Once your team is using Claude or ChatGPT routinely, you need a written policy. Not because regulators are coming — but because employees need clarity on what they can and can't paste into AI tools, and clients are starting to ask. Here's a practical template you can adapt in 30 minutes.
A useful AI policy covers three things:
1. Permitted uses. What AI tools are approved, and what work is OK to do in them.
2. Prohibited uses. What's never OK to paste into an AI tool.
3. Verification standards. What level of human review is required before AI-assisted work goes to a customer.
You don't need pages of legalese. You need 1–2 pages of clear, actionable rules.
# AI Usage Policy — [COMPANY]

Last updated: [DATE]

## Approved AI tools

- Claude (Pro / Team / Enterprise) — primary
- Perplexity Pro — for research
- [Other tools your team uses]

## Permitted uses

You MAY use approved AI tools for:

- Drafting external content (proposals, emails, marketing copy)
- Research and synthesis from public sources
- Internal documentation and process work
- Code review and drafting (with review)
- Meeting summaries from your own internal meetings

## Prohibited uses

You MAY NOT paste into AI tools:

- Client-confidential information unless we have written consent
- Personally identifiable information (PII) of clients or employees
- Financial data marked as confidential
- Anything covered under an NDA without explicit AI-use carveout
- Authentication credentials or API keys

## Verification standard

Any AI-assisted work that goes to a client MUST:

- Be reviewed for factual accuracy by a human before sending
- Be checked for any hallucinated facts, numbers, or names
- Match our brand voice and quality standards
- Be attributable to a specific employee responsible for accuracy

## When in doubt

Default to: don't paste it. Ask [DESIGNATED PERSON] if uncertain.

## Updates

This policy is reviewed quarterly. Send suggestions to [EMAIL].
Use this as a starting template. Adapt the tool list, the verification standard, and the "when in doubt" routing to your business.
Different industries need different additions:
Legal: Add explicit reference to client confidentiality, ABA Model Rule 1.6, and a rule that no client matter information enters an AI tool without partner approval.
Healthcare: Add HIPAA-specific language and specify which Claude tier (Enterprise) is permitted for any PHI-adjacent work.
Finance: Add SEC/FINRA-specific clauses for any client-portfolio-related work.
Agencies/Consultants: Add a "client consent" clause — some clients require notification or approval before their work is processed in AI tools.
A policy published in a wiki and never discussed gets ignored within a month. A 30-minute team walkthrough with examples makes it stick.
Cover:
- 3 specific examples of work that's clearly OK to put in Claude.
- 3 specific examples of work that's clearly NOT OK.
- 3 ambiguous examples and how to think about them.
- The decision tree for "when in doubt."
Set a recurring calendar event. Each quarter: audit the policy against new tools your team has started using, new client agreements that changed AI obligations, and any incidents (real or near-miss) that surfaced policy gaps.
Most policies degrade by becoming outdated rather than being violated. Schedule the review.
1. Writing a policy that bans AI entirely. In 2026 this is functionally unenforceable and signals you don't understand the workflow. Write a policy that channels AI use rather than prohibiting it.
2. Copying an enterprise policy template wholesale. Enterprise policies have governance overhead small businesses can't maintain. Write what you'll actually enforce.
3. No verification standard. This is the single most important clause. Without it, AI-generated mistakes go to clients with nobody accountable. Always require human verification.
4. Forgetting client consent. If you work in any industry with confidentiality obligations, your client agreements may need explicit AI-use language. Check with your attorney before assuming.
Yes — for two reasons. First, your team needs clarity on what they can and can't do. Second, your clients are increasingly asking. A 1-page policy you can send proves you're thoughtful.
Varies by industry. For most B2B services, the bigger risk is reputational (clients losing confidence) rather than regulatory. For regulated industries (healthcare, finance, legal), the regulatory risk is real and you need attorney input.
Depends on the client and the industry. Best practice: build the disclosure decision into the policy itself rather than making it case-by-case. For most B2B service work, disclosure isn't required if you're meeting the verification standard.
Probably insufficient. Existing confidentiality language was written before AI tools were common. The specific risk patterns (paste sensitive data into external AI; AI generates content that gets sent to clients) need their own clauses.