ModelCharter
ModelCharter Team

How to Write an AI Usage Policy Staff Actually Follow

Person writing and signing an AI usage policy document

Photo: Romain Dancre / Pexels

Key takeaways

  • The failure mode for most AI usage policies isn't bad content, it's zero recall after the launch week.
  • Three rules, remembered, beat twelve rules, forgotten.
  • Policies that name specific tools and specific data types get followed more than abstract ones.
  • A five-minute walkthrough at rollout does more than a long email nobody reads.
  • Building in a fast path to ask about new tools keeps the policy relevant instead of static.

Most AI usage policies aren't badly written. They're well written, circulated once, and then quietly forgotten by the third week, which produces exactly the same practical risk as never having written one at all. The gap between 'we have an AI usage policy' and 'our team actually follows our AI usage policy' is where most of the real risk still sits, and closing it has almost nothing to do with the quality of the prose and everything to do with a handful of practical choices made at rollout.

Why policies get forgotten

A policy circulated as a PDF attachment in a company-wide email competes with everything else in someone's inbox that day, and it loses. People skim it once, if that, and then default back to whatever felt fastest when a real task came up weeks later. This isn't a discipline problem on the staff side. It's a design problem on the policy's side: a document optimised to be comprehensive rather than memorable will always lose to the path of least resistance in the moment someone actually needs to decide something.

Three rules beat twelve

The policies that get followed tend to be the ones with a small number of rules staff can actually recall without looking anything up: what's approved, what data never goes in, who to ask about something new. A comprehensive twelve-section document with subsections might be more thorough on paper, but thoroughness that nobody remembers isn't protecting you from anything. If you can't summarise your policy's core rules in three sentences, it's a sign the document needs trimming, not that the risk needs more coverage.

Be specific, not abstract

'Use AI responsibly' is a sentence nobody can act on, because it doesn't tell anyone what to actually do differently. 'Use [named tool] on the business tier; never paste a client's name, account number or financial details into any AI tool' is a rule someone can follow without interpretation. Specificity is what turns a policy from a values statement into an operational guide, and it's the single biggest difference between policies that get followed and ones that get nodded at and ignored.

How the policy gets introduced matters as much as its content

A five-to-ten-minute walkthrough in an existing team meeting, where someone actually talks through the two or three rules that matter and takes questions, produces dramatically better recall than the same content sent as a standalone email. This isn't about the policy being more complete; it's about giving people a moment to actually process it rather than skim it once and move on. For a small team, this costs almost nothing and is worth doing every time the policy meaningfully changes, not just at initial launch.

Keep the approval path faster than the workaround

A policy that staff experience as a slow, bureaucratic approval process for new tools will get routed around, quietly, by people who need to get work done today. The fix isn't stricter enforcement; it's making the approved path genuinely faster than finding a workaround. If asking about a new AI tool takes a five-minute conversation with a named person rather than a formal ticket that sits unanswered for two weeks, people are far more likely to ask first, which is the entire point of having a policy in the first place.

A short example of what changed

A twenty-person agency had a perfectly reasonable written AI policy that nobody could recall three months after rollout, confirmed when a spot survey found half the team couldn't name a single approved tool. They cut the policy from three pages to one, named exactly two approved tools with tier specified, ran a ten-minute walkthrough in an all-hands rather than an email, and set up a Slack channel where anyone could ask about a new tool and get an answer same-day. A follow-up check three months later found recall had gone from roughly half the team to nearly everyone. Nothing about the underlying rules changed; how the policy was written and introduced did.

Building this for your team

Start with our AI usage policy generator, which produces a short, specific draft by default rather than a lengthy one, then trim it further if it still reads as more than three or four core rules. Introduce it in person or on a call rather than purely by email, and set up a genuinely fast way for staff to ask about new tools, even something as simple as a dedicated Slack channel with a named responder. The content matters less than most teams assume. How the policy reaches people, and how easy it is to follow day to day, is where the real difference sits.

How to test whether your policy is actually working

Don't assume compliance because nobody's complained. A quick, low-pressure spot check, asking three or four staff members at random to name the approved AI tools and the one rule they remember most clearly, tells you more in five minutes than any formal audit. If most people can answer without hesitation, the policy is doing its job. If they can't, that's useful information now, before an incident forces the same discovery under worse circumstances.

What to do when a rule genuinely doesn't fit anymore

Policies that never change eventually stop matching reality, and staff notice when a written rule contradicts what everyone actually does day to day, which quietly undermines trust in the rest of the document too. If a rule stops making sense, a tool gets discontinued, a new one clearly deserves approval, update the policy promptly and say so explicitly, rather than letting the gap between the written document and actual practice widen. A policy that visibly keeps pace with real AI use earns far more genuine compliance than one that's technically comprehensive but quietly out of date.

The role of managers in keeping the policy alive

A policy launched centrally and never reinforced by day-to-day managers tends to fade fastest, since most staff take their cues from what their direct manager actually references, not from a document HR circulated months ago. The teams with the best recall tend to have managers who occasionally mention the policy in context, reminding a team to check the approved-tools list before trying something new, rather than leaving all reinforcement to a single annual training session. This costs nothing beyond a manager remembering the policy exists themselves, which is worth checking, since a policy a manager has forgotten can't realistically be reinforced by them at all.

What new starters need that existing staff don't

A policy rollout to an existing team and a policy handover to a new starter are different problems that deserve different handling. Existing staff have context, they know why the policy exists and what prompted it. A new starter has neither, and dropping a standalone AI policy into a first-week induction pack without any context tends to produce the same forgettable-document problem all over again. Pair the policy with a thirty-second verbal explanation of why it exists during onboarding, not just the document itself, and recall among new joiners tends to match, rather than lag behind, the rest of the team.

A final test worth applying to your own policy

Before calling any AI usage policy finished, hand it to someone outside the process, a friend, a colleague from another team, and ask them to summarise the three most important rules after one read. If they can, in their own words, without prompting, the policy is doing its job. If they struggle, or reach for jargon rather than a plain-English rule, that's a clear, cheap signal to simplify further before it ever reaches the wider team, rather than discovering the same gap later through a spot survey that costs more time to run.

ChoiceEffect on recall/compliance
Three core rules vs twelve sectionsHigher recall; people can act without re-reading
Named tools and specific data types vs abstract languageRemoves ambiguity, so there's no judgement call to get wrong
Live walkthrough vs email-only rolloutMeaningfully higher recall weeks later
Fast approval path for new toolsReduces incentive to work around the policy quietly
What makes an AI usage policy get followed
Human-AI configuration refers to how humans and AI systems will interact, communicate, and collaborate to achieve a given task.
NIST AI RMF 1.0

Frequently asked questions

Why do employees stop following AI usage policies?
Usually because the policy was long, abstract, or introduced once by email and never reinforced, not because staff are being deliberately careless.
How many rules should an AI usage policy have?
As few as it takes to cover approved tools, prohibited data, and who to ask about something new. Three well-remembered rules outperform twelve forgotten ones.
Should an AI usage policy name specific tools?
Yes. Naming the tool and its tier removes ambiguity that abstract language like 'use AI responsibly' leaves open to interpretation.
How often should an AI usage policy be reintroduced to staff?
Any time it materially changes, plus a brief annual refresher, ideally live rather than by email, to keep recall from decaying.

Put this into practice

Generate a free AI usage policy for your team, then see which of your tools are safe to use.

Open the generator