What Guardrails and Policies Do You Need to Use AI at Your Company?

Here’s something you may not want to hear: employees at your company are already using AI.

They’re pasting code into ChatGPT. They’re summarizing documents with Claude. They’re using AI writing assistants embedded in their tools. Some of them are doing this carefully. Many are not thinking about security implications at all.

You have a choice: build governance that shapes how AI is used, or pretend it’s not happening and hope nothing goes wrong. The second option isn’t actually a strategy.

The Governance Gap

Most organizations are in one of three states:

State 1: No policy exists. AI use is ungoverned. Some employees use AI tools extensively; others don’t use them at all. Nobody knows what data is being shared with external services.

State 2: Blanket prohibition. Leadership has banned AI tools, usually citing vague security concerns. Employees ignore the ban because the tools are useful and enforcement is impractical. The company gets the risks of AI use without any visibility into it.

State 3: Thoughtful governance. Policies exist that enable beneficial AI use while managing specific risks. Employees know what’s permitted, what’s prohibited, and why.

Most organizations should aim for State 3, but getting there requires understanding what you’re actually governing.

Risk Categories That Matter

AI risks for business use cluster into a few categories. Your policies should address each explicitly.

Data Exposure

When employees input data into AI systems, that data may be:

• Stored by the AI provider
• Used to train future models
• Accessible to the provider’s employees
• Subject to the provider’s security practices (or lack thereof)

The risk level depends on what data is being shared:

Low risk: Publicly available information, generic questions, non-sensitive internal contentMedium risk: Internal business information, general company knowledge, non-confidential project detailsHigh risk: Customer data, personal information, financial data, intellectual property, credentials, code with security implications

Your policy should classify data types and specify which can be used with which AI services. This isn’t different from any other third-party data sharing—the same rules that govern what goes to external vendors apply.

Accuracy and Reliability

AI systems generate plausible-sounding content that may be factually wrong. They “hallucinate” citations, fabricate technical details, and confidently present incorrect information.

For internal productivity (drafting emails, summarizing documents), minor inaccuracies are manageable—humans review and correct before acting.

For external-facing content, customer communications, legal documents, technical specifications, or anything with safety implications, unreviewed AI output is dangerous.

Your policy should require human review proportional to the output’s impact. What level of review is needed before AI-generated content can be published, sent to customers, or used in decision-making?

Intellectual Property and Ownership

AI-generated content creates murky ownership questions:

• Who owns the output—your company, the AI provider, or nobody?
• If the AI was trained on copyrighted material, what rights issues exist with its output?
• Can AI-generated content be patented or copyrighted?

These questions don’t have settled legal answers in most jurisdictions. Your policy should acknowledge the uncertainty and establish reasonable positions:

• Use AI-generated content as a starting point, not final product
• Apply normal IP protections to modified/reviewed content
• Avoid AI-generated content in situations with high IP sensitivity
• Document what was AI-generated for future reference

Compliance and Regulatory

Depending on your industry, AI use may trigger regulatory considerations:

• HIPAA implications for healthcare data processed by AI
• GDPR requirements for personal data sent to AI services
• Financial regulations about automated decision-making
• Industry-specific rules about AI in regulated processes

Your legal and compliance teams need to review AI use in their domains. Generic company policy isn’t sufficient for regulated activities.

Bias and Discrimination

AI systems can perpetuate or amplify biases present in their training data. Using AI for hiring decisions, customer-facing recommendations, credit determinations, or similar high-impact decisions requires careful evaluation.

This is less relevant for productivity uses (writing emails, generating code snippets) and more critical for systems that affect people’s lives.

Your policy should identify use cases where bias is a concern and require appropriate oversight—human review, bias testing, or prohibition of AI use for those decisions.

Building the Policy

Scope and Applicability

Define what the policy covers:

• Which AI tools (public services like ChatGPT/Claude, embedded features in SaaS tools, company-deployed AI systems)
• Which users (all employees, specific departments, contractors)
• Which activities (using AI for work tasks, developing AI features, deploying AI in products)

Most organizations need policies for both “using AI tools” and “building AI into products”—these are different activities with different risks.

Permitted Use Categories

Rather than listing every allowed and prohibited use, define categories:

Generally Permitted: Uses with low risk that don’t require specific approval

• Drafting and editing internal communications
• Brainstorming and ideation
• Learning and research on public topics
• Code assistance for non-sensitive development

Permitted with Conditions: Uses that are allowed with specific safeguards

• Customer-facing content (requires human review)
• Analysis of internal business data (only with enterprise tools that have appropriate data agreements)
• Use in regulated areas (requires compliance team approval)

Prohibited: Uses that are not allowed

• Input of customer PII, PHI, or confidential customer data
• Input of credentials, API keys, or security-sensitive material
• Use for high-stakes decisions without human oversight
• Use that violates the AI provider’s terms of service

Approved Tools and Platforms

Specify which AI services are approved for business use:

Enterprise tier preferred: Tools with enterprise data agreements (no training on your data, appropriate security controls, audit logs) are preferred over consumer versions.

Consumer tools with restrictions: If employees use consumer AI tools, specify what data cannot be input.

Embedded AI features: Address AI features embedded in tools you already use (Microsoft Copilot, Google Duet, GitHub Copilot, etc.)—these often have different data handling than standalone AI services.

Review and Oversight Requirements

Define when AI use requires review:

• AI-generated content for public release requires [level] review
• AI assistance in customer communications requires [level] review
• AI-generated code in production systems requires normal code review plus [additional requirements]
• AI use in [specific function] requires [specific approval]

The principle: higher-impact uses require more oversight.

Incident Reporting

Establish what needs to be reported:

• Inadvertent input of sensitive data to AI tools
• AI-generated content that caused problems (inaccuracies, customer complaints)
• Suspected misuse of AI tools
• Security incidents involving AI systems

Create clear reporting channels and response procedures.

Governance Structure

Policy without enforcement is suggestion. You need governance mechanisms.

Ownership

Someone needs to own AI governance. Options:

• CISO/Security team: Natural fit for data protection aspects, may lack business context
• CTO/Engineering: Natural fit for technical use, may not cover all employee usage
• Legal/Compliance: Critical for regulated industries, may be too risk-averse
• Cross-functional committee: Better coverage, slower decision-making

Many organizations form an AI governance committee with representatives from security, legal, engineering, and business operations. This works if the committee actually meets and makes decisions.

Exception Process

Your policy won’t cover every situation. Define how exceptions are requested and approved:

• Who can request exceptions?
• What information is required?
• Who approves?
• How are exceptions documented and reviewed?

Overly bureaucratic processes drive shadow AI use. Make exceptions possible but documented.

Regular Review

AI capabilities and risks change rapidly. What seemed safe last year may not be safe today; what seemed risky may now have mitigations.

Schedule policy reviews quarterly or semi-annually. Monitor for:

• New AI capabilities that create new risks
• New AI tools that should be evaluated
• Changes in regulatory landscape
• Changes in provider terms of service
• Incidents (internal or industry-wide) that inform policy updates

Implementation Checklist

For organizations starting from scratch:

Week 1-2: Assess current state

• Survey employees on current AI use
• Inventory AI tools already in use (check expense reports, IT asset lists)
• Identify sensitive data types and where they might intersect with AI

Week 3-4: Draft policy

• Define risk categories and data classifications
• Establish permitted, conditional, and prohibited use categories
• Identify approved tools
• Define review requirements

Week 5-6: Legal and compliance review

• Review policy with legal for liability and IP implications
• Review with compliance for regulatory alignment
• Review with HR for employment policy consistency

Week 7-8: Stakeholder review

• Share draft with department heads
• Gather feedback on practicality and gaps
• Refine based on input

Week 9-10: Communication and training

• Publish policy through normal channels
• Brief employees on key provisions
• Provide guidance on common use cases

Week 11-12: Implementation

• Enable approved tools
• Establish exception process
• Begin monitoring and enforcement

Ongoing:

• Track policy exceptions and incidents
• Update based on learnings
• Regular review cycle

The Pragmatic Stance

Attempting to ban AI use entirely is a losing battle. The tools are too useful, too accessible, and too integrated into other software.

Attempting to allow AI use without guardrails is equally foolish. The risks are real, and you’re accepting liability you may not want.

The middle ground: enable AI use where benefits outweigh risks, prohibit it where risks are unacceptable, and maintain visibility into what’s actually happening.

Your employees want to use AI because it makes them more productive. Channel that energy into safe use rather than driving it underground.