AI Use Policy

This document serves two purposes: a practical internal policy your team can adopt (or adapt), and a frank discussion for business owners about the realities of AI usage in your organisation.

The policy section isn't designed to win compliance awards. It's designed to be read, understood, and actually followed. The business owner section confronts uncomfortable truths about what's already happening with AI in your company - and what to do about it.

AI tools can make your work faster and better. They can also leak sensitive data, produce confidently wrong answers, and create legal exposure. This policy exists to get the benefits while avoiding the disasters.

Read it once. Apply common sense. Ask if you're unsure.

These five rules aren't bureaucratic box-ticking. They're the difference between "useful tool" and "front-page news."

1. No secrets in public tools

Don't paste API keys, passwords, client data, personal information, financial records, or anything marked confidential into ChatGPT, Claude.ai, Gemini, or any other consumer AI tool.

Why: Consumer-tier tools may use your inputs for training. Even if they don't, you've now sent sensitive data to a third party's servers with no data processing agreement. This is how breaches happen.

Instead: Use approved enterprise tools with zero-retention agreements. Or strip/redact sensitive information before prompting.

2. Human eyes on external outputs

Any AI-generated content that leaves the company - client deliverables, published content, external emails, contracts - must be reviewed by a human before sending.

Why: LLMs hallucinate. They invent citations, misstate facts, and occasionally produce content that's legally problematic. The AI doesn't know what it doesn't know. You do.

Instead: Treat AI outputs as first drafts. Check facts. Verify quotes and citations exist. Read it like a sceptical client would.

3. Mark uncertainty honestly

If you're not sure whether AI-generated content is accurate, say so. Don't present AI-assisted research as verified fact unless you've actually verified it.

Why: AI tools are confident even when wrong. That confidence is contagious. Passing off unverified AI output as your own verified work is how trust gets destroyed.

Instead: Use phrases like "AI-assisted research suggests..." or "This needs verification, but initial analysis indicates..." Be honest about your sources.

4. Keep receipts for regulated work

For workflows involving compliance, legal, financial, or HR decisions, save your prompts and the AI's responses.

Why: If something goes wrong, you need an audit trail. "The AI told me to" isn't a defence, but "here's the prompt, here's the response, here's my review and decision" might be.

Instead: Screenshot or export conversations. Store them where you'd store other work product for that project.

5. Report incidents quickly

If you accidentally paste sensitive data into a public tool, or discover AI output caused a problem, report it within 24 hours to [your designated contact].

Why: Small problems become big problems when they're hidden. Early reporting lets us contain damage, learn, and adjust.

Instead: Just tell someone. No blame, no drama. We'd rather know.