AI Acceptable Use Policy Template
A two-page acceptable use policy you can print, fill in for your own business, and adopt this week. Replace the bracketed prompts with your details, name your approved tools, and circulate it to your team. Plain language, no legal jargon required.
ClayGen Consulting
How to use this template
- Print this page or save it as a PDF, then replace every bracketed prompt (for example [your business name]) with your own details.
- Decide your approved-tools list deliberately. Favour business-tier accounts your business administers, where the vendor contract keeps your data out of model training, over personal free accounts.
- Edit the prohibited-data list so it matches the information your business actually holds, including any sector rules that apply to you.
- Name the person or role who approves new AI tools and uses, and the person to contact when something goes wrong.
- Circulate the finished policy, walk your team through the data rule once, and set a review date on the cover.
Policy cover details
Fill these in so everyone knows the policy applies to them, who owns it, and when it is next reviewed.
| Field | Your entry |
|---|---|
| Organization | [your business name] |
| Policy title | AI Acceptable Use Policy |
| Applies to | [all employees, contractors, and anyone acting on the business’s behalf] |
| Policy owner | [name / role responsible for the policy] |
| Approval authority for new AI tools and uses | [name / role] |
| Effective date | [date] |
| Next review date | [date, typically 6 to 12 months out] |
1. Purpose and scope
This section says why the policy exists and who it covers. Adapt the bracketed text.
Purpose. This policy sets out how artificial intelligence (AI) tools may be used at [your business name]. It exists so that our team can use AI to work better while protecting our clients, our people, our information, and our legal and professional obligations.
Scope. This policy applies to everyone who uses AI tools for [your business name] work, including employees, contractors, and anyone acting on the business's behalf. It covers AI tools we provide and any AI tool used for work, including free, personal, and trial accounts.
What we mean by AI tools. Any software that generates or analyzes text, code, images, audio, or decisions using AI, including general assistants (for example ChatGPT, Copilot, Gemini), AI features built into other software, and AI browser extensions.
2. Acceptable use
Spell out what AI may be used for and where it stops. The table is a starting point; edit the rows to fit how your business works.
| Encouraged uses (with the rules below) | Uses that require approval or are not permitted |
|---|---|
| Drafting internal documents, emails, and first drafts a person then reviews | Making a final decision about hiring, firing, pay, credit, or anything that materially affects a person, without human review |
| Summarizing or reformatting information the business is allowed to share with the tool | Entering prohibited data (see section 4) into any tool not approved for it |
| Brainstorming, research starting points, and drafting code that a person checks | Presenting AI output to a client or the public as final without a human review |
| Using approved AI features inside software the business already controls | Adopting a new AI tool for work before it is approved under section 3 |
3. Approved tools
List the AI tools your team is permitted to use. Prefer business-tier accounts the business administers, where your data is contractually protected and kept out of model training. Anything not on this list needs sign-off from the approval authority named on the cover before it is used for work.
| Approved tool | Approved for | Account type | Notes / data protection |
|---|---|---|---|
| [tool name] | [what it may be used for] | [business-tier / admin-controlled] | [data not used for training; confirm in the vendor terms] |
| [tool name] | [what it may be used for] | [business-tier / admin-controlled] | [notes] |
| [tool name] | [what it may be used for] | [business-tier / admin-controlled] | [notes] |
Requesting a new tool. To request a tool that is not on this list, contact [name / role] with the tool name, what you want to use it for, and what data it would touch. Do not use it for work until it is approved and added above.
4. Prohibited data
This is the most important section. The following must never be entered into an AI tool unless it is an approved tool that is explicitly permitted for that data and contractually protected. Edit the list so it reflects the information your business actually holds and the rules of your sector.
| Do not enter into AI tools (unless approved for it) | Examples |
|---|---|
| Personal information about clients, customers, patients, or staff | Names tied to other details, contact lists, addresses, identifiers |
| Health information | Patient records, diagnoses, treatment notes (PHIPA-regulated) |
| Financial and payment information | Account numbers, card details, banking information |
| Credentials and security information | Passwords, API keys, access tokens, security configurations |
| Confidential or contractually protected information | Anything under an NDA, privileged legal information, trade secrets, unreleased plans |
| [your sector-specific category] | [examples specific to your business] |
The simple rule. If you would not post it publicly, do not paste it into an AI tool that is not approved for that information. When in doubt, ask before you paste.
5. Human oversight and accountability
AI assists; it does not approve. A person is always responsible for what AI produces on the business's behalf.
- A person reviews AI output before it goes to a client, a regulator, the public, or into a real decision. The reviewer is responsible for its accuracy, not the tool.
- AI is not used to make a final decision that materially affects a person (such as hiring, pay, or credit) without meaningful human review of that decision.
- Staff check AI output for accuracy, bias, and anything that does not fit our standards before relying on it. AI can be confidently wrong.
- Where it matters to clients or compliance, we are honest about where AI was used, in line with our obligations and any client agreements.
6. Incident handling
Mistakes happen. Reporting one early is expected and will not be punished; hiding one makes the harm worse. This section tells your team exactly what to do.
| If this happens | Do this |
|---|---|
| Prohibited data was entered into an AI tool it should not have been | Tell [name / role] right away with what was entered and where. Do not delete evidence. We assess whether it is a privacy or security incident and respond. |
| AI output containing an error reached a client or the public | Tell [name / role] promptly so we can correct it and notify anyone affected. |
| You are unsure whether something is allowed | Ask [name / role] before acting. A quick question is always acceptable. |
| You suspect an AI tool or account has been compromised | Report it to [name / role] immediately and stop using the tool until told otherwise. |
A reported mistake made in good faith is treated as a chance to improve the policy and our controls, not as grounds for discipline.
7. Acknowledgement
Have each person confirm they have read and will follow the policy. Keep the signed record.
| Name | Role | Date | Signature |
|---|---|---|---|
Putting it into practice
A policy on paper only protects you if the controls behind it hold: the approved-tools list stays accurate, the data boundaries survive tool updates, and someone actually watches how AI is used. That ongoing governance is the heart of Managed AI. For the full explanation of why a policy matters and how to write one, read Does Your Business Need an AI Policy? For the privacy obligations that sit underneath it, see our PIPEDA compliance checklist.
Sources and further reading
- Littler, "Employers Brace for AI-Driven Workplace Shifts and Rising Risk" (14th Annual Employer Survey, May 2026), littler.com, on the share of employers with a formal AI-use policy.
- Office of the Privacy Commissioner of Canada, guidance on PIPEDA and personal information handling (priv.gc.ca).
Prepared by ClayGen Consulting, claygen.ca. This resource is general information, not legal, tax, or accounting advice. Confirm the requirements that apply to your business with your advisors and the relevant regulator before relying on it.