Before you build a complex AI risk registry, you need basic alignment on employee behavior. If your engineers are pasting customer code or sensitive API payloads into unvetted public LLM helpers, your company faces immediate compliance and data leakage risks.
An AI Acceptable Use Policy (AUP) defines what AI tools are approved, how data must be sanitized, and what requires formal review. Below is an inline template designed for B2B SaaS teams.
Corporate AI Acceptable Use Policy Template
Copy and adapt the template below. Replace all bracketed items [like this] with your company details.
### [COMPANY] — Employee AI Acceptable Use Policy
Version: 1.0
Last Updated: [Date]
Approved By: [Security/Legal Officer]
1. Purpose
The purpose of this policy is to define the guidelines and restrictions governing [COMPANY]'s employees and contractors using artificial intelligence (AI) tools, Large Language Models (LLMs), and automated assistants in their professional workflows.
2. Scope
This policy applies to all employees, contractors, and third-party personnel who access [COMPANY]'s systems or source code, or who process customer data on [COMPANY]'s behalf.
3. Approved AI Tooling Categories
Personnel may only use AI tools that have been explicitly cataloged in [COMPANY]'s internal software directory:
a) Tier 1 (Fully Approved): Tools covered by an enterprise contract that commits the vendor to not retaining prompts or outputs and to not using them for model training (e.g., [COMPANY]'s internal chat bot, or enterprise-tier Microsoft Copilot).
b) Tier 2 (Restricted): Public consumer tools (e.g., standard ChatGPT, Claude, Gemini). Data submitted here MUST NOT contain customer production data, proprietary source code, or personally identifiable information (PII).
c) Tier 3 (Prohibited): Unapproved browser extensions, unvetted ("shadow") coding assistants, and any service whose terms permit submitted data to be used for model training.
4. Data Isolation & Security Safeguards
Under no circumstances shall personnel input the following into Tier 2 (Restricted) tools (Tier 3 tools may not be used at all):
- Customer database payloads or backups.
- Private keys, credentials (passwords, API tokens, session cookies), or system configuration files.
- Personally Identifiable Information (PII) of clients, staff, or users.
- [COMPANY] proprietary source code or product blueprints.
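A policy only works if engineers have a cheap way to check a prompt before pasting it. The following is an added example (not part of the template or of Govarna's tooling) of a pre-flight scanner that flags and redacts the categories listed above: key material, well-known credential formats, e-mail addresses, `password=`-style assignments, and long high-entropy strings. The patterns, threshold, and the sample prompt are illustrative assumptions; a real deployment would use the organisation's own DLP rule set, and this check complements rather than replaces it.

```python
import math
import re
from dataclasses import dataclass

# Detection rules. These patterns are illustrative (an assumption of this example),
# not an exhaustive DLP rule set; a rule with a capture group redacts only the
# captured value so the surrounding context stays readable.
RULES: dict[str, re.Pattern[str]] = {
    "private_key": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----(?:[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----)?"
    ),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "credential_assignment": re.compile(
        r"(?i)(?:password|passwd|pwd|secret|api[_-]?key|token)\s*[:=]\s*[\"']?([^\s\"',;]{4,})"
    ),
}

# Catch-all for long random-looking tokens the named rules did not recognise.
HIGH_ENTROPY_TOKEN = re.compile(r"[A-Za-z0-9+/=_-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; base64/hex secrets sit well above this


@dataclass(frozen=True)
class Finding:
    kind: str
    sample: str  # only a short prefix is kept, so the report itself does not leak the value


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in (s.count(ch) for ch in set(s)))


def redact(text: str) -> tuple[str, list[Finding]]:
    """Return (redacted_text, findings). Rules run in order on progressively redacted
    text, so a key body removed by the first rule is not re-reported by the entropy pass."""
    findings: list[Finding] = []

    for kind, rule in RULES.items():
        def _sub(m: re.Match, kind: str = kind) -> str:
            placeholder = f"[REDACTED:{kind}]"
            if m.lastindex:  # keep e.g. 'DB_PASSWORD = "' and redact only the value
                findings.append(Finding(kind, m.group(1)[:4] + "..."))
                return m.group(0)[: m.start(1) - m.start()] + placeholder
            findings.append(Finding(kind, m.group(0)[:4] + "..."))
            return placeholder
        text = rule.sub(_sub, text)

    def _entropy_sub(m: re.Match) -> str:
        token = m.group(0)
        if shannon_entropy(token) >= ENTROPY_THRESHOLD:
            findings.append(Finding("high_entropy_string", token[:4] + "..."))
            return "[REDACTED:high_entropy_string]"
        return token
    text = HIGH_ENTROPY_TOKEN.sub(_entropy_sub, text)

    return text, findings


def is_safe_for_tier2(text: str) -> bool:
    """True when the pre-flight scan finds nothing that section 4 forbids."""
    return not redact(text)[1]


# Constructed sample prompt (not real data); the AWS key is AWS's documented example value.
SAMPLE_PROMPT = """Can you help me fix this config loader?
DB_PASSWORD = "hunter2-prod-2024"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
Reach me at jane.doe@example.com if it still fails.
-----BEGIN RSA PRIVATE KEY-----
MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    clean, found = redact(SAMPLE_PROMPT)
    for f in found:
        print(f"{f.kind}: {f.sample}")
    print("safe for Tier 2:", is_safe_for_tier2(SAMPLE_PROMPT))
    print(clean)
```

Run as a pre-commit hook, a clipboard filter, or a proxy in front of a Tier 2 tool, the scan turns a policy sentence into an enforceable gate: anything with a finding is either redacted first or routed to a Tier 1 tool. Expect false positives on long identifiers and false negatives on secrets in unusual formats; the rule set should grow from the organisation's own incidents rather than stay at these examples.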
5. Code Generation & Human Review
If engineers use approved coding assistants (e.g., GitHub Copilot Enterprise), they must review all generated code before merge with the same scrutiny applied to human-written code, including confirming that any dependency it introduces actually exists in the approved registry and is pinned to a reviewed version. Personnel remain fully responsible for the correctness, security, and performance of any AI-derived deliverable.
6. Violations & Enforcement
Violation of this policy may lead to disciplinary action, up to and including termination of employment.
How to Roll Out this Policy
- Customize placeholders: List the exact tools your team relies on (e.g., ChatGPT, GitHub Copilot) and assign each one to a tier.
- Formal Approval: Have your security lead or external legal counsel review and sign off.
- Share with staff and retain evidence: Distribute the policy to all personnel, record their acknowledgement, and upload the signed PDF to your evidence vault so it can be sent to prospective buyers as proof of governance.
Generate and Map Policies Instantly
Govarna provides editable policy wizards for AI Acceptable Use, Incident Response, and Vendor Risk, mapping them directly to security controls.