ModelCharter
ModelCharter Team

What Is an AI Policy? A Plain-English Guide

Team reviewing an AI policy document together in an office meeting

Photo: Dylan Gillis / Pexels

Key takeaways

  • An AI policy is a short document that says which AI tools staff can use, what data they can put into them, and who's accountable.
  • It's different from an IT policy: it deals specifically with data leaving your business into a third-party model.
  • A working policy fits on one or two pages. Length isn't a sign of thoroughness here.
  • The weakest AI policies are the ones written once and never updated as new tools appear.
  • Most teams can go from nothing to a signed-off policy in an afternoon using a generator plus a short review.

An AI policy is the document that answers a simple question before anyone has to guess: what can our team actually do with AI tools, and what's off-limits? Without one, that question gets answered ad hoc, differently, by every person who opens ChatGPT for the first time. Some will be careful. Some won't think twice about pasting in a client's financial details. A policy isn't there to slow anyone down. It's there so the careful answer is the default one, not a matter of luck.

What an AI policy actually contains

Strip away the jargon and a working AI policy covers five things: scope (which tools and which staff it applies to), data rules (what can and can't be typed into an AI tool), an approved-tools list (with the free-vs-business-tier distinction spelled out, since that's where most of the real risk sits), a review process for adding new tools, and an owner (a named person, not a department). Some organisations add a transparency clause too, covering when customers need to be told AI was involved. That's the whole document. Anything beyond this is detail, not structure.

How is this different from an IT policy?

A general IT policy covers devices, passwords and approved software as a category. An AI policy is narrower and sharper on purpose: it deals with a risk an ordinary software policy was never built for, which is that the data you paste into a tool might train the model itself, not just sit in a database somewhere. A licence agreement for your accounting software doesn't need a clause about the software learning from your invoices. A free-tier AI tool genuinely might, which is exactly why a bolted-on paragraph in the general IT policy rarely covers it properly.

Does length matter?

Not in the way people assume. A twenty-page AI policy full of legal boilerplate is usually a worse document than a clear one-pager, because nobody reads the twenty pages and everybody can scan the one page in under a minute. The goal of an AI policy is that a new starter reads it in their first week and actually remembers the two or three rules that matter: what's approved, what data is off-limits, and who to ask when something new comes up. If your policy can't be summarised in three sentences by someone who just read it, it's too long.

Who should sign off on it?

In most small and mid-sized teams, whoever already owns IT, security, or HR policy is the right person, not because AI needs deep technical expertise, but because someone needs to be accountable for keeping it current. In regulated sectors, legal or compliance should sight it before it goes out, mainly to check the data rules line up with existing obligations like a HIPAA BAA or a client confidentiality clause. What matters far more than seniority is that one named person owns the document, so it doesn't quietly go stale the way unowned policies always do.

A short real-world example

A twelve-person design studio we've seen had never written anything down. Three designers used a free AI image generator for client mood boards, and nobody had checked whether the outputs could be used commercially or whether client briefs going into the prompt box were a problem. The fix wasn't complicated: a one-page policy naming the two approved tools, a line saying client-identifying details never go into a prompt, and a note that new tools get a five-minute check before anyone adopts them. It took under an hour to write and cost nothing, and it closed a real gap that had existed for months without anyone noticing.

Keeping it alive after launch

The most common failure mode isn't writing a bad policy, it's writing a good one and never touching it again. New AI tools appear constantly, and a policy that only lists the tools available when it was written will be visibly out of date within a few months. Set a calendar reminder to revisit it every six to twelve months, and treat any new tool adoption as a trigger to update the register immediately rather than waiting for the next scheduled review. A policy that's a living document beats a perfect one that nobody maintains.

Does an AI policy replace a confidentiality clause or NDA?

No, and this is a common point of confusion. An NDA or confidentiality clause in an employment contract deals with a person's general obligation not to disclose sensitive information; an AI policy deals with a specific, newer channel that obligation didn't originally anticipate, namely typing that information into a third-party model. The two work together rather than one replacing the other. An employee bound by a strong NDA can still create a real problem by pasting confidential material into a free AI tool, because the NDA was never written with that specific mechanism in mind, and most staff won't automatically connect the two unless the AI policy spells it out.

Common pitfalls worth avoiding

The three mistakes we see most often are worth naming directly. First, writing the policy once and never assigning an owner, which guarantees it goes stale within a year. Second, being too vague about data rules, 'use good judgement' isn't a rule anyone can be held to, and it leaves the door open to honest disagreement about what counts as sensitive. Third, treating the policy launch as complete once it's been emailed out, rather than as the start of an ongoing habit of checking new tools before they become embedded. Each of these is cheap to avoid and expensive to fix retroactively once bad habits have already formed.

What an AI policy looks like at different company sizes

The shape of an AI policy scales gently with team size, but the core structure barely changes. At five to ten people, it's genuinely one page, often written by the founder in an afternoon, covering two or three approved tools and a short data rule, with the founder themselves as the named owner by default. At fifty to a hundred people, the document grows slightly, usually to distinguish between departments with different risk profiles, finance and legal handling more sensitive data than marketing, for instance, and ownership typically moves to whoever runs IT or people operations. Beyond a few hundred staff, a policy often gains a formal review committee and sector-specific annexes, but even then, the core one-page summary staff actually need to remember stays roughly the same length. Size changes who signs off and how detailed the appendix gets, not how simple the day-to-day rules need to remain for the document to actually work.

Getting started without overthinking it

You don't need a lawyer or a consultant to produce a first draft. Our free AI usage policy generator builds a tailored policy in a few minutes based on your team size and sector, which you can then adjust rather than starting from a blank page. Pair it with a look at our AI tool risk directory so the approved-tools list reflects what's actually safe for your data, and circulate it for everyone to acknowledge. That's most of what an AI policy needs to be, done properly, in an afternoon rather than a quarter.

SectionWhat it coversTypical length
ScopeWhich tools and staff the policy applies to1-2 sentences
Data rulesWhat can and can't be typed into an AI tool3-5 bullet points
Approved toolsNamed tools, with tier (free vs business) specifiedA short table or list
Review processHow a new tool gets added2-3 sentences
OwnerNamed person accountable for keeping it current1 line
What belongs in a working AI policy
Organizations that develop and deploy AI risk management practices are more likely to enable more trustworthy AI systems.
NIST AI RMF 1.0

Frequently asked questions

How long should an AI policy be?
One or two pages for most small and mid-sized teams. Length isn't a proxy for thoroughness, and a policy nobody reads in full protects nobody.
Is an AI policy a legal requirement?
Not universally, but the EU AI Act's Article 4 AI-literacy duty has applied since February 2025 and reaches businesses well beyond the EU. Enterprise customers and SOC 2 auditors increasingly ask to see one regardless of legal minimums.
Who owns the AI policy day to day?
Usually whoever already owns IT or HR policy. What matters is that one named person is responsible for updates, not that the role is senior or full-time.
Do we need a different policy for every AI tool?
No. One policy with an approved-tools register underneath it covers most teams. A single generative AI policy addendum is worth adding only if image or code generators carry copyright questions a general policy doesn't cover.
How is an AI policy different from an AI usage policy?
In practice the terms are used interchangeably. Some teams use 'AI policy' for the broader document and 'usage policy' for the staff-facing summary of what's allowed day to day.

Put this into practice

Generate a free AI usage policy for your team, then see which of your tools are safe to use.

Open the generator