AI Acceptable Use Policy: The 13 Sections Yours Needs
An AI acceptable use policy (AI AUP) is the document that tells your team what they may and may not do with AI tools at work. It's becoming a standard request in vendor security reviews, insurance applications, and enterprise sales processes — and it's the first thing an auditor or opposing counsel asks for after an AI-related incident. Here's the complete anatomy of a strong one.
The 13 sections of a complete AI acceptable use policy
- 1. Purpose and scope — who is covered (include contractors and volunteers) and what counts as an AI tool (include AI features embedded in other software)
- 2. Definitions — 'AI tool', 'confidential information', 'approved tool', 'AI output'
- 3. Approved tools — the named list, plus the approval path for new tools
- 4. Acceptable uses — the encouraged ones: drafting, brainstorming, summarizing public information
- 5. Prohibited uses and data rules — the categories of data that never enter prompts, and the uses that are off-limits
- 6. Privacy and AI regulation compliance — GDPR, CCPA, PIPEDA for personal data; the EU AI Act (an AI-specific regulation, not a privacy law) depending on where you operate
- 7. Industry requirements — HIPAA, FERPA, GLBA, FINRA supervision, attorney-client privilege, fair housing
- 8. Human review and accountability — output ownership, verification before reliance
- 9. AI in software development — account hygiene for coding assistants, mandatory review of generated code, license contamination from generated code (if applicable)
- 10. Customer-facing AI — disclosure, scoping what a chatbot may promise, human escalation (if applicable)
- 11. Training and awareness — how the policy reaches people
- 12. Incident reporting — what must be reported, and protection for good-faith self-reporting
- 13. Enforcement and review — consequences, annual review, named approver
How industry rules change the document
The skeleton above is universal; the contents are not. A healthcare practice's policy must prohibit PHI in any tool without a Business Associate Agreement. A broker-dealer's policy must route AI-drafted client communications through FINRA-compliant supervision. A school's policy must handle FERPA's school-official requirements. A government contractor's policy must categorically exclude CUI and export-controlled data from commercial tools. Generic templates miss exactly these clauses — and they're the ones regulators and auditors look for.
Keep it enforceable
A policy is enforceable when a reasonable employee can apply it to a concrete situation without guessing. Test every rule against a scenario: 'Can I paste this customer email thread into ChatGPT to draft a reply?' If your draft doesn't answer that cleanly, tighten it. And collect signed acknowledgments — a policy nobody can prove was received protects nobody.
Our generator produces all thirteen sections customized to your industry, jurisdictions, and tools, with a free preview of the real document before any payment.
Generate your AI policy in 3 minutes
Customized to your industry, jurisdictions, and tools. Free preview, $49 one-time to download, 14-day guarantee.