AI Policy for Employees: Rules That People Actually Follow

Photo: Walls.io / Pexels
Most AI policies are written by legal or compliance teams for legal or compliance purposes. They are long, formal, and full of conditions. Staff do not read them. An AI policy for employees should be different: a practical, plain-English document that helps people make better decisions every day, not a document they sign and promptly forget. Here is how to write one that actually works.
Start with the three daily decisions
Most employees face the same three questions when they use AI at work: Can I use this tool? Can I put this data into it? Do I need to tell someone I used AI for this? Your policy should answer all three clearly and without jargon. Approved tools should be named or linked directly (not 'check with IT'). Data rules should be concrete: 'do not paste client names or email addresses into any AI tool' is clearer than 'do not process personal data'. Disclosure rules should be specific to context rather than left open to interpretation.
Length: one to two pages
There is an inverse relationship between policy length and compliance. A one-page AI policy with clear rules that staff can scan in under three minutes will be followed more reliably than a ten-page policy covering every edge case. Save the edge cases for an FAQ document or a conversation with the policy owner. Your goal is a document whose key points people can remember after reading it once, because remembered policies get applied; forgotten ones do not.
Plain English over legalese
Write in the second person ('you must', 'you can'). Use short sentences. Avoid defined terms unless essential. If your legal team wants to add definitions and liability clauses, ask them to put those in an appendix and keep the main body readable for someone who is not a lawyer. Compare: 'Employees shall ensure that all processing activities involving AI systems are conducted in accordance with applicable data protection legislation' versus 'Do not paste customer data into an AI tool unless it is on the approved list.' The second version is the one people follow.
Make acknowledgement easy and automatic
Send the policy to every employee with a one-click acceptance mechanism. Set a reminder for anyone who has not acknowledged it within two weeks. When the policy is updated materially, re-send for re-attestation. This does not need to be a complex workflow system: ModelCharter handles policy generation, distribution, and attestation in one place. It takes a morning to set up and runs automatically after that, including sending re-attestation when policies change.