1. Purpose & Scope

This policy governs the use of artificial intelligence (AI) tools by employees, contractors, and third parties acting on behalf of [Organization Name]. It applies to all AI tools, including but not limited to: ChatGPT, Claude, Google Gemini, Microsoft Copilot, GitHub Copilot, and any other AI-assisted service that processes text, code, images, or other data.

The purpose of this policy is to enable productive use of AI tools while protecting sensitive data, meeting regulatory obligations, and managing the risks associated with external AI services.

2. Definitions

AI Tool: Any software, service, or application that uses machine learning or large language models to generate, summarize, translate, or analyze content.
External AI Tool: An AI tool operated by a third party where data submitted may be used for model training, stored on external servers, or accessible to the provider.
Sensitive Data: Any data classified as Confidential or Restricted under this organization's data classification policy, including but not limited to: PII, PHI, financial records, credentials, source code, client data, and proprietary business information.

3. Data Classification for AI Use

Data Type	May Be Sent to External AI?
Publicly available information	Yes
Internal drafts (no sensitive content)	Yes, with caution
Personally Identifiable Information (PII)	No
Protected Health Information (PHI)	No
Authentication credentials (passwords, API keys, tokens)	No
Source code from proprietary systems	No
Client or customer data	No
Financial records	No
Legal documents under NDA	No

4. Approved AI Tools

The following AI tools are approved for business use, subject to the data restrictions in Section 3:

Tool	Approved Use Cases	Data Restrictions	Review Date
[Tool Name]	[Use cases]	[Restrictions]	[Date]

Employees must obtain written approval from [IT/Security] before using any AI tool not listed above.

5. Prohibited Uses

Employees may not:

Submit sensitive data (as defined in Section 3) to any external AI tool
Use AI-generated content as the final decision in high-risk contexts (legal, medical, financial advice to clients) without human review
Attempt to circumvent this policy through prompt engineering or indirect methods
Create deepfakes, impersonations, or synthetic media of real individuals
Use AI tools to access, process, or analyze data beyond their authorized scope

6. Employee Responsibilities

All employees who use AI tools must:

Complete the organization's AI governance training before using any AI tool for work purposes
Report suspected or confirmed accidental submission of sensitive data to [Security Team] within 24 hours
Obtain approval before introducing a new AI tool into any business workflow
Review the data restrictions in Section 3 before each use

7. New AI Tool Assessment

Before approving a new AI tool, [IT/Security] will evaluate:

The provider's privacy policy and data retention terms
Whether submitted data is used for model training
The provider's security posture (SOC 2, ISO 27001, or equivalent)
Contractual protections (DPA, data processing agreement)
Regulatory impact (HIPAA BAA required if PHI may be involved)

8. Incident Reporting

If an employee submits sensitive data to an AI tool in error:

Stop using the tool immediately
Report to [Security Team/IT Help Desk] within 24 hours
Document what data was submitted, to which tool, and when
[Security Team] will assess whether the incident triggers breach notification requirements

9. Enforcement

Violations of this policy may result in disciplinary action up to and including termination of employment or contract. [Organization Name] reserves the right to monitor AI tool usage on company-managed devices and networks.

10. Policy Review

This policy will be reviewed annually or following:

Adoption of a significant new AI tool
A security incident involving AI tools
Material changes to applicable regulations

AI Governance Policy