AI Policies for Organizations: What to Consider Before You Draft

Stites & Harbison Client Alert, May 21, 2026

As AI tools become embedded in daily business operations, organizations across all industries are beginning to ask a common question: Do we have an AI policy, and if not, where do we start?

A practical approach to AI policy development begins with a clear understanding of current AI use and then turns to defining the organization’s desired approach to AI going forward.

Start with Discovery, Not a Form

A common mistake organizations make is reaching for a form AI policy before they have a clear picture of what AI tools are in use, by whom, and for what purposes. A policy built on incomplete information may not address the organization’s actual risks, and may fail to govern the AI uses that matter most. Before drafting, organizations should work through some foundational questions:

  • What AI tools are currently in use? Many employees are already using AI tools, sometimes without organizational approval. This includes general-purpose tools such as ChatGPT, Gemini, or Claude. It also includes AI features embedded in software the organization already licenses (such as Microsoft Copilot, Google Workspace, Grammarly, or Adobe AI features), as well as AI recording and meeting transcription tools (such as Microsoft Teams, Zoom, and similar platforms), which are increasingly common in virtual meetings.
  • Are any tools formally approved or vetted? Organizations should determine whether any AI tools have already been formally approved, conditionally approved, or prohibited for particular uses. They should also consider whether employees have practical, organization-supported options if higher-risk tools are restricted. Understanding which tools have been vetted, and what employees are using instead, is an important part of assessing current risk and governance gaps.

Employees may also be using personal, free, or consumer-tier AI tools, sometimes for legitimate low-risk purposes and sometimes with organizational or client/customer information. The key at this stage is to understand where that is happening, what kinds of data are involved, and whether the organization has reviewed the terms, data practices, and limitations of those tools.

Key Areas for AI Governance

Once an organization has a clearer picture of its current AI use, the next step is to identify the key areas its governance framework should address based on how it intends to use AI moving forward. This exercise is not only about reducing risk; it can also help the organization decide where to support responsible experimentation, workflow improvements, and other forms of employee-level innovation. The following categories are common starting points:

  • Data and Confidentiality. Organizations should consider what kinds of information they want employees to be able to use with AI tools, under what circumstances, and with which safeguards. That includes evaluating whether particular tools are appropriate for proprietary business information, confidential client/customer data, trade secrets, regulated personal data, or research-related information; whether the terms of use and data practices of those tools have been reviewed; and whether different categories of data call for different levels of restriction, approval, or oversight.
  • Privacy and Regulatory Compliance. Depending on the organization’s industry and geography, AI use may implicate obligations under privacy laws (such as CCPA, HIPAA, or GDPR), sector-specific regulations, or contractual data handling commitments. This is particularly relevant where AI tools interact with personal data of employees, customers, or business partners.
  • AI Recording and Meeting Transcription. The use of AI recording tools in meetings, whether internal or with clients and customers, raises distinct issues, including notice, consent, data retention, and confidentiality. Organizations should consider whether and under what circumstances AI recording tools may be used, and who must be informed when they are.
  • Customer-Facing and Website AI. If the organization uses or is considering client/customer-facing AI features (such as AI chat tools on its website or AI-driven customer interactions), the policy should consider disclosure obligations, data collection practices, and applicable privacy compliance requirements.

Fit the Policy to Your Governance Framework

A standalone AI policy is rarely the most effective approach. To be useful in practice, an AI policy should align with, and where appropriate cross-reference, the organization’s existing policies on acceptable use, data security, confidentiality, privacy, intellectual property, records management, research integrity, and employee conduct.

Before drafting, organizations should inventory the relevant policies already in place and identify where AI use is already addressed, whether expressly or indirectly. That review can help surface both gaps and potential conflicts. In some cases, the better approach is not to create an entirely separate set of rules, but to integrate AI-related expectations into existing governance documents and use a standalone AI policy only where it adds clarity or structure.

Calibrate to Your Organization’s Needs

There is no one-size-fits-all AI policy. A policy appropriate for a small professional services firm will look very different from one designed for a large manufacturer or a healthcare organization. The appropriate level of specificity, the tools and use cases addressed, and the governance mechanisms (approval workflows, training requirements, and monitoring) should be calibrated to the organization’s size, risk profile, and current governance maturity.

Organizations that are earlier in this process may benefit most from starting with a clear statement of principles and a process for evaluating and approving AI tools, and then building from there as their AI landscape evolves.

Balance Governance with Innovation

For organizations that want to actively leverage AI internally, the policy itself should not become a barrier to safe, productive use. A policy that is too restrictive, or that tries to address every possible scenario in granular detail, can stifle adoption and innovation, push employees toward unsanctioned tools, and quickly become outdated as AI capabilities evolve.

A more effective approach is to keep the AI policy itself focused on essential elements, while maintaining more detailed and changeable guidance, including approved-tool information, data handling expectations, IP considerations, and oversight requirements, in separate internal resources and training materials. Training and guidance materials are easier to update as tools and use cases evolve, and they can speak more directly to specific workflows, role-based use cases, and practical examples, without locking the formal policy into details that may need to change quickly.

This layered approach, a focused policy supported by ongoing training and guidance, also tends to produce better outcomes than policy alone. Employees who understand both the “why” and the “how” of responsible AI use are more likely to make sound judgments in the situations the policy does not explicitly address.

Practical Starting Points

For organizations beginning this process, the following are a few practical starting points:

  • Conduct a brief internal audit to identify what AI tools are currently in use, by whom, for what purposes, and where the organization may want to support or better structure AI use moving forward.
  • Review the terms of use and data practices for AI tools currently in use, particularly those used, or under consideration for use, with proprietary, regulated, research-related, or other sensitive information.
  • Assess which existing governance policies already apply to AI use, explicitly or indirectly, where gaps exist, and how any proposed AI policy should be coordinated with those documents.
  • Consider whether a formal process is needed to approve or vet AI tools, and how employees will identify which tools are approved and the permitted use cases as tools and guidance evolve.
  • Engage with legal counsel early to help identify the legal, regulatory, and governance issues most relevant to your organization and to ensure that any policy framework aligns with applicable requirements and existing policies.
  • Identify which teams or functions should be involved in shaping the policy, including legal, privacy, information security, IT, compliance, and business or operational stakeholders.

An effective AI policy should be grounded in the organization’s current and intended use of AI, not in abstract ideas about how AI might be used. Organizations that begin with discovery and shape governance based on their own culture, risk tolerance, and appetite for innovation will be better positioned to manage risk while supporting responsible and productive AI use.

Contact

Mandy Wilson Decker
502-681-0521
