AI Governance Foundations: Acceptable use policies for AI

Acceptable Use Policies (AUPs) for AI – Study Guide

What This Is

An Acceptable Use Policy (AUP) for AI is a formal set of rules that defines how employees, contractors, and systems may (or may not) use AI tools in an organization. It matters because AI introduces risks—data leaks, bias, compliance violations, or reputational harm—that can derail projects or expose the company to legal liability. Example: A healthcare provider’s AUP might ban using public LLMs to process patient records but allow vetted, HIPAA-compliant AI tools for administrative tasks.

Key Facts & Principles

• Scope of Use Defines who can use AI (e.g., only trained employees), what tools are permitted (e.g., approved vendors only), and where (e.g., no AI in high-risk environments like trading floors). Example: A bank’s AUP might restrict AI use to internal tools for fraud detection but prohibit it for customer loan approvals.

• Data Handling Rules Specifies what data can (or cannot) be input into AI systems. Example: "Never upload PII, trade secrets, or customer payment details to third-party AI tools." Some AUPs require anonymization or synthetic data for testing.

• Prohibited Activities Lists actions that violate policy, such as bypassing security controls, using AI to generate deepfakes of employees, or automating decisions without human oversight. Example: "Do not use AI to impersonate executives in internal communications."

• Compliance & Legal Alignment Ensures AI use adheres to laws (e.g., GDPR, CCPA) and industry standards (e.g., SOC 2, ISO 27001). Example: A European company’s AUP might require AI tools to support data subject access requests (DSARs).

• Transparency & Attribution Mandates disclosing AI use to stakeholders (e.g., "This report was generated with AI assistance") and documenting AI-generated outputs. Example: A marketing team must label AI-generated ad copy as "AI-assisted."

• Human-in-the-Loop (HITL) Requires human review for high-stakes decisions (e.g., hiring, medical diagnoses) or outputs (e.g., legal contracts). Example: "All AI-drafted customer emails must be reviewed by a manager before sending."

• Vendor & Tool Approval Establishes a process to evaluate and approve AI tools before use (e.g., security audits, bias testing). Example: "Only AI tools listed in the IT-approved vendor portal may be used."

• Incident Reporting Defines how to report AI-related issues (e.g., data leaks, biased outputs) and escalation paths. Example: "Report AI hallucinations or unauthorized data exposure to [email protected] within 1 hour."

• Training & Awareness Requires employees to complete AI ethics training before using AI tools. Example: "All staff must complete the annual ‘Responsible AI Use’ module."

• Consequences for Violations Outlines disciplinary actions for policy breaches (e.g., revoked access, retraining, termination). Example: "Unauthorized use of AI for sensitive data may result in immediate termination."

Step-by-Step Application

1. Audit Current AI Use
2. Inventory all AI tools in use (e.g., ChatGPT, GitHub Copilot, custom models).
3. Identify gaps: Are employees using unapproved tools? Is sensitive data being exposed?

4. Tool: Use a spreadsheet or governance platform (e.g., Collibra, OneTrust) to track tools and risks.

5. Align with Existing Policies

6. Map AI risks to existing policies (e.g., data privacy, code of conduct, IT security).

7. Example: If your data policy bans sharing PII with third parties, extend it to prohibit uploading PII to public LLMs.

8. Draft the AUP

9. Use a template (e.g., from NIST, IAPP, or your legal team) and tailor it to your industry.
10. Include:
    • Permitted/prohibited use cases.
    • Data handling rules.
    • Approval workflows for new tools.
    • Reporting procedures.

11. Example: "AI may not be used to process HR data without prior approval from the People Ops and Legal teams."

12. Socialize & Train

13. Present the AUP to leadership and teams (e.g., via town halls, Slack announcements).
14. Conduct role-based training (e.g., engineers vs. marketers have different AI risks).

15. Tool: Use LMS platforms (e.g., Cornerstone, Docebo) to track completion.

16. Implement Controls

17. Technical: Block unapproved AI tools via firewall rules or endpoint protection.
18. Process: Require approval for new AI tools (e.g., via a ticketing system).

19. Example: Use a CASB (Cloud Access Security Broker) to block access to unapproved AI websites.

20. Monitor & Enforce

21. Audit AI use quarterly (e.g., check logs for unauthorized tools).
22. Set up alerts for policy violations (e.g., DLP tools flagging PII in AI prompts).
23. Example: "If an employee uploads source code to a public LLM, their access is automatically revoked."

Common Mistakes

• Mistake: Assuming "AI is just another tool" and not updating policies. Correction: AI introduces unique risks (e.g., hallucinations, bias, data leakage). Update AUPs to address these explicitly. Why: A generic IT policy won’t cover AI-specific threats like prompt injection or model drift.

• Mistake: Writing the AUP in legalese without practical guidance. Correction: Include clear examples (e.g., "Do not use AI to write performance reviews"). Why: Employees ignore policies they don’t understand.

• Mistake: Focusing only on prohibitions, not enablement. Correction: Balance restrictions with approved use cases (e.g., "AI is allowed for drafting internal memos"). Why: Overly restrictive policies lead to shadow AI use.

• Mistake: Not updating the AUP as AI evolves. Correction: Review the AUP every 6 months (or after major incidents). Why: New risks emerge (e.g., deepfake scams, multimodal AI).

• Mistake: Ignoring third-party risks. Correction: Extend the AUP to vendors (e.g., "Contractors must comply with our AI policy"). Why: A vendor’s AI tool could expose your data.

Practical Tips

• Start with high-risk areas first. Prioritize AUPs for teams handling sensitive data (e.g., HR, finance, R&D). Example: A biotech firm might focus on AI use in clinical trials before marketing.

• Use a "sandbox" approach for testing. Allow limited AI use in controlled environments (e.g., a dev sandbox) before full rollout. Example: "Engineers can test AI code assistants in a walled-off repo."

• Leverage existing frameworks. Adapt templates from NIST’s AI Risk Management Framework, ISO/IEC 42001, or the EU AI Act. Tool: NIST AI RMF Playbook.

• Make reporting easy. Provide a simple way to report AI issues (e.g., a Slack channel or anonymous form). Example: "Report AI bias concerns to #ai-ethics on Slack."

Quick Practice Scenario

Scenario: A sales team at a fintech company wants to use an AI tool to generate personalized email pitches for clients. The tool requires uploading a CSV of client names, emails, and past purchase history. The company’s AUP states: "No PII may be uploaded to third-party AI tools without anonymization."

Question: What steps should the sales team take before using the tool?

Answer: Anonymize the data (e.g., replace names with IDs) and submit the tool for approval via the IT vendor review process. Explanation: The AUP prohibits uploading PII, but anonymization and approval can mitigate the risk.

Last-Minute Cram Sheet

1. AUP = Rules for AI use (who, what, how, where).
2. Scope of use defines permitted tools and users. Don’t assume all employees can use AI.
3. Data handling rules are critical—never upload PII, trade secrets, or regulated data.
4. Prohibited activities include deepfakes, bypassing security, or automating high-stakes decisions.
5. Compliance alignment ensures AI use meets legal/industry standards (e.g., GDPR, HIPAA).
6. Transparency requires disclosing AI use (e.g., "AI-assisted" labels).
7. Human-in-the-loop is mandatory for high-risk decisions. Don’t fully automate hiring or medical diagnoses.
8. Vendor approval is required before using new AI tools. Shadow AI is a top risk.
9. Incident reporting must be fast (e.g., 1-hour window for data leaks).
10. Training is non-negotiable—employees must complete AI ethics modules. Ignorance isn’t an excuse.