AI Acceptable Use Policy Template

A short, plain-language starter policy. Replace the bracketed fields with your organisation's specifics and keep it to a length people will actually read.

Purpose

Why this policy exists and what it aims to protect: our people, our clients and our reputation.

[Organisation] uses artificial intelligence (AI) tools to work more effectively, reduce administrative burden and improve the quality of what we produce. This policy sets out how we do that safely. It exists to protect the people we serve, the people who work here, the information entrusted to us and our reputation. It applies common sense rather than fear: AI is encouraged where it helps, within clear limits where it could cause harm.

Scope

Who and what this applies to: all staff, volunteers, contractors and board members using AI for [organisation] work.

This policy applies to everyone who uses AI tools for [organisation] business, including employees, volunteers, contractors and board members, whether on organisation-owned or personal devices. It covers all AI tools, including general assistants such as ChatGPT and Claude, AI features built into software we already use and any automation that relies on AI. If you are using AI to do work for [organisation], this policy applies to you.

Approved tools

The AI tools we permit and the account types (business, not personal) that must be used.

Only tools on our approved list may be used for [organisation] work. The current approved tools are: [list tools]. Where a tool offers business and personal accounts, you must use the organisation's business account, never a personal one, so that data and settings remain under our control. If you want to use a tool that is not on the list, request approval from [role] before using it for any work task. Do not assume a tool is safe simply because it is popular or free.

Prohibited uses

Uses that are never allowed, for example entering Red data or making unreviewed decisions about people.

The following are never permitted: entering Red data (see Data classification) into any general AI tool; using AI to make a final decision about a person such as hiring, dismissal or eligibility without human judgement and oversight; publishing or sending AI-generated content without human review; using personal accounts for organisation work; presenting AI output as professional advice where a qualified person is required. When in doubt, ask [role] before proceeding.

Data classification

We classify data using the traffic-light model (green / amber / red). See Appendix B.

We classify all information using the traffic-light model. Green data (public or non-identifying) may be used with approved tools freely. Amber data (internal but not highly sensitive) may be used only with approved business-account tools and care. Red data (personal, confidential, health, children's, financial or anything we would be horrified to see leaked) must never be entered into general AI tools. When you are unsure which colour applies, treat the information as the next colour up. The full model is in Appendix B.

Human review

A named human is responsible for checking every AI output before it is used or sent.

Every AI-assisted output that is used, sent or published must be reviewed by a named human who takes responsibility for it. AI produces drafts; people produce decisions. The reviewer is accountable for accuracy, tone, confidentiality and fairness. "The AI wrote it" is never an acceptable explanation for an error that reaches a client, a funder or the public.

Accuracy

AI outputs are drafts, not facts. Claims and figures must be verified against a trusted source.

AI tools can state false information with complete confidence. Treat every factual claim, figure, quote, citation or statistic produced by AI as unverified until checked against a trusted source. This is especially important for anything that goes to funders, customers, regulators or the public. If a claim cannot be verified, it must be removed or clearly marked as unconfirmed.

Bias and fairness

We do not use AI to screen or rank people without human oversight and a fairness check.

We will not use AI to screen, rank, score or select people without human oversight and an explicit fairness check, because AI can reproduce and amplify bias in ways that are hard to see. Where AI assists with any decision affecting people, a human reviews the basis for that decision and remains accountable for it. Concerns about biased or unfair AI output should be raised with [role].

Confidentiality

Confidential and personal information must never be entered into non-approved tools.

Confidential information and personal data must never be entered into tools that are not approved for that purpose. This includes client and customer details, staff and HR information, donor records, financial data, legal matters, passwords and credentials, and confidential contracts. If you need to use AI to help with sensitive work, speak to [role] about an approved, governed way to do so. Removing or anonymising identifying details before using AI is good practice where the underlying task allows it.

Copyright and IP

We review AI-generated content for copyright, consent and ownership before publishing.

AI-generated text, images and media must be reviewed for copyright, consent and ownership before publication. Do not publish AI-generated images of real-looking people presented as our clients or beneficiaries without clear labelling and consent. Be aware that the ownership and licensing of AI-generated content can be uncertain; when in doubt, treat it cautiously and check with [role] before using it in anything public or commercial.

Record keeping

We keep a simple record of approved tools, key workflows and significant AI-assisted decisions.

We keep a simple, proportionate record of how we use AI: the approved tools in use, the key workflows that rely on AI and any significant decisions where AI played a material part. This is not bureaucracy for its own sake; it lets us answer questions from our board, our funders or a regulator and it helps us learn from what works. [Role] maintains this record.

Incident reporting

How to report a mistake or near-miss and who to tell, quickly and without blame.

If you make a mistake with AI or have a near-miss, for example you realise you pasted something sensitive into the wrong tool, report it to [role] as soon as possible. We handle honest reports without blame, because the alternative, people hiding mistakes, is far more dangerous. Quick reporting lets us contain a problem, learn from it and improve our controls.

Review cycle

This policy is reviewed every [6 / 12] months or sooner if tools or risks change.

This policy is reviewed every [6 / 12] months and sooner if the tools we use, the risks we face or the law that applies to us changes meaningfully. [Role] owns the review. The current version is [version] and it was last reviewed on [date]. All staff, volunteers, contractors and board members are asked to acknowledge that they have read and understood this policy.