What to Include in Your AI Policy
AI policies are all about establishing a company’s boundaries, and when dealing with generative AI, those boundaries tend to be the same. Your policy will likely need to cover these core concepts, with a section dedicated to each.
Definitions
Anyone who has taken a debate class can tell you the importance of a definition: Every single party involved in a policy must be operating under the same definitions, or else they’ll disagree on the application of those concepts. Opening by defining terms like “GenAI,” “prompt engineering,” or “foundational models” will help guide the rest of the policy.
Ethics statements
This section allows for broad statements that establish your company’s stance on typical ethical questions, which may include:
- Transparency: Explain AI decision-making where possible.
- Nondiscrimination: Prevent biases in AI models.
- Privacy: Ensure compliance with GDPR, CCPA, and other data laws.
- Accountability: Clearly define responsibility for AI outcomes.
- Human oversight: Specify when human intervention is required in AI decisions.
The rest of the policy should follow the spirit of these principles by explaining them in further detail.
Practical AI use
You’ll want to cover the practical uses of AI that are permitted for your employees. This might differ by department or by employee, but it establishes the boundaries of how generative AI should be used. This includes details like what data sets are allowed, what projects can include AI, and how employees should incorporate AI.
Legal AI use
Incorporate your legal concerns. To what extent is personal data allowed to be given to AI chatbots, if at all? How does such a practice conflict with the company’s pre-existing guidelines that protect its intellectual property and copyrighted material? Can AI be used to track employee output ethically, in an attempt to boost productivity? Establish what applications of AI are not allowed within your company.
Security concerns
Establish an AI system security protocol that addresses all internal AI use. If your company will be training its own AI model, you’ll want to establish a risk assessment process first. In most cases, however, you’ll just need to create a regular audit process to ensure that the policy is being followed.
Prohibited practices or tools
You may want to entirely ban the casual use of generative AI during company time. This isn’t an unpopular stance: Research from early 2024 found that one in four companies had banned the use of generative AI by their employees.
If you’re not outright banning the practice, you may want to outline which specific tools may be used. Should DeepSeek be banned at your organization? If you’re the New York State government, it already is.