Governance Guide · Workplace AI Policy

How to write a workplace AI policy.
That people actually follow.

Most workplace AI policies fail the same way: written once, announced once, and never seen again. This guide covers what an AI acceptable use policy for employees actually needs to include, who should own it, how it differs from guardrails, and how to write one your team will follow — without a legal team drafting it.

Workplace AI policy framework for managers — structured acceptable use policy for employees
Steve Buckner
Steve Buckner

Cloud Systems Engineer · MCT · PMP · Azure Solutions Architect Expert. 40+ years in IT and operations. Builder of the Blair AI Rollout Framework.

Published July 2026 · About Steve →

What is a workplace AI policy?

A workplace AI policy is a written document that defines how employees may use AI tools on the job — which tools are approved, what data can and cannot be entered into them, how AI outputs must be reviewed before use, and who is accountable when something goes wrong. Unlike informal guardrails, a policy is documented, versioned, and owned: it has a named owner, a written record, and a review date.


A policy without an owner is just a document.

Ask most organizations whether they have an AI policy and you'll get one of two answers: "no, we should probably write one" or "yes, it's in the employee handbook somewhere." Both answers describe the same situation — nobody owns how AI is actually being used.

Here's the honest truth: the document is the least important part of an AI policy. What matters is the set of decisions the document records — what's allowed, what isn't, who decides, and what happens when reality doesn't match the plan. An unwritten policy with a clear owner beats a beautifully formatted PDF that nobody has opened since the day it was announced.

That's why this guide starts with ownership and coverage, not formatting. Get those decisions right and the writing takes an afternoon.


What a workplace AI policy needs to cover at minimum.

You don't need forty pages. You need clear written answers to six things:

1. Approved tools and acceptable use

Which AI tools are approved for work use, which are explicitly not, and what happens when someone wants to add one to the list. This is the section most policies skip — and it's where shadow AI comes from.

If there's no sanctioned path to request a tool, employees don't stop using AI. They stop telling you about it.

2. Data handling boundaries

What data classifications can and cannot go into AI tools — especially cloud-based ones. Customer records, employee data, confidential contracts, strategic plans: each needs a clear answer before someone pastes it into a prompt. A simple three-category framework (freely usable, use with caution, never use with AI) covers most organizations.

3. Output review expectations

AI makes mistakes — sometimes subtle ones. Your policy should define what "review before acting" means for the use cases your team actually has. A customer-facing email drafted by AI needs a different review standard than a summary of internal meeting notes.

4. Ownership and escalation

Who owns the policy, who answers questions about gray areas, and who gets told when an AI output causes a real problem. A named person, not a committee.

5. Error reporting without blame

If reporting an AI mistake gets someone in trouble, mistakes stop getting reported — they don't stop happening. The policy should make clear that documented errors are organizational learning, not individual failure.

6. A review date

AI tools change faster than most policies do. A policy without a scheduled review date is a snapshot, not a system. Quarterly works for most small and mid-sized organizations.


Who should own the AI policy — IT, legal, or operations?

The honest answer: whoever is closest to the workflows where AI is actually being used. In most organizations of 200 to 5,000 employees, that's operations — not IT, and not legal.

IT can tell you which tools are secure. Legal can tell you where the liability sits. But neither one sees the daily reality of how AI is changing the work — which workflows people are quietly accelerating, where outputs are going unreviewed, and which teams are furthest ahead. The policy owner needs that visibility, because a policy written without it describes an organization that doesn't exist.

That doesn't mean operations writes the policy alone. It means operations owns it — with IT consulted on tool security, legal consulted where regulation or liability demands it, and leadership signing off on the boundaries. Ownership means one named person is accountable for the policy being current, known, and followed. If you can't name that person today, that's your starting point.

This is the same ownership-and-accountability principle that runs through the guardrails guide — a policy is where that ownership gets written down.


AI policy vs. AI guardrails: what's the difference?

The two terms get used interchangeably. They shouldn't be.

Guardrails are the working norms — the practical rules a team applies day to day: what data is off-limits, how outputs get reviewed, who to ask when something's unclear. Guardrails can exist without a formal document, and in the first 30 days of a rollout, they usually should. (How to set them: How to Set AI Guardrails in the Workplace →)

A policy is what happens when those norms mature: written down, versioned, owned, and applied consistently across teams. A policy makes guardrails durable — they survive personnel changes, apply to new hires automatically, and hold up when someone asks "where does it say that?"

The sequence matters. Organizations that write the policy first, before running anything real, produce documents full of guesses. Organizations that run a structured pilot first — with working guardrails — write policies grounded in evidence. Set guardrails now; formalize the policy once you've seen how they hold up in practice.


What a good AI policy structure looks like.

Principle-level — no template needed to start:

The Blair AI Rollout Framework includes a governance policy starter template.

The framework's governance module includes a policy starter template built for managers who don't have a legal team drafting their AI policies — along with the gate documents that turn a written policy into practiced governance. Principle to practice, in sequence.

See What's Inside the Framework →

Related resources.

AI Guardrails Guide →

The working norms your policy will eventually formalize.

AI Rollout Framework Guide →

Where policy fits in the full 90-day rollout.

AI Readiness Assessment →

Measure your governance pillar before you write anything.


Common questions.

If employees have access to AI tools — and they do, whether sanctioned or not — you need at least documented guardrails, and a policy soon after. The trigger isn't company size; it's exposure: sensitive data, client-facing output, or regulated work all make a written policy necessary. What you don't need is a forty-page document before your first pilot. Start with one owned, dated page.
Six things at minimum: approved tools and acceptable use, data handling boundaries, output review expectations, named ownership and escalation, blame-free error reporting, and a scheduled review date. Everything else — tone, formatting, length — is secondary to those six decisions being made and written down.
One page to start. A policy's value is inversely related to how much of it goes unread. Expand it as your rollout matures and real cases accumulate — a mature organization might justify several pages, but no first policy does.
Operations, in most organizations — whoever is closest to the workflows where AI is actually used. IT advises on tool security, legal advises on liability and regulation, leadership signs off on boundaries. But one named person, usually in operations, should be accountable for the policy being current, known, and followed.
Start with visibility, not a blank page: find out how AI is already being used in your organization. Then make the six coverage decisions (tools, data, review, ownership, error reporting, review date), write them in plain language on a single page, name the owner, date it, and communicate it in a real meeting — not just an email. Formalize and expand only after a structured pilot shows you how the rules hold up.
Guardrails are the day-to-day working norms — practical rules a team applies immediately, no formal document required. A policy is those norms written down, versioned, and owned so they apply consistently and survive personnel changes. Guardrails come first; the policy formalizes what practice has proven.
Quarterly for most small and mid-sized organizations, plus a check whenever a new AI tool is approved or a team reports a genuinely new use case. AI usage changes faster than most policies do — a recurring review catches drift before it becomes risk.
That's the normal case, not the exception. Don't respond with a ban — bans drive AI use underground where you can't see it. Get visibility into what's being used, triage each use case by risk, and treat what you find as the requirements document for your policy. Unauthorized use is evidence of demand.

Write the policy after you know where you stand.

The free AI Readiness Score measures your governance pillar — including policy and ownership gaps — in about 5 minutes. The Blair AI Rollout Framework then gives you the policy starter template and the structure to make it real.

Start with the Free Assessment → See the Full Framework