enterprise tier with reviewed data-handling terms instead. The risk isn't the tool, it's what people put into it. A policy draws that line clearly.
Is an AI policy legally required?
There's no single law that says "you must have an AI policy" in those words. But the obligations behind one are real. The EU AI Act's Article 4 requires providers and deployers to ensure staff have sufficient AI literacy, Article 50 sets transparency duties, and a policy plus training is the practical way to meet both. GDPR obligations apply whenever AI touches personal data. So while the document itself isn't mandated by name, a written policy is the standard way organisations discharge duties that are.
The bottom line
Most companies don't have an AI policy. They have staff quietly using public tools and a hope that nothing leaks. That gap is where the confidential data goes out, the biased decision goes unchecked, and the AI-literacy duty goes unmet.
Start with the template above. Fill in the brackets for your organisation, get it signed off by someone senior, train your people on it, and put a review date in the calendar. That single habit puts you ahead of most of the market and gives you something concrete to show a regulator, a customer's security team or your own board.
The harder part is judgement: which tools to approve, where to draw the data line for your sector, and how to classify your systems under the EU AI Act. Get that wrong and a tidy policy still leaves you exposed. That's the work we do. For the wider view, read our free AI risk register template, our free AI DPIA template and our AI compliance audit guide.