AI usage policy template
A one-page policy you can adapt for your organisation. It covers approved-tool list discipline, data classification rules, training requirements, and incident reporting. Placeholders use the {{TOKEN}} syntax — search-and-replace each one before circulating internally.
Template
The text below is the template. Copy it into your own document, replace each {{TOKEN}}, and adjust the language to fit your company’s voice.
{{ORG_NAME}} — AI Usage Policy
Effective date: {{EFFECTIVE_DATE}}
Owner: {{POLICY_OWNER_NAME}}, {{POLICY_OWNER_TITLE}}
Review cadence: {{REVIEW_CADENCE}} (e.g., annually)
Purpose
This policy describes how staff at {{ORG_NAME}} may and may not use AI tools and AI-enabled features. It exists to (1) protect the company’s confidential and personal data, (2) comply with the EU AI Act and other applicable regulations, and (3) make AI adoption auditable.
Scope
This policy applies to all employees, contractors, and other personnel who use AI tools in the course of their work at {{ORG_NAME}}. It covers:
- Generative AI tools (ChatGPT, Claude, Gemini, Copilot, Perplexity, etc.).
- AI features embedded in other software (e.g., Notion AI, Linear AI, Slack AI).
- AI APIs called from internal code or third-party integrations.
Approved tool list
Only AI tools that appear in the approved list inside {{REGISTER_LOCATION}} (e.g., “AIRegistra → Tool Register, status = Approved”) may be used for {{ORG_NAME}} work. The list is maintained by {{REGISTER_OWNER}} and updated as new tools are vetted.
If you need a tool that is not on the approved list, submit a request through {{REQUEST_PATH}} (e.g., “AIRegistra → Requests”). Do not use unapproved tools for company work.
Data classification rules
When using an approved AI tool, respect the following data classification rules:
- Public data — fine to use with any approved tool.
- Internal data — fine to use with approved tools that have a signed DPA on file.
- Confidential data — only with approved tools marked as “confidential-cleared” in the register.
- Restricted data (PII, health data, payment data, regulated personal data) — never input into any AI tool unless the tool is explicitly approved for that data class and the use is documented.
If you are unsure of a data class, default to the higher restriction.
Training requirement
All staff who use AI tools for company work must complete AI literacy training as required by Article 4 of the EU AI Act. Training is recorded in {{TRAINING_LOCATION}} (e.g., “AIRegistra → Training”). Initial training: within {{INITIAL_TRAINING_WINDOW}} of starting AI use. Refresher: every {{REFRESHER_CADENCE}}.
Incident reporting
If you suspect an AI tool has been misused, has handled data inappropriately, or has produced output that may cause harm, report it to {{INCIDENT_CONTACT}} immediately. Reports are tracked in {{INCIDENT_LOCATION}} and investigated by {{INCIDENT_OWNER}}.
Consequences
Violations of this policy may result in disciplinary action up to and including termination. Specific consequences depend on the severity of the violation and the data involved.
Review and updates
This policy is reviewed every {{REVIEW_CADENCE}} by {{POLICY_OWNER_NAME}}. Material updates are communicated to all staff and recorded in the company’s policy register.
Acknowledgement
Each employee should acknowledge receipt of this policy on hire and again after each material update. Acknowledgements are stored in {{ACKNOWLEDGEMENT_LOCATION}}.
This template is provided by AIRegistra (Mindysm OÜ, Tallinn, Estonia) as a starting point. It is general guidance, not legal advice — review with your own counsel before adoption.