AI Policy Starter Kit

A practical primer for teams building AI guardrails. The structure here is the same one Elizabeth uses with executive teams and Chamber of Commerce audiences — built so a small group can draft a workable v1 policy in an afternoon, not a quarter.

"You don't need a perfect policy on day one. You need a policy."

A — The reality check

Your team is already using AI.

According to Microsoft's 2024 Work Trend Index, 75% of knowledge workers are using AI at work — and over half brought their own AI tools without IT approval. The question isn't whether AI is coming to your organization. It's whether you're guiding it or ignoring it.

Three high-profile incidents make the point:

Each one was preventable with basic AI policy guardrails.

B — Eight components

A complete policy covers eight areas.

Most companies start with the top three and build out. The goal is structured, defensible decision-making — not a comprehensive document.

1. Purpose & scope

Define the role of AI in your organization and who this policy applies to — employees, contractors, vendors.

2. Approved tools & usage

Which tools are approved, who approves them, what they can be used for, and what's strictly off-limits. Prevents unsanctioned experimentation.

3. Data privacy & security

What data can go into AI tools, what cannot, and what safeguards apply, including whether the vendor retains prompts or trains on them. Aligns with your existing cybersecurity practices and any regulatory requirements (GDPR, HIPAA, CCPA).

4. Intellectual property & copyright

Who owns AI-generated work, whether proprietary information can be entered into AI tools, and how to avoid infringing on third-party copyrights.

5. Human oversight & accountability

When and where human review is required. No AI tool should make sensitive decisions or publish content without a human double-checking the output.

6. Transparency & communication

How stakeholders — clients, partners, employees — know AI is in use. Whether AI-generated content needs to be labeled. Transparency builds trust.

7. Bias & ethical safeguards

How AI outputs are checked against company values. How bias is monitored in hiring, marketing, customer service. How often AI decisions are audited for fairness.

8. Ongoing training & violations

Who gets trained and how often. What happens when the policy is broken. Who has the authority to revoke AI access. AI adoption is not "set it and forget it."

C — Quick start

Five questions to answer first.

If you only tackle five questions today, these cover your highest-risk areas:

  1. What AI tools are employees already using today? You can't govern what you can't see. Survey people and check proxy or SSO logs before you draft.
  2. What data is absolutely off-limits for AI input? Customer data, financials, source code, HR records, anything regulated.
  3. Who has final sign-off on AI-generated content? No content goes out the door without a named human reviewer.
  4. How will you disclose AI use to clients and partners? Pick a default position now, before a client asks.
  5. What does a violation look like, and what are the consequences? Additional training, access loss, escalation — name it before you need it.

D — Next steps

A 30-day plan to draft your v1.

This week

  • Find out what AI tools employees are already using.
  • Identify your AI policy owner — one named person.
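Question 1 of the quick start and the first step of this week's plan are the same discovery task: find out which AI tools are actually in use. The following is an added example, not tooling from the original kit. It builds an inventory of AI services seen in web-proxy logs, grouped by user, and flags the ones that are not on an approved list. The "timestamp user host" log format, the sample records, and the host-to-tool table are all constructed for the example; a real proxy export needs its own parser, and the host list is a starting point you would maintain locally.

```python
"""Shadow-AI discovery from proxy logs.

Added example, not tooling from the original kit. It assumes a simplified
proxy log with one "timestamp user host" record per line; that format and
the sample records below are constructed for the example. A real proxy
(Squid, Zscaler, a CASB export) needs its own line parser in place of LOG_LINE.
"""
import re
from collections import defaultdict

# Illustrative starting list of AI SaaS hosts, keyed to a tool name. This is an
# assumption for the example: maintain your own list and expect it to go stale.
AI_TOOL_HOSTS = {
    "chatgpt.com": "ChatGPT",
    "chat.openai.com": "ChatGPT",
    "api.openai.com": "OpenAI API",
    "claude.ai": "Claude",
    "gemini.google.com": "Gemini",
    "copilot.microsoft.com": "Microsoft Copilot",
    "perplexity.ai": "Perplexity",
}

# One record per line: ISO timestamp, username, destination host (constructed format).
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<host>\S+)$")

# Constructed sample log: five users, four AI services, one unrelated site,
# one malformed line to show that parse failures are counted, not ignored.
SAMPLE_LOG = """\
2024-05-06T09:12:01 alice chat.openai.com
2024-05-06T09:12:05 alice chat.openai.com
2024-05-06T09:15:44 bob claude.ai
2024-05-06T09:20:10 carol www.example.com
2024-05-06T10:01:02 dave copilot.microsoft.com
2024-05-06T10:03:50 bob api.openai.com
this line is malformed
2024-05-06T11:30:00 erin gemini.google.com
""".splitlines()


def classify_host(host):
    """Return the tool name for a host, matching the host itself or any parent
    domain in AI_TOOL_HOSTS (so "www.perplexity.ai" -> "Perplexity"); else None."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):          # stop before the bare TLD
        tool = AI_TOOL_HOSTS.get(".".join(labels[i:]))
        if tool is not None:
            return tool
    return None


def ai_usage_inventory(log_lines):
    """Build {tool: {"users": set, "requests": int}} from log lines.

    Returns (inventory, skipped) where skipped counts lines that failed to parse;
    a high skip count means the parser, not the policy, needs attention first."""
    inventory = defaultdict(lambda: {"users": set(), "requests": 0})
    skipped = 0
    for line in log_lines:
        match = LOG_LINE.match(line.strip())
        if match is None:
            skipped += 1
            continue
        tool = classify_host(match["host"])
        if tool is None:
            continue                          # ordinary web traffic
        inventory[tool]["users"].add(match["user"])
        inventory[tool]["requests"] += 1
    return dict(inventory), skipped


def unsanctioned_tools(inventory, approved):
    """Tools seen in traffic that are not on the approved list, sorted by name."""
    return sorted(tool for tool in inventory if tool not in approved)


def report(log_lines, approved):
    """Human-readable summary used when run as a script."""
    inventory, skipped = ai_usage_inventory(log_lines)
    lines = [f"parsed {len(log_lines) - skipped} records, skipped {skipped}"]
    for tool, stats in sorted(inventory.items()):
        flag = "" if tool in approved else "  <- not approved"
        users = ", ".join(sorted(stats["users"]))
        lines.append(f"{tool}: {stats['requests']} requests by {users}{flag}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Only Copilot is on the approved list in this constructed scenario.
    print(report(SAMPLE_LOG, approved={"Microsoft Copilot"}))
```

Run it against a few days of real proxy or DNS logs (after swapping in the right parser) and the "not approved" lines become the first input to question 2 and to the approved-tools list in component 2. Matching on parent domains matters because API endpoints and regional hosts rarely share the exact hostname of the consumer web app.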

This month

  • Draft a v1 policy covering the five quick-start questions.
  • Communicate it to your team. A policy nobody knows about doesn't protect anyone.

Ongoing

  • Review and update every 6 months. AI moves fast — your policy should keep pace.
  • Build AI training into onboarding.

E — Want this as a workshop?

The full policy worksheet is a workshop format.

In a 90-minute working session, leadership teams typically leave with a working v1 policy and a named owner. Book a session to bring this to your organization.
