How to Write an AI Policy for Your Company (Step-by-Step)

Most companies discover they need an AI policy the same way: someone notices an employee pasting customer data into ChatGPT, or a client asks 'what's your AI policy?' during a contract review, and there's no answer. The good news is that a workable AI policy is short — the best ones fit on a few pages — and you can produce one in a day if you make the key decisions first.

Step 1: Decide your stance before writing anything

Every AI policy implicitly takes one of three positions: permissive (encourage AI use with guardrails), balanced (approved tools with clear rules), or restrictive (approval required, narrow permissions). Pick deliberately. A law firm handling privileged information and a marketing agency producing volume content should not have the same stance — and a policy stricter than your culture will actually support gets ignored, which is worse than no policy because it creates the illusion of control.

Step 2: Inventory what's actually happening

Before writing rules, find out what AI tools your team already uses. Surveys repeatedly show that a majority of employees using AI at work do so without telling anyone. Your policy should legitimize the safe uses you find — banning what people already depend on guarantees non-compliance.

Step 3: Draw the data lines — this is the heart of the policy

The single most important section of any AI policy is the data rule: which categories of information may enter which tools. A prompt sent to an external AI service is a disclosure to a third party. Your policy should name the categories that are always prohibited (credentials, payment card data), the categories that need an approved tool (customer PII, confidential business information), and anything industry-specific (PHI under HIPAA, education records under FERPA, privileged client information).

Step 4: Make humans own the output

AI tools produce confident, plausible, frequently wrong output. The clause that prevents the expensive incidents is simple: the person who uses AI output is responsible for it, exactly as if they wrote it, and anything going to a customer, regulator, or the public gets reviewed by someone competent to evaluate it. 'The AI wrote it' must never be an available excuse.

Step 5: Cover the remaining essentials briefly

  • Approved tools list and a lightweight process for approving new ones
  • Privacy-law obligations for your jurisdictions (GDPR and the EU AI Act if you touch Europe)
  • Customer-facing AI rules: disclosure, scope of what a chatbot may promise, escalation to humans
  • Incident reporting — with self-reporting treated as a mitigating factor, so mistakes surface
  • Enforcement and an annual review date

The mistakes that make AI policies useless

  • Banning everything: drives use underground where you can't manage it
  • Vague rules ('use AI responsibly'): nobody can follow a rule they can't apply to a concrete situation
  • No tool list: employees can't guess which tools were vetted
  • Forgetting contractors and volunteers: they cause incidents too
  • Writing it and never collecting acknowledgments: unprovable training is nearly as bad as none

The fast path

If you'd rather not start from a blank page, our generator assembles a complete policy from your answers — industry compliance clauses included — in about three minutes, with a free preview before you pay anything.

Generate your AI policy in 3 minutes

Customized to your industry, jurisdictions, and tools. Free preview, $49 one-time to download, 14-day guarantee.