Tom Cedoz

Checklist · AI & emerging risk

A Workplace Generative-AI Use Policy: A Build Checklist

Most generative-AI policies fail one of two ways: they say nothing useful, or they say “don’t,” which employees route around on personal accounts. A workable policy does the opposite — it hands people a safe tool and a single rule they can actually remember. This checklist walks the sections a usable policy needs.

Updated June 2026 · 9 sections · Prints to 2 pages

Before you draft: what this policy is for

A generative-AI acceptable-use policy is not a ban and not a permission slip. It is the document that lets employees capture the productivity benefit without creating confidentiality, IP, accuracy, or discrimination exposure that lands on the company. The organizing idea throughout: AI changes the workflow, not the legal duties. Competence, verification, candor, confidentiality, and non-discrimination remain the company’s obligations, and “the model produced it” is not a defense. The notes below are general information, not legal advice; AI law is moving quickly and varies sharply by jurisdiction, so scope every regulatory reference to your jurisdictions and confirm its current status, scope, and applicability before relying on it.

1. Approved tools — give people a safe option

The single most effective anti-shadow-AI measure is a sanctioned tool that is actually good enough to use. A policy that only prohibits drives usage onto personal accounts where the company has no visibility and no contractual protection.

2. Data rules — the one bright line

If employees remember nothing else, they should remember this section. Most real-world AI incidents are data incidents: someone pasted something sensitive into a tool that retains or trains on inputs.

3. IP and ownership — manage two risks at once

Generative AI raises a question on both ends of the work: whether you own what comes out, and whether what comes out infringes someone else.

4. Accuracy and verification — AI drafts, humans decide

The non-negotiable rule of the whole series: a human must verify every AI output before it is used, sent, or relied on. The tool produces a draft, never an authority. Fabricated citations, invented facts, and confident-sounding errors are features of the technology, not anomalies.

5. Prohibited and high-risk uses

Some tasks carry enough legal or safety exposure that AI may only assist under human control — or not at all. Many in-house teams find it useful to list these explicitly rather than leave them to judgment.

Use: Legal advice or legal conclusions
Posture: Human counsel decides; AI output is never the answer of record

Use: HR and employment decisions (hiring, discipline, pay, termination)
Posture: High-risk; automated decision tools may implicate frameworks such as NYC Local Law 144, Illinois’ AI Video Interview Act and BIPA, or the Colorado AI Act. Confirm current status, scope, and applicability before relying on any of them.

Use: Regulated, safety-critical, or medical outputs
Posture: Human review required; sector rules govern regardless of the tool

Use: Security-relevant or production code
Posture: No deployment without human review and testing

6. Disclosure — when to say AI was used

7. Confidentiality and privilege

8. Security

9. Training, enforcement, and fit

The pattern that works

A policy that just says “don’t use AI” gets ignored and breeds shadow AI on personal accounts. The ones that hold up give employees a sanctioned, enterprise-grade tool plus one bright-line rule everyone can recite: never paste confidential or client data into a tool that is not approved. Give people the safe option first; the prohibition only works once the alternative exists.