How to Create an AI Acceptable Use Policy That People Actually Follow

The failure modes of AI acceptable use policies are consistent:

Too abstract to apply. Policies that state 'employees must use AI responsibly and in accordance with the organisation's values' provide no actionable guidance for the employee deciding whether to paste a specific document into ChatGPT. Guidance must be specific enough to apply to real decisions.

Too long to read. A 20-page AI policy will not be read by the employees it is written for. The policy that influences behaviour is short enough to be absorbed in five minutes and specific enough to be remembered when a relevant situation arises.

Written for legal protection, not for guidance. Policies written primarily to provide the organisation with legal protection in the event of a breach typically read as liability disclaimers rather than practical guidance. Employees who sense that the policy is written to protect the organisation rather than guide them treat it as a formality rather than a genuine source of direction.

No examples. Abstract principles without specific examples require the employee to interpret the principle in the context of their specific situation. This interpretive work is where the policy fails most consistently; employees who are uncertain interpret conservatively (avoiding useful AI use) or permissively (using AI in ways the policy did not intend to permit).

Five design principles for an AI acceptable use policy that employees actually use:

Employee-facing language, not legal language. Write for the employee who will use it, not for the lawyer who will defend it. Plain English, short sentences, active voice. Have a non-specialist employee review the draft and identify every phrase they would need to look up or interpret.

Scenario-based guidance. For each major policy principle, provide two or three specific scenarios that illustrate the principle in practice: one scenario where the use is clearly acceptable, one where it is clearly not, and one in the middle where the employee should seek guidance. Scenario-based guidance dramatically reduces interpretive inconsistency.

A clear decision tree for uncertain cases. When an employee is unsure whether a specific AI use is acceptable, the policy should provide a clear escalation path: a named contact (typically the AI governance lead or their manager) and a response time commitment.

Regular updates. AI capabilities and organisational AI use evolve faster than traditional policy update cycles. An AI acceptable use policy should be reviewed and updated at least every six months, with updates communicated to all employees at each revision.

Employee involvement in design. Employees who were involved in designing the policy (through workshops, review panels, or feedback cycles) are more likely to follow it than those presented with a finished document. A small employee review panel for the policy draft costs little and produces significantly better compliance.

The core content of an AI acceptable use policy for a UK organisation should cover:

Approved tools: which AI tools employees may use for work purposes, in which contexts. The distinction between approved tools (Microsoft 365 Copilot, Claude Enterprise, ChatGPT Enterprise where licensed) and consumer tools (free ChatGPT, consumer Claude) is one of the most important distinctions the policy should make clear, with specific guidance on what work is appropriate for each category.

Data classification rules: which categories of organisational information may be entered into which AI tools. Confidential client data, personal data, commercially sensitive information, and board-level materials should all be covered with specific guidance. 'Do not enter personal data into consumer AI tools' is clear; 'use AI responsibly with confidential information' is not.

Output use requirements: AI outputs must be checked before use; AI-generated content used externally must be reviewed by a qualified human; AI-generated content must not be represented as human-created when the context requires disclosure. These requirements should be stated as specific obligations, not as general principles.

Prohibited uses: specific AI uses that are not permitted. For most UK organisations, this includes: using consumer AI to process personal data, using AI to generate deceptive content, using AI in regulated decision-making without appropriate oversight, and using AI to circumvent security controls.

A well-designed policy that is poorly communicated and inconsistently enforced will have the same practical effect as a poorly designed one.

Communication: the policy should be communicated at launch through manager-led team briefings (not an email attachment with an acknowledgement request), incorporated into AI training programmes, and made easily findable in the locations where employees are most likely to need it (linked from AI tool landing pages, included in onboarding for new joiners).

Enforcement: the policy must have teeth proportionate to the violation. Minor inadvertent policy breaches (using consumer AI for a non-sensitive task) should be handled through education and reminder; deliberate or serious violations (using AI to process customer personal data without authorisation) should be handled through the standard disciplinary process. The policy should specify the consequences of different types of violation.

Incident reporting: employees should have a clear, low-friction mechanism to report potential policy violations (their own mistakes as well as others') without fear of disproportionate consequences. An organisation that learns about AI policy breaches through incidents is managing them; an organisation that learns about them through external discovery is not.