Company AI Policy: A Template You Can't Copy, and the Employee Rules That Work in 2026
Looking for a company AI policy template? A copied template is exactly what fails. A working policy is short, specific to your real tools and data, and enforced. Employees already use AI, usually on private accounts, so a blanket ban just makes it invisible. See what an employee AI policy actually needs to contain.
A company AI policy is a short, enforceable document that tells employees which AI tools they may use, on which accounts, and with which data. A copied template fails, because the value is in mapping the rules to your real tools and data, not in the length of the template. You start from the fact that people already use AI, and you organize it rather than banning it.
Quick answer
You are searching for a "company AI policy template" because you want something ready to sign. Honestly: a ready-made template is the weakest version of this document. A copied policy usually bans things nobody does and stays silent about what people actually do, so it gives compliance on paper and none in practice.
A working AI policy has three traits: it is short (it fits on two pages, so someone will read it), it is specific to your company (it names your tools, your data, your processes), and it is enforced (it has an owner, a review date, and an incident path). That is why we do not publish a fill-in template here: the value is created in the mapping to a specific company, and a generic template creates false confidence. This text is input to your own documentation, not legal advice.
Why a copied template fails (and what shadow AI is)
Start with the fact most policies refuse to accept: employees already use AI. Usually on private accounts, in the browser, for draft emails, translations, summaries, and code. When the only rule is "no AI," the use does not disappear, it goes underground. That is shadow AI: AI tools used at work outside the company's knowledge and control.
Shadow AI is worse than open use, because company data flows into tools nobody approved, with no data-processing agreement and no trail at all. A ban does not reduce the risk, it makes it invisible. So the policy's job is not to pretend AI is not there. It is to make safe use easier than unsafe use: give an approved tool on a company account, state clearly what must not go into it, and take the guesswork off the employee.
A copied template cannot do this, because it does not know your tools or your data. A policy for a B2B services firm differs from one for a clinic or a software house, because the sensitive data and the processes differ.
What a working AI policy actually contains
This is the spine of the document. Seven parts, each in one or two honest sentences, because a shorter policy gets read, and a policy that gets read gets enforced.
- Which tools are approved and on which accounts. Name specific tools and require company accounts on business plans, not private ones, because only a business plan gives control over whether content is used to train the model and where it is stored. A private account means no contract and no control.
- Which data classes may enter a model and which never can. Separate public and internal data from customer data, personal data, and trade secrets. This is the heart of the policy, and we expand it in the table below.
- Disclosure rules. Decide when the recipient should know a model produced the content: usually for external communication, client-facing material, and anything that looks like a human conversation. From 2 August 2026 the AI Act introduces transparency obligations, including marking AI-generated interactions and content. That is a fact to plan for, not a reason to panic.
- Human review for anything outbound or binding. Nothing that goes to a client, to an authority, or that creates an obligation leaves without a person who checked it and takes responsibility. The model drafts, a human approves.
- The incident path. Write down plainly what an employee reports and to whom if they paste something they should not have, get a wrong result used in a decision, or notice a leak. Without a clear, blame-free path people hide mistakes, and a hidden incident is the most expensive one.
- The link to training and documentation. The policy points to training, because AI Act Article 4 (AI literacy) has applied since 2 February 2025 and requires that people using AI systems understand what they are doing. A line saying "we trained the team" with no documentation is empty.
- An owner and a review date. Name the person responsible for the document and the date of the next review, because tools and models change every quarter. A policy with no owner is dead on the day it is signed.
Which data may enter a model and which never can
This is the table an employee reads most often. The classification is illustrative: you set your own data classes for your company, because they, not the name of the tool, decide the risk.
| Data class | Allowed / Not allowed | Why |
|---|---|---|
| Public data (marketing material, content from your own site) | Allowed | Already public, no added risk. |
| Internal data without secrets (drafts, general notes, working text) | Allowed, only on an approved company account | Low risk, but a private account means no control and no contract. |
| Personal data of customers and staff | Not allowed without a legal basis and a processing agreement | GDPR requires a basis and a DPA with the provider; an accidental paste is a breach. |
| Trade secrets, code, non-public financial data | Not allowed on private accounts; approved environments only | Loss of secrecy and leakage beyond the company's control. |
| Client-entrusted or NDA-covered data | Not allowed without the data owner's consent | Contractual obligations bind regardless of the tool. |
Where you are unsure, the default rule is simple: if you would not type it into a public form, do not type it into a model on an unapproved account. More on the GDPR side and the processing agreement when deploying AI is in GDPR and DPA when deploying AI.
Can employees use ChatGPT at work?
Yes, on the right plan and with the right data rules. The risk is not the tool, it is the account and the data. That distinction is the whole policy in one sentence.
A private account means no contract with the provider, no control over whether content trains the model, and no trail of what was entered. A company account on a business plan closes most of those gaps. So a good policy does not say "no ChatGPT," it says "use the approved tool on a company account and do not enter data from the red list." A ban with no alternative just moves the use onto private accounts, which is exactly how you produce shadow AI.
The same holds for Claude, Copilot, and meeting-transcription tools: approved tool, company account, a clear list of data that must never be entered.
When not to write a heavy policy
Honestly: not every company needs a separate, elaborate document, and over-formalizing can be worse than doing nothing.
- A very small team with no sensitive data. If there are a handful of you and you touch no customer personal data or trade secrets, a one-page list of approved tools and a red list of data is enough. Nobody reads a ten-page regulation.
- You have not approved any tools yet. A policy that regulates tools you have not adopted is a fiction. First decide what the team uses, then describe it.
- You want a document for show before an audit. A policy nobody enforces or knows is worse than none: it creates false confidence and, at the first incident, shows you knew and did nothing. Better a short, living document than a long, dead one.
If any of these fits you, we will say so plainly: sometimes the right answer is one page and an hour of training, not a quarter-long project.
FAQ
Can employees use ChatGPT at work? Yes, on the right plan and with the right data rules. The risk is not the tool, it is the account and the data. Working on a private account means no control over where the content goes, so the company should name an approved business plan and state which data must never be entered. A ban with no alternative usually just moves AI use onto private accounts, out of the company's reach.
What is shadow AI? It is the use of AI tools at work outside the company's knowledge and control, most often on employees' private accounts. The problem is not that people use AI, it is that they do it invisibly: company data flows into tools nobody approved, with no contracts and no trail. An AI policy exists to surface that and route it into safe, approved channels.
Do I need a ready-made AI policy template? A ready-made template gives false confidence. The value of a policy is mapping it to your real tools, data, and processes, and a template cannot do that. A copied policy usually bans things nobody does and stays silent about what people actually do. A short document written for your specific company beats a long one that fits nothing.
What must an employee AI policy contain? Seven things: which tools are approved and on which accounts, which data classes may and may not enter a model, when it must be disclosed that a model wrote the content, human-review rules for anything outbound or binding, an incident path, a link to training and documentation (AI Act Article 4), and an owner with a review date. Without an owner, the policy is dead.
Does the EU AI Act require a company AI policy? The AI Act does not explicitly require a single document called an AI policy, but it imposes obligations that such a policy organizes. Article 4 (AI literacy) has applied since 2 February 2025 and requires that people using AI systems have adequate competence. Transparency obligations, including marking AI-generated content and interactions, apply from 2 August 2026. This is not legal advice; this text is input to your company's own documentation.
How to start
The cheapest sensible first step is to write down what the team already uses, not to buy a template.
- Book a free process scan and show where the team already reaches for AI.
- Prepare: which tools people use today, on which accounts, what data passes through them, and where the risk appears.
- After the call you get a recommendation: a short policy mapped to your tools and data, team training with documentation under Article 4, or an honest "a single page is enough for now."
A policy without skills is dead paper, which is why we pair it with team training that ends with documentation under AI Act Article 4.
Book a free process scan | Team training