
How to Write an AI Usage Policy for Employees (With Template)

Sakha Team | 10 min read

An AI usage policy for employees sets the rules for how your team uses AI tools at work: which tools are approved, what data can and cannot go into them, when AI-assisted work needs review or disclosure, and how new tools get adopted. Most companies need one urgently for a simple reason: employees are already using AI, with or without rules, and unmanaged use is where the real risk lives. This guide covers what the policy must include, with a template structure and example language. For the rollout side that pairs with this, see how to train employees on AI tools.

Why this policy, why now

Three forces converged. First, adoption is no longer optional or fringe: SHRM's State of AI in HR research shows AI use is now routine across organizations, with a large share of professionals using it weekly or daily. Second, the risk is concrete: an employee pasting customer data or unreleased financials into a consumer chatbot is a data incident, whether or not anyone notices. Third, regulators in several jurisdictions are beginning to ask whether policies governing workplace AI use exist at all.

The companies without a policy do not have less AI use. They have invisible AI use, which is strictly worse.

What should an AI usage policy include?

Section | What it covers
Purpose and scope | Why the policy exists, who and what tools it covers
Approved tools | Named tools, approval tiers, how to request new ones
Data rules | What may never be entered, what is fine, examples of each
Disclosure | When AI-assisted work must be flagged
Review | Who checks AI output before it ships to customers or production
Accountability | The human stays responsible for the output, always
Security basics | Accounts, access, no personal accounts for company work
Policy review | Every six months, named owner

The section that matters most: data rules

Almost every real AI incident is a data incident. The data section must be specific enough that an employee facing a paste decision knows the answer instantly. Vague version: "Use good judgment with sensitive data." Specific version: "Never enter customer names or data, credentials or keys, unreleased financials, employee personal data, or source code from private repositories into any AI tool not on the approved list. Aggregated, anonymized, or public information is fine." The specific version changes behavior; the vague one decorates a PDF. The same vagueness test applies here as in any policy, covered in how to write a remote work policy.

How do you write the policy, step by step?

  1. Inventory actual use first. Survey what tools people already use and for what. The policy must govern reality, and the survey itself surfaces the risks you are writing against.
  2. Define the approved tool list. Name tools, not categories. Include the request path for new ones, because a policy with no approval route just recreates shadow use.
  3. Set the data rules in plain language, with examples of forbidden and fine.
  4. Define disclosure and review. State when AI-assisted work must be flagged, and name who reviews AI output before it reaches a customer, a contract, or production code.
  5. Publish it where it can be queried, and review every six months. AI tooling changes monthly; annual review cycles cannot keep up.

The enforcement problem nobody solves with a PDF

Here is where most AI policies die: they get written, circulated once, and buried. Then an employee, mid-task, wonders whether pasting a customer email into a chatbot is allowed, cannot find the answer in thirty seconds, and decides on vibes. The policy existed; it just was not present at the moment of decision.

The fix is making the policy answerable, not just readable. When an employee can ask "can I use ChatGPT for this customer summary" and get the policy's actual answer instantly, the policy governs behavior. This is the same findability problem every policy has, covered in how to build an internal knowledge base in Slack, but AI policy is where it bites hardest, because the questions are constant and the stakes are real.

How Sakha helps you write and enforce it

Sakha's policy generator drafts a complete AI usage policy from a few details about your company (your tools, your data sensitivities, your jurisdiction), structured with all the sections above, and its policy review flags vague language of exactly the kind that makes AI policies useless. When you publish, the policy goes into your knowledge base automatically, so any employee can ask "am I allowed to use this tool" or "can I paste this" in Slack and get the policy's answer in seconds, at the moment of decision. New hires get it surfaced during onboarding in context, not as page 40 of a handbook. A policy that answers questions is a policy that actually works.

Curious how Sakha runs onboarding inside Slack? See how it works.