MaxICo Labs — applied AI studio

How to write an AI usage policy people will follow

June 26, 2026 · MaxICo Labs

Most company AI policies fail for one reason: they were written by lawyers for a report, not for the people who decide daily whether they can paste this email into ChatGPT. A 30-page document in legalese goes unread — and employees keep using AI at random. A working policy is different: short, concrete, with example wording and clear "do/don't." Below is a copy-paste template, section by section, that you can adapt to your company in an hour. Take it, swap the names for yours, and you'll have a policy people will actually follow.

Why most AI policies fail

Three typical failures:

  • Too long. 30 pages = nobody reads it = the policy effectively doesn't exist.
  • Too abstract. "Use AI responsibly" isn't a rule, because it's unclear what to do with a specific email.
  • Bans only, no permissions. If the policy only says "don't," people either avoid AI entirely (lost productivity) or use it secretly (lost control).

A working policy answers one practical employee question: "I have this task and this data — what can I do right now, what can't I, and how do I do it right?" If a person finds the answer in 30 seconds, the policy works.

The structure of a working AI policy

A working document has 7 sections and fits on 2–3 pages. Here they are with ready-to-copy wording.

1. Purpose and scope

Briefly: why this policy exists and who it covers.

Template: "This policy defines how employees of [Company] use AI tools (ChatGPT, Claude, Copilot and others) in their work. The goal is to boost productivity while protecting the data of the company, its clients and partners. It applies to all employees, contractors and interns."

2. Data and confidentiality (the core)

The most important section — the three-tier data classification.

Template: "Before using AI, determine the data tier:

  • 🟢 Green (free to use): public materials, draft copy, general questions, learning. Any approved tool is allowed.
  • 🟡 Amber (with care): internal documents without personal data — SOPs, plans, non-confidential spreadsheets. Only via corporate tools from the approved list.
  • 🔴 Red (forbidden): client personal data (names, contacts, payments), financial statements, source code, trade secrets, NDA material. Never paste into public AI."

Add a fallback rule: "If you're unsure which tier the data belongs to, treat it as red and ask the AI owner." Note: in the EU, red-tier handling is also a GDPR obligation, not just a policy choice.

3. Approved tools

A concrete list, not "use reputable services."

Template: "Approved tools (as of [date]):

  • [ChatGPT Team] — for copy, analysis, drafts (amber/green tier)
  • [Microsoft Copilot] — within Microsoft 365 (amber tier allowed)
  • [Claude Team] — for working with long documents

Using other AI tools requires approval from [owner/IT]. Free personal accounts — green tier only."

4. Disclosure of AI use

When and how to flag that material was created with AI.

Template: "Disclose AI use when:

  • the material goes to a client as expert work (a report, analytics) — add a note about human review;
  • it's public content and the client's or platform's policy requires a label;
  • a colleague or manager directly asks how the work was done.

Disclosure isn't needed for internal drafts, brainstorming and routine. The core rule: you're responsible for the output exactly as if you'd produced it entirely yourself."

5. Verification and accountability

AI makes mistakes — who's accountable for the output.

Template: "AI can output inaccurate facts, figures and links (hallucinations). Before use, you must verify:

  • all facts, figures, dates, quotes and links;
  • legal and financial wording — with the relevant specialist;
  • alignment with the company's brand voice and tone.

Accountability for the final material rests with the employee who released it, not the AI tool."

6. Security

Technical rules that lower leak risk.

Template: "Security rules:

  • use work accounts with two-factor authentication enabled;
  • don't disable the 'don't use data for training' option in tools where it exists;
  • never store logins/passwords/keys in AI chat history;
  • don't connect third-party AI extensions to work systems without approval."

7. What to do in an incident

If red data does end up in an AI — the action plan.

Template: "If you accidentally paste confidential data into an AI:

  1. don't panic and don't hide it;
  2. immediately notify [AI owner / manager];
  3. where possible, delete the data from the chat history;
  4. we'll assess the risk together and take action.

There's no punishment for honestly reporting an incident — hiding it, by contrast, creates risk for everyone."

Comparison: a policy that works vs one that doesn't

Parameter    Doesn't work          Works
Length       30+ pages             2–3 pages
Language     legalese              plain, with examples
Data         "be careful"          green/amber/red with examples
Tools        "reputable services"  a concrete list with a date
Tone         bans only             permissions + bans
Incidents    punishment            amnesty + a plan
Updates      once and forever      reviewed quarterly

Example wording for different situations

The hardest part for employees isn't the rules in general — it's applying them to a specific case. Add a block of "do/don't" examples to the policy:

  • OK: "Rewrite this draft Instagram post in a friendlier tone" (green tier — public content).
  • OK: "Turn these meeting notes into a structured summary" (amber — internal doc without personal data, via a corporate tool).
  • Not OK: "Here's our client list with phone numbers, draft a campaign" (red — personal data in public AI; a GDPR issue in the EU).
  • Not OK: "Analyze our quarterly financial statement" in a free account (red — financial data).
  • ⚠️ Instead: anonymize the data ("client A," "amount X") or use an approved corporate tool with a no-training guarantee.

These examples work better than any abstract rule, because the employee immediately sees the analogy to their own task.

Who's responsible for what

A policy works when it has owners. Distribute the roles:

Role              Responsibility
Leader / owner    Approves the policy, allocates training budget
AI owner          Maintains the approved-tool list, answers questions, handles incidents
IT / security     Sets up corporate accounts, access control, 2FA
Department heads  Monitor compliance in teams, collect new-tool requests
Every employee    Classifies data before use, verifies facts, reports incidents

Without a named AI owner, the policy stays a piece of text with no one to turn to. It must be a specific person with a name, not "contact IT."

How to roll out a policy so people read it

The document is only half the job. To get the policy followed:

  1. Present it in a 20-minute meeting, don't email it silently. Explain the "why," not just the "what."
  2. Show examples — a concrete case: "this email is red, here's the safe way."
  3. Make it one click away — a pinned document, not a file buried on a drive.
  4. Assign an owner to go to with questions about new tools.
  5. Review quarterly — tools and terms change fast.
  6. Pair it with training — the policy says "what," training gives the "how."

How to adapt the template to your industry

The base template is universal, but a few accents are worth strengthening depending on your field:

  • Agencies and marketing. Add a section on AI disclosure in client materials and on the client's brand voice — so AI copy doesn't drift from the brand's tone of voice.
  • E-commerce. Reinforce rules on client data and payment information (red tier), since this is where personal data is most concentrated.
  • Legal and financial services. The strictest red tier: no client documents in public AI, mandatory specialist review of any wording.
  • IT and engineering. A dedicated rule on code: what's allowed, what isn't, which repositories are off-limits for pasting into AI.
  • Healthcare. The most stringent personal-data regime, with separate legal review of sensitive categories (and HIPAA/GDPR considerations).

Don't rewrite the whole document for your industry — just strengthen 1–2 sections and add industry-specific "do/don't" examples.

Common wording mistakes

Even with the right structure, a policy is easy to ruin with language. What to avoid:

  • Vague verbs. "Be careful," "use wisely" aren't rules. Write concretely: "don't paste," "verify," "get approval from."
  • No examples. Pair every abstract rule with an example: "this way is OK, that way isn't."
  • Bans only. If the document is all "don'ts," people ignore it as "they're banning us again." A balance of permissions and bans is critical.
  • A stale tool list with no date. Always put an update date next to the approved-tool list.
  • Threatening punishment for incidents. That guarantees concealment. Amnesty is the only approach that works.

Policy readiness checklist

  • Fits on 2–3 pages
  • Has green/amber/red data classification with examples
  • Has a concrete approved-tool list with a date
  • Describes when to disclose AI use
  • Spells out fact-checking and accountability
  • Has security rules
  • Has an incident plan with amnesty
  • Has an assigned owner
  • Schedules a quarterly review

If every box is ticked, you've got a policy people will actually follow — because it helps them work rather than scaring them.

How MaxICo Labs handles this

We write AI policies for your actual business — not an internet template, but a working document that accounts for your data, roles and tools. Plus we train the team so the policy is not only read but applied.

  • Company-specific AI policy — a short working document built on your processes.
  • Data classification green/amber/red for your specifics.
  • Approved-tool selection with data security in mind.
  • Team training on the rules and safe AI use.
  • Review and updates as the market changes.

Ready for a policy people will follow?

Message Valeriy in the chat on maxicolabs.com — he'll suggest where to start in your specific company, or book a free call and we'll build your AI policy around your processes. No legal filler — just a working document that helps the team.

FAQ

How long should a working AI policy be?

2–3 pages, no more. A 30-page legalese document goes unread, so the policy effectively doesn't exist. A working policy is concrete, with example wording and clear 'do/don't,' so an employee finds the answer in 30 seconds.

Which sections must an AI policy include?

Seven: purpose and scope, data and confidentiality (green/amber/red classification), approved tools, AI-use disclosure, verification and accountability, security, and an incident action plan. The core is the data classification.

How do I classify data in the policy?

Into three tiers: green (public materials, drafts — free), amber (internal docs without personal data — corporate tools only), red (client data, finance, code, NDA — never in public AI). When in doubt, treat data as red. In the EU, red-tier handling is also a GDPR obligation.

Do we need to disclose AI use?

Disclose when material goes to a client as expert work, when a platform's policy requires it, or when directly asked. Internal drafts and routine don't need disclosure. The core rule: you're accountable for the output as if you'd produced it entirely yourself.

How do I get the policy actually followed?

Present it in 20 minutes explaining the 'why,' show examples, make it one click away, assign an owner, review quarterly, and pair it with training. The policy says 'what,' training gives the 'how.'

Author

MaxICo Labs — your AI partner

Applied-AI studio led by Максим Шаповал. We build AI agents, chatbots, voice agents, CRM and automation in production — and write here about what actually works. Grew out of MaxICo Agency.