The Samsung lesson: what an AI policy is actually for.
In 2023, Samsung engineers pasted proprietary source code into ChatGPT to debug it.
The code went into a public AI tool. The trade secrets went with it. Samsung's response was swift and decisive: a company-wide ban on generative AI. The story made headlines for a few news cycles and then disappeared into the general fog of tech anxiety.
Most coverage missed the actual lesson.
The problem at Samsung wasn't that engineers used AI. The problem was that nobody had told them what was and wasn't OK to put into it. They were technical people working under time pressure, given access to a powerful new tool, with no rules. They did what every professional does in that situation: they used their best judgment. Their best judgment was wrong, but not because they were careless: nobody had told them where the line was.
That's what an AI policy is actually for. Not to ban AI. To tell your team how to use it without accidentally giving away the business.
The framework most leaders haven't heard of
There's a federal standard for thinking about AI risk. It's free, voluntary, and increasingly the framework regulators reference when something goes wrong.
The National Institute of Standards and Technology (NIST) released the AI Risk Management Framework in January 2023. It organizes the problem into four functions: Govern, Map, Measure, and Manage. If you've heard of any of them, you've probably heard about the technical ones in the middle. The one most leaders skip is the first one.
Govern is who's accountable, and what's allowed.
Map is where AI is actually being used inside your business.
Measure is how you know it's working, or causing harm.
Manage is what you do when something breaks.
Most companies skip straight to Manage. They have an incident, they write a memo, they call it a policy. Six months later they have another incident. Then they ban the tool. That's the Samsung pattern.
The companies that don't end up there start with Govern.
The three questions inside Govern
Govern sounds abstract. In practice, it's three questions, and they're the same three questions every functional AI policy answers.
What tools are approved? Not "AI in general." Specific tools, named, with versions where it matters. ChatGPT free retains your data for training by default. ChatGPT Team doesn't. That distinction has compliance implications for industries with confidentiality requirements. The list of approved tools is also a signal to your team. It tells them which tools you've vetted and which they shouldn't use without checking in.
What data is absolutely off-limits? Write the categories. Customer information, financial data, contracts under NDA, anything proprietary. If you don't write the categories, your team will infer them. The Samsung engineers inferred wrong.
Who has final sign-off on AI-generated output that leaves the business? Client emails. Board memos. Press statements. Contract language. Anything that represents the company to the outside world needs a human signature, not an AI signature. Name who provides that signature.
Three questions. Answered in plain English. You can write the first draft in an afternoon and refine it over the following weeks as edge cases come up.
Why this is the actual starting point
The Samsung pattern (incident, ban, regret) is preventable. It doesn't require sophisticated technical knowledge to prevent. It requires being explicit about three things your team is currently guessing at.
The NIST framework gives those three questions a structure. Govern isn't the boring administrative function. It's the function that decides whether the rest of the framework gets to do its job. Without it, your team is operating on guesses. With it, they're operating on a defined set of rails, which is exactly what they need to do their best work with AI without taking the company down with them.
If you've banned generative AI in your business, that's a Manage decision being made in a Govern vacuum. Reverse it. Start with the three questions. Write the policy this week.
The full framework
The AI Policy Starter Kit walks through the full eight-component framework, mapped to NIST's four functions, with a sample template you can adapt.