Generative AI Policy: A Starter Guide for Teams
A generative AI policy is a specific form of AI usage policy that addresses how employees may use tools that create or transform content: writing assistants, image generators, code completers and audio/video tools. It is distinct from a traditional software policy because the risk profile is different: what you enter may be used to train the vendor's models, what the tool produces may be wrong, and attribution of the output is unclear.
Scope: which tools need to be covered
Obvious candidates: ChatGPT, Claude, Gemini, Copilot, Midjourney, DALL-E, GitHub Copilot, Grammarly Go. Less obvious: AI features inside Canva, Notion, Slack, Zoom and your CRM. Your policy should either name approved tools or set a principle (e.g., 'tools that use your data for model training are not approved for work use without explicit sign-off').
The three rules most policies need
1. Data: do not enter confidential, personal or client data into a non-approved generative AI tool.
2. Accuracy: treat AI output as a draft; a human with domain knowledge must review it before it is finalised or sent.
3. Transparency: disclose AI involvement where required by law, contract or context (e.g., legal filings, regulatory submissions, client reports).
How strict should you be?
That depends on your sector and data sensitivity. A marketing agency can be permissive with public-facing creative. A law firm handling client documents needs a stricter rule. Most teams land on 'conditional approval': generative AI is encouraged for productivity, but specific guardrails apply to specific data types and output uses.
Get a policy in minutes
Greenlightly's free policy generator asks about your sector, data types and regulatory context, and outputs a generative AI policy you can edit and send for team attestation. Start here.