Govern Intermediate 45 minutes

AI Use Policy (Living)

A working AI use policy for a comms team: what is permitted, what needs review, what is off-limits, how AI use is disclosed and how data is handled. Built to be kept current, not written once and forgotten.

Version 1.0 Updated 24 June 2026

What it is

The AI Use Policy is the operating layer of your AI governance. Where your AI Use Principles set the stance, this document sets the rules: what the team can use AI for without asking, what needs a second pair of eyes, what is off-limits, how AI involvement is disclosed, and what can and cannot be put into a tool.

The word “living” matters. The most common failure is a policy written once, signed off, and left to rot while the tools and the team move on. A policy that does not reflect the tools people actually use is a policy people quietly ignore. This template is built to be maintained: it carries a version, an owner and a review date, and it is designed to be revised on a cadence rather than treated as a one-off.

This is the document Legal, IT and leadership want to see, and the one that protects the team when a judgement call goes wrong. It is most powerful when it is short, specific and actually usable, not a twenty-page document nobody opens.

When to use it

Use this template when:

  • You have agreed your AI principles and need to turn them into operating rules
  • Your team keeps asking “is it OK to use AI for this?” and getting inconsistent answers
  • Legal, IT or leadership has asked for a defensible position on AI use
  • An existing policy is out of date and no longer matches the tools in use

Don’t use this template when:

  • You have not agreed your underlying stance (write your AI Use Principles first)
  • You only need to record which tools are in use (use the AI Tool Register)

Inputs needed

  • Your AI Use Principles, so the policy is consistent with the stance you have set
  • An honest list of the AI tools your team uses, sanctioned or not
  • Your data, client and regulatory obligations, so the rules are defensible
  • A decision on who owns approvals and who owns the policy itself

The template

AI Use Policy

Organisation: [Name]
Applies to: [Team or function]
Policy owner: [Name and role]
Version: [e.g. 1.0]
Approved: [Date]
Next review: [Date]


1. Purpose and scope

[One short paragraph: what this policy covers, who it applies to, and that it operationalises the team’s AI Use Principles. Note any tools or activities explicitly out of scope.]

2. Permitted uses (no approval needed)

Tasks the team can use approved AI tools for as a matter of course, within the rules below.

  • [e.g. First drafts of internal documents and briefings]
  • [e.g. Research synthesis and summarising public material]
  • [e.g. Reworking and shortening existing approved copy]
  • [Add your own]

3. Uses that need review first

Tasks where AI may be used, but a named person must review before the work is used or published.

Use case | Who reviews | What they check
[e.g. Client-facing copy] | [Role] | [Accuracy, voice, disclosure]
[e.g. External announcements] | [Role] | [Accuracy, risk, sign-off]
[e.g. Anything quoting data or statistics] | [Role] | [Verified against source]

4. Prohibited uses

Hard lines. AI is not used for these, full stop.

  • [e.g. Final sign-off or approval of any external communication]
  • [e.g. Entering confidential client or personal data into non-approved tools]
  • [e.g. Generating quotes attributed to real people as if genuine]
  • [Add your own]

5. Approved tools

[Reference your AI Tool Register as the live list of approved tools, rather than naming tools here where they will go out of date. State that only tools on the register may be used for work, and how someone requests a new tool be assessed.]

6. Data and confidentiality

[The rules on what information may and may not be entered into AI tools, by sensitivity level. Be specific about client material, personal data and anything under NDA. Note which approved tools are cleared for which data levels.]

7. Disclosure

[When and how AI involvement is disclosed, internally and externally, in line with your principles. Give the standard wording or approach the team should use.]

8. Accountability

[State plainly that a named human is accountable for any output AI helps produce, and that “the AI did it” is never a defence. Note where responsibility sits for review, approval and the policy itself.]

9. When something goes wrong

[A short, blame-aware route for raising an AI-related mistake or near-miss, and where it gets logged. Reference the AI Use Review and Risk Log.]

10. Review

[State the review cadence (e.g. quarterly), who owns it, and that the version and date at the top are updated on each review.]


AI prompt

Base prompt

I'm drafting a living AI use policy for a communications team. It should turn our principles into clear operating rules and stay short enough to actually be used.

Inputs:
- Our AI Use Principles: [PASTE OR SUMMARISE]
- AI tools the team uses: [LIST]
- Team type and sector: [DESCRIBE, in-house / agency]
- Data and client obligations: [DESCRIBE any confidentiality, NDA, regulatory constraints]
- Who owns approvals: [ROLE]

Please draft a policy with these sections: purpose and scope; permitted uses; uses needing review; prohibited uses; approved tools; data and confidentiality; disclosure; accountability; when something goes wrong; review.

Make the permitted / review / prohibited lists specific to a comms team. Keep it plain and concise: a policy people will read, not a legal document they will ignore. Flag anything where I should get input from Legal or IT.

Prompt variations

Variation 1: Stress-test an existing policy

Here is our current AI use policy:

[PASTE POLICY]

Review it as (a) a comms team member trying to find a loophole and (b) an in-house lawyer. Identify: rules that are ambiguous, gaps where a common task is not covered, anything that is now out of date given current tools, and anything unenforceable. Suggest fixes for the five most important issues.

Variation 2: Tailor the data rules

Help me write the data and confidentiality section of our AI use policy for a [SECTOR] comms team that handles [TYPE OF SENSITIVE INFORMATION]. Define clear sensitivity levels and which can or cannot go into AI tools, with a one-line rationale for each. Be conservative where the law or client obligations are unclear.

Tips for better AI output:

  • Feed it your real principles and tools; a generic policy is worse than none, because people trust it
  • Ask explicitly for “permitted / review / prohibited” to be comms-specific
  • Have Legal or IT check the data and disclosure sections before sign-off; treat the AI draft as a starting point

Human review checklist

  • Consistent with principles: every rule ladders up to your AI Use Principles
  • Specific to comms: the permitted, review and prohibited lists reflect real comms tasks, not generic examples
  • Tools are referenced, not hardcoded: the policy points to a live tool register rather than naming tools that will date
  • Data rules are defensible: confidentiality rules would survive scrutiny from Legal or a client
  • Accountability is unambiguous: it is clear a named human owns every output
  • Short enough to use: a team member could read it in a few minutes and apply it
  • Owned and dated: version, owner and next-review date are filled in
  • Checked by Legal or IT: the data and disclosure sections have had appropriate review

Example output

AI Use Policy, Harbour Communications (illustrative extract)

Permitted (no approval): first drafts of internal documents; summarising public reports; reformatting approved copy; brainstorming angles.

Needs review: any client-facing copy (reviewed by account lead for accuracy, voice and disclosure); anything citing data (verified against source before use).

Prohibited: entering client confidential or personal data into any tool not on the approved register; using AI to produce final sign-off; presenting AI-generated text as bespoke human work in pitches.

Disclosure: for client deliverables, we note where AI materially assisted production, in line with our principles.

Accountability: the named owner of each piece is accountable for it. “The AI produced it” is never a defence.

Note: illustrative extract. Your policy will reflect your own tools, sector and obligations.

