Key Takeaways
- Employees are already using generative AI at work, often without approval. A written policy replaces silent, ad-hoc use with rules everyone signs.
- Under the Defend Trade Secrets Act, trade-secret protection depends on reasonable secrecy measures. A policy banning confidential data in unapproved tools is exactly that measure.
- Most public AI tools may use submitted content to train their models, so one careless prompt can leak customer data, source code, or a confidential contract permanently.
- Purely AI-generated work may not qualify for copyright (Thaler v. Perlmutter), so heavily AI-made content can be copied freely by competitors unless a human contributes meaningful authorship.
- AI used in hiring triggers specific duties: NYC Local Law 144 requires a bias audit and notice, and the Colorado AI Act adds deployer obligations phasing in during 2026.
- The policy covers four pillars: approved tools, prohibited data, output review, and disclosure, and adapts to company size, posture, and regulated sector.
Reviewed for accuracy by the document.com legal team. Educational information, not legal advice.
What Is a Workplace AI Use Policy?
A workplace AI use policy is the written rule set that tells employees how they may and may not use generative artificial intelligence tools such as ChatGPT, Claude, Copilot, and Gemini in the course of their work. It names the tools the company has approved, lists the categories of information that must never be entered into a public model, sets the standard for reviewing AI output before anyone relies on it, and explains when an employee has to disclose that AI helped produce their work. It is the document a company adopts to capture the productivity of AI without losing control of its confidential information, its legal compliance, or the quality of its work product.
The need is immediate because adoption has run ahead of governance. Surveys consistently find that a large share of employees already use AI tools at work, and many do so without telling anyone. Every one of those prompts is a decision about company data that no one reviewed. A workplace AI policy replaces that silent, ad-hoc behavior with a clear standard everyone signs and understands, so the company gets the benefit of the technology while closing the legal and security gaps it opens.
- Protect Secrets: keeps trade secrets and customer data out of public models that train on input.
- Stay Compliant: tracks privacy, hiring, and sector AI laws so adoption does not create liability.
- Verify Output: requires human review for accuracy, bias, and infringement before output is used.
Why Every Employer Needs One Now
Generative AI moved into the workplace faster than any technology in memory, and the early mistakes were instructive. In 2023, shortly after employees at a major electronics manufacturer pasted internal source code into a public chatbot to debug it, the company restricted use of the tool, an early warning that a single helpful prompt can expose a trade secret. Surveys since then have consistently found that a large share of employees use AI at work, and that many do so without telling anyone. Every one of those prompts is a decision about company data that no one reviewed.
Regulators and lawmakers responded quickly. New York City's Local Law 144, requiring a bias audit of automated hiring tools, took effect in 2023. Colorado enacted the first comprehensive state AI law, SB 24-205, in 2024, with obligations phasing in during 2026. The European Union's AI Act became law in 2024. At the same time, the U.S. Copyright Office confirmed that purely AI-generated work cannot be registered for copyright, raising the question of what AI-assisted work a company actually owns. A written policy is how an employer captures the productivity of these tools while closing the legal and security gaps they open, rather than discovering the gaps after a leak or a lawsuit.
Why Employers Need One
The exposure here is not hypothetical, and it tends to arrive the same few ways.
Leakage is the obvious one. Most consumer AI tools reserve the right to use submitted content to train their models. When an employee pastes confidential material into a public tool, the company may lose control of it permanently. Under the Defend Trade Secrets Act, 18 U.S.C. section 1836 and following, trade-secret protection depends on the owner taking reasonable measures to keep the information secret. A written policy prohibiting confidential data in unapproved tools is precisely the kind of reasonable measure a court expects to see, and its absence is evidence the company did not protect its own secrets.
Then there is reliance on bad output. Generative models produce confident text that can be wrong, biased, or infringing. An employee who ships a hallucinated statistic, a discriminatory screening result, or a passage copied from a protected work exposes the company to liability the company never saw coming. The policy answers this by requiring human verification before AI output is used, and by prohibiting AI as the sole basis for consequential decisions.
And then ownership gets murky. As covered below, purely AI-generated material may not qualify for copyright at all, which means competitors could copy it freely. A company that does not track how much of its work product is human-authored cannot know what it actually owns. The policy fixes this with disclosure and record-keeping duties that work alongside the company's employment contract and work for hire agreement.
What the Policy Covers
A workable policy has four moving parts, each one turning a vague worry into a rule an employee can actually follow.
- Approved Tools: which generative AI tools employees may use, and the approval path for adding new ones.
- Prohibited Data: what may never be entered into a public model: trade secrets, source code, customer PII, and regulated health or financial data.
- Output Review: the duty to verify AI output for accuracy, bias, and infringement before it is used or shipped.
- Disclosure: when employees must disclose AI assistance, and how AI-assisted work is attributed and owned.
The Laws Your AI Policy Has to Track
A serious policy is not generic boilerplate. It maps to the specific statutes that govern data, hiring, and AI systems, which is what makes it a compliance tool rather than a memo.
Trade secrets and confidentiality
The Defend Trade Secrets Act (18 U.S.C. section 1836 and following) and state trade-secret laws condition protection on reasonable secrecy measures. The policy's prohibited-data rules and approved-tools list are those measures in writing. The policy also reinforces the obligations in any non-disclosure agreement the employee or company has signed, since pasting NDA-protected material into a public tool can breach that agreement directly.
Data privacy
The California Consumer Privacy Act, as amended by the California Privacy Rights Act (Cal. Civ. Code section 1798.100 and following), gives consumers rights over their personal information and obligates businesses to protect it. Entering customer personal data into a public AI tool can violate those duties and the company's own privacy commitments. For companies handling European data, the GDPR adds strict limits on processing personal data, including automated processing. The policy ties the prohibited-data list directly to these obligations.
AI in hiring and consequential decisions
New York City's Local Law 144 requires a bias audit and candidate notice before an automated employment decision tool is used. The Colorado Artificial Intelligence Act (SB 24-205) imposes duties on deployers of high-risk AI systems that make consequential decisions, including in employment, lending, and housing, with obligations phasing in during 2026. The policy requires that any AI touching hiring or personnel decisions pass through legal and human-resources review rather than being adopted by an individual manager.
Copyright and the EU AI Act
On ownership, the United States Copyright Office and the decision in Thaler v. Perlmutter hold that works lacking human authorship cannot be registered, so heavily AI-generated output may not be protectable. For multinational employers, the EU Artificial Intelligence Act (Regulation 2024/1689) classifies AI systems by risk and imposes transparency and governance duties that began phasing in from 2025. The multinational version of the policy cross-references these obligations so a single document works across jurisdictions.
AI Laws at a Glance, and What the Policy Does About Each
A serious AI policy is a compliance tool, not a memo. The table maps the laws that govern data, hiring, and AI systems to the specific thing the policy does to satisfy each one.
| Law | Citation | What it governs | What the policy does |
|---|---|---|---|
| Defend Trade Secrets Act | 18 U.S.C. §1836 et seq. | Trade secrets; protection depends on reasonable secrecy measures | Prohibited-data list and approved-tools list are those measures in writing |
| CCPA / CPRA | Cal. Civ. Code §1798.100 et seq. | Consumer personal information held by businesses | Bars entering customer or employee personal data into public tools |
| NYC Local Law 144 | NYC Admin. Code §20-870 | Automated employment decision tools (hiring) | Routes any hiring AI through legal and HR for bias audit and notice |
| Colorado AI Act | SB 24-205 | High-risk AI making consequential decisions (2026) | Requires review of AI used in employment and other consequential decisions |
| EU AI Act | Regulation 2024/1689 | AI systems by risk level (multinationals) | Multinational version cross-references transparency and governance duties |
AI law is changing quickly; confirm current obligations for your jurisdictions. Linked statutes appear in Legal Authorities & Sources below.
State AI-Employment and Privacy Laws to Map Your Policy Against
Beyond federal law, two fast-growing bodies of state law shape a workplace AI policy: laws that govern AI in hiring and employment, and the comprehensive consumer-privacy laws that constrain what employee and customer data may be fed into AI tools. 22 states now have a comprehensive privacy law. If your company operates in any of the jurisdictions below, the policy should be tuned to them.
AI in hiring and employment, by jurisdiction
| Jurisdiction | Law | What it requires |
|---|---|---|
| New York City | NYC Administrative Code § 20-871 (Local Law 144 of 2021) | Requires employers to conduct bias audits (within 1 year) of automated employment... |
| Illinois | HB 3773, codified at 775 ILCS 5/2-101(M) and 775 ILCS... | Prohibits employers from using AI in ways that result in discrimination based on... |
| California | California Code of Regulations Title 11 (DFEH automated... | Requires employers using automated decision systems in hiring (resume screening,... |
| Colorado | SB 26-189 (repealed and replaced former SB 24-205),... | Applies to automated decision-making technology (ADMT) used to materially influence... |
| Texas | HB 149 (Texas Responsible Artificial Intelligence... | Requires AI systems to be reviewed for unlawful discrimination and transparency... |
| Maryland | Maryland Labor and Employment Code § 3-717 (HB 1202) | Prohibits employers from using facial recognition services to create facial templates... |
| Illinois (statewide) | Artificial Intelligence Video Interview Act (part of... | Requires notification to applicants before video interviews using AI analysis,... |
| California | California Labor Code § 927 (AB 2602) | Protects employees from unfair contracts allowing creation and use of digital replicas... |
| Washington | SHB 1672 (Employee Monitoring Law) - STATUS: Pending (not... | Restricts private employer use of electronic monitoring and automated decision systems;... |
States with a comprehensive consumer-privacy law
| State | Privacy law |
|---|---|
| California | California Consumer Privacy Act (CCPA), California Civil... |
| Virginia | Virginia Consumer Data Protection Act (VCDPA), Virginia... |
| Colorado | Colorado Privacy Act (CPA), C.R.S. § 6-1-1301 et seq. |
| Connecticut | Connecticut Data Privacy Act (CTDPA), Connecticut General... |
| Utah | Utah Consumer Privacy Act (UCPA), Utah Code § 13-61-101 et... |
| Montana | Montana Consumer Data Privacy Act (MCDPA), Montana Code... |
| Oregon | Oregon Consumer Privacy Act (OCPA), Oregon Revised Statutes... |
| Texas | Texas Data Privacy and Security Act (TDPSA), Texas Business... |
| Florida | Florida Digital Bill of Rights (FDBR), Florida Statutes §... |
| Arkansas | Arkansas Online Privacy Act (AOPA), HB 1717, codified at... |
| Delaware | Delaware Personal Data Privacy Act (DPDPA), Delaware Code... |
| Iowa | Iowa Consumer Data Protection Act (ICDPA), Iowa Code §... |
| New Hampshire | New Hampshire Privacy Act (NHPA), New Hampshire Revised... |
| New Jersey | New Jersey Data Protection Act (NJDPA), New Jersey Revised... |
| Nebraska | Nebraska Data Privacy Act (NDPA), Nebraska Revised Statutes... |
| Tennessee | Tennessee Information Protection Act (TIPA), Tennessee Code... |
| Minnesota | Minnesota Consumer Data Privacy Act (MCDPA), Minnesota... |
| Maryland | Maryland Online Data Privacy Act (MODPA), Maryland Code... |
| Indiana | Indiana Consumer Data Protection Act (ICDPA), Indiana Code... |
| Kentucky | Kentucky Consumer Data Protection Act (KCDPA), Kentucky... |
| Rhode Island | Rhode Island Data Transparency and Privacy Protection Act... |
| Oklahoma | Oklahoma Consumer Data Privacy Act (OCDPA), Oklahoma Senate... |
Compiled from primary state statutes and verified against legislative sources in 2026. AI-employment and privacy laws are being enacted and amended rapidly; confirm current obligations for your jurisdictions.
Workplace AI Use Policy Preview
Below is a visual preview of the sections the policy includes. Your completed policy is fully formatted and customized to your company size, posture, and regulated sector.
Artificial Intelligence Use Policy
Effective for All Employees and Contractors
1. Purpose and Scope
Applies to all employees, contractors, and vendors using AI tools for company work.
2. Approved Tools
Lists permitted tools and the approval path for adding new ones.
3. Prohibited Data
4. Output Review and Disclosure
Human verification required; AI assistance disclosed where applicable.
5. Compliance and Enforcement
Maps to DTSA, CCPA/CPRA, NYC Local Law 144, and the Colorado AI Act.
How to Fill Out the Workplace AI Use Policy
The template asks a short series of questions and assembles the policy from your answers. Here is what each step covers.
1. Company and posture
Enter the company name and choose your overall posture: permissive, where AI is encouraged within guardrails, or restrictive, where AI is allowed only for approved tasks. The posture sets the default tone for the rest of the policy.
2. Regulated sector
Select whether you operate in healthcare, financial services, legal, or another regulated field. This expands the prohibited-data list and adds the sector-specific duties that apply to you, such as HIPAA for health data.
3. Approved tools
List the AI tools employees may use and name the person or team that approves new ones. Leaving this blank invites shadow use, so name at least the enterprise tools you have vetted.
4. Prohibited data categories
Confirm or adjust the categories of information employees may never enter into a public tool. The default list covers trade secrets, PII, PHI, source code, and nonpublic financial data; add anything specific to your business.
5. Output review and disclosure
Set the review standard, for example that a qualified human must verify AI output before it is used externally, and decide when employees must disclose AI assistance to clients or in deliverables.
6. Hiring and consequential decisions
Choose whether to include the hiring-AI controls that require legal and HR review under laws like NYC Local Law 144 and the Colorado AI Act. Include them if AI touches any personnel decision.
7. Acknowledgment and review
Add the employee acknowledgment block and the review-and-update clause. Then download the policy as a PDF or Word file and distribute it for signature, or send it through the built-in e-sign flow so every employee acknowledgment is on record.
Key Terms Defined
A few terms carry specific meaning in a workplace AI policy. Here is what each one means.
- Generative AI
- Artificial intelligence tools such as ChatGPT, Claude, Copilot, and Gemini that generate new text, code, images, or audio in response to prompts.
- Shadow AI
- Employee use of AI tools that the company has not approved or does not know about, the main risk a written AI policy is designed to eliminate.
- Prompt
- The text or data an employee submits to an AI tool. Every prompt is a disclosure decision, because many public tools may use submitted content to train their models.
- Prohibited data
- Categories of information that must never be entered into a public AI tool, including trade secrets, customer and employee personal information, source code, protected health information, and nonpublic financial data.
- Automated employment decision tool (AEDT)
- An AI system used to screen, rank, or evaluate job candidates or employees. NYC Local Law 144 requires a bias audit and candidate notice before an AEDT is used.
- Trade secret
- Confidential business information that derives value from being secret and is protected under the Defend Trade Secrets Act only if the owner takes reasonable measures to keep it secret.
Policy vs Related Documents
Non-Disclosure Agreement
An NDA creates the confidentiality duty; the AI policy operationalizes it by telling employees that putting NDA-protected data into a public model breaches that duty.
AI Voice & Likeness Release
If your company builds AI from employee voices or images, the policy governs the tools while an AI voice and likeness release obtains each person's consent to use their identity.
Privacy Policy
Your public privacy policy tells customers how you handle their data; the AI policy makes sure employees do not undermine those promises by feeding customer data into AI tools.
Legal Authorities & Sources
This page is grounded in primary law. The statutes and official resources below are the authorities behind the guidance above. Verify the current text of any statute before relying on it.
- Defend Trade Secrets Act, 18 U.S.C. section 1836 et seq.
- California Consumer Privacy Act / CPRA, Cal. Civ. Code section 1798.100 et seq.
- NYC Local Law 144 (automated employment decision tools)
- Colorado Artificial Intelligence Act, SB 24-205
- EU Artificial Intelligence Act, Regulation 2024/1689
- U.S. Copyright Office, Copyright and Artificial Intelligence
Create your Workplace AI Use Policy in under 15 minutes.
Answer a few questions about your company and sector, and download an attorney-drafted policy that protects your trade secrets and tracks current AI law.