🟢 Foundation

Internal AI usage policy — template for companies

Editable AI usage policy template. Covers allowed/restricted/prohibited, governance, incident response, GDPR/LGPD compliance. Ready for adaptation by DPO/HR/legal.

May 16, 2026 · 10 min · ai-governance

Why every company needs an AI policy in 2026

In 2026, “if your company doesn’t have a written AI usage policy, your company has an implicit one: every employee decides for themselves.” That becomes an incident.

Pattern we see:

Employee uses personal ChatGPT to process sensitive customer data.
Confidential information leaks inadvertently.
Customer finds out via a competitor who heard from someone else.
Reputational crisis + data-protection fine + lost contract.

Cost to prevent: 1 template + 4 hours of adaptation. Cost not to prevent: can reach millions.

This post presents the template we apply at ~20 companies in 2026. Editable, based on NIST AI RMF + ISO/IEC 42001 + GDPR/LGPD.

Template — AI usage policy

How to use: copy the template below. Replace [VARIABLES] with your values. Submit to legal + DPO review. Formal approval by leadership. Communicate to 100% of staff via official channel.

Document: AI Usage Policy — [COMPANY NAME] Version: 1.0 Effective date: [DATE] Owner: [DPO NAME or equivalent] Approval: [CEO/Director NAME] Next review: [DATE + 12 months]

Section 1 — Principles

[COMPANY] recognizes the transformative potential of AI and adopts its responsible use. The 5 guiding principles:

Transparency: AI use is disclosed to all stakeholders (customers, partners, employees).
Privacy: personal data is only processed by AI under valid legal bases (GDPR/LGPD/applicable).
Human oversight: no high-impact decision is fully automated without human review.
Auditability: every AI use in official workflow generates auditable log.
Continuous education: all employees receive training on responsible use.

Section 2 — Scope

This policy applies to:

All employees (W-2, contractors, interns).
All third parties processing data on behalf of the company.
All AI systems used at the company (proprietary, contracted via API, or SaaS).

Section 3 — Permitted use cases

The following AI uses are permitted without additional approval:

Drafting of internal communication (email, minutes, brief).
Summary of PUBLIC documents or company documents.
Research in public sources.
Code generation with human review before commit.
Analysis of aggregated/anonymized data.
Templating of standard documents.

Tools approved for these uses:

[Anthropic Claude — paid corporate tier]
[Microsoft Copilot — corporate license]
[Google Gemini for Workspace]
[Add as applicable]

Section 4 — Restricted use cases (require approval)

The following uses require prior approval from DPO + area supervisor:

Processing of personal data of customer, supplier, or employee.
Documents under confidentiality clause.
Non-public internal financial analysis.
External communication on behalf of the company.
Decision affecting selection, evaluation, or termination of an employee.
Automated customer service.

Approval process: internal form + DPO analysis within 5 business days + documented decision.

Section 5 — Prohibited use cases

The following uses are prohibited under any circumstances:

Sharing credentials (passwords, API tokens, keys) with an AI tool.
Submitting sensitive personal data to a tool without approval AND without legal basis.
Processing documents under professional secrecy (legal, medical) on consumer-tier tools.
Generating content presented as human without disclaimer (fraud/manipulation).
Using AI for individual employee surveillance without prior notice.
Training proprietary models with personal data without legal + DPO review.
Automated decision for granting/denying a fundamental right (credit, employment, benefit) without accessible human review.
Using a non-approved AI tool for professional task (including personal ChatGPT on free account for work).

Section 6 — Governance

6.1 Responsibilities

DPO ([NAME]): approve restricted cases, maintain AI inventory, conduct periodic audits.
Area director: approve AI use in their area, ensure team training.
IT: maintain approved-tools list + block non-approved as applicable.
Employee: respect policy, report incidents.

6.2 AI inventory

The company maintains an up-to-date inventory of:

All approved AI tools, with documented purpose.
All proprietary AI systems in production, with risk categorization.
All vendors processing personal data via AI (mandatory Data Processing Agreement).

Update: quarterly minimum.

6.3 Training

Onboarding: every new employee receives 1h training on this policy within 30 days of hire.
Refresh: annual mandatory for all.
Critical areas (legal, HR, finance): in-depth training every 6 months.

6.4 Audits

Internal audit: quarterly. Sampling of real use, comparison with policy, gap identification.
External audit: annual for companies in regulated sectors.

Section 7 — Incident Response

If an AI-related incident occurs (leak, wrong decision with impact, offensive output, etc.):

Step 1 — Containment (first 4 hours)

Reporter notifies immediate supervisor + DPO via #incidents channel.
Suspend use of involved tool until analysis.

Step 2 — Analysis (first 24 hours)

DPO + impacted area analyze root cause, scope (how many data, how many affected), severity.

Step 3 — Response (first 72 hours)

If personal data leak: notify supervisory authority (GDPR Art. 33, LGPD Art. 48) + affected data subjects.
If public offensive output: public communication + retraction.
If harm to third party: communication with insurer + legal.

Step 4 — Post-mortem (next 14 days)

Formal documentation: what happened, why, what we change so it doesn’t repeat.
Update policy if needed.

Section 8 — Employee rights

Right to know when AI is used to evaluate performance/career decision.
Right to challenge automated decision (GDPR Art. 22, LGPD Art. 20).
Right to not be monitored by AI without written prior notice.
Right to not be required to use AI when reasonable human alternative exists.

Section 9 — Sanctions

Violation of this policy subjects the employee to:

First violation: formal documented guidance.
Subsequent violation: written warning.
Serious violation (data leak, fraud): possible termination for cause subject to legal review.

Section 10 — Effective date and review

This policy takes effect on [DATE].
Mandatory review every 12 months or in significant regulatory change.
Next review scheduled: [DATE + 12 months].

How to adapt this template

Replace variables: company name, DPO, date, approved tools.
Adjust Section 3 (permitted) to your company’s actual scope. May be more conservative for regulated sector.
Adjust Section 4 (restricted) if you have specific use cases.
Validate Section 5 (prohibited) with legal — may add sector restrictions.
Customize Section 6.1 with real names and communication channels.

Signs your policy needs update

New AI category emerges (in 2026, autonomous agents was one).
New regulation kicks in (in 2026, EU AI Act began).
New incident reveals an unforeseen gap.
More than 12 months without review.

Anti-patterns in AI policy

Policy so restrictive nobody follows. Realistic > theoretical.
Policy without training. Document in folder ≠ policy applied.
Not involving IT in rollout. Tools blocked via firewall + approved list is the most effective part in practice.
Copy-paste template without adaptation. Every company has specific context to reflect.

Next steps

Adapt this template with your legal + DPO next month.
SkilLab Workshop — Consulting & Training. AI policy implementation + staff training. Details.
SkilLab AI Newsletter. Sign up below.