AI workplace policy: working safely with AI

An AI workplace policy does not have to be a thick document. A few clear guidelines cover the biggest risks. Here is how to work safely with AI.

Flat vector illustration of a man at a desk reviewing an AI policy checklist on a laptop, next to three cards representing security, privacy, and user access.

Mees Ruijgrok

Guidance

Reading time:

3 minutes

Your employees already use AI at work. Maybe you know it, maybe you suspect it. Someone has an email rewritten. Someone pastes a quote into a free tool to get a quick reply. That is happening now, even without any agreements about it. And that absence of agreements is exactly what an AI workplace policy is about.

Many business owners think such a policy has to be a thick document. Pages of rules and a separate chapter for every scenario. That is not necessary. In fact, it backfires. A document no one reads protects you against nothing.

What does work is a few clear guidelines. Enough to cover the biggest risks, short enough that people remember them.

A good AI workplace policy starts with the premise

Do not start with bans. It works better to state up front that AI is allowed and that you want to encourage your employees to experiment with it. After that, you limit yourself to the places where things can really go wrong.

Three guidelines that cover the biggest risks

There are fewer of them than you think. Most risks sit in three places: which tools people use, what they put into them, and how they handle what comes out.

Guideline one: sort out the accounts

The difference between a free account and a business account is bigger than it looks. With a free tool you do not know what happens to your data. Often it is used to train the model. With a business account you contractually establish that this does not happen. You also get the guarantee that everything you put into it stays on European servers. Use a tool outside Europe and different rules apply, so you do not have that certainty.

The guideline is simple. Anyone working with company information does so through a business account that the organisation sets up. No shared logins. A business account also gives you, as the employer, more control over what happens with your people’s accounts. If someone wants to get started with AI and does not have an account yet, they ask for one. That way you keep a grip on where your company data ends up.

Guideline two: what does not go in

This is the most important guideline, and also the easiest to explain. Certain information does not belong in an AI tool. Anything that can be traced back to a person falls outside it, whether it concerns a customer or a colleague. Passwords and login details have no place in there at all. And you do not share confidential documents in it. A contract or an internal file that is not meant to leave the company is something you do not paste or upload, not even to have something summarised from it.

The rule of thumb you give your people: one isolated detail is usually not a problem, but as soon as two things together identify someone, you leave it out. In a free account you do not upload files anyway. Sparring and typing in loose text is fine. But the moment you paste something that comes from a company document, you switch to a business account.

Guideline three: check what comes out

AI makes things up with conviction. A figure or a source reference can look plausible and simply be wrong. It reads smoothly, so you easily skim past it.

The guideline is that the employee stays responsible for what they put out. Anything that has to be factually correct, you check at the source. Anything that goes to a customer, you reread for tone. Pay attention to how it sounds as well. AI text has its own signature: smooth sentences of equal length, fixed transition words you would never use yourself. If something reads like AI, it does not read like your company. If you forward something to a colleague that came from AI, say so. Then the other person knows it still deserves a check. The AI provides a first attempt. You decide whether it is right.

Above all, make clear what is allowed

A policy that contains only bans scares people off. Then they use AI in secret, or not at all. Neither is what you want. So put in just as clearly what is perfectly fine.

Brainstorming and sparring is allowed. Having a text rewritten or translated is allowed. Having a long note or a public report summarised too. Most of the daily work where AI saves you time falls well within the lines. The clearer you make that, the less people keep hesitating about the rest.

Keep it alive

A five-page document that gets sent around once disappears into a folder. A few guidelines people know stick. Write down what is not allowed and leave room for the rest. When in doubt, people ask.

You do not have to write it from scratch either. An AI policy template gives you a starting point you can shape to fit your business. Treat it as a snapshot, not as a final text. AI changes fast. What is not possible today may be possible in six months. So you adjust it when practice calls for it, instead of writing it once and putting it away.

The hardest step is usually not drawing up the rules. It is knowing which risks really matter for your business and which ones you can safely leave alone.

Want to know how we approach this for other organisations? Check out our AI policy page.

Stay in the loop

Get the latest on AI and software, straight to your inbox

By submitting your details you hereby agree to our Terms & Conditions and Privacy Policy. You may always opt-out from our mailing lists in accordance with the Privacy Policy.

Stay in the loop

Get the latest on AI and software, straight to your inbox

By submitting your details you hereby agree to our Terms & Conditions and Privacy Policy. You may always opt-out from our mailing lists in accordance with the Privacy Policy.

Stay in the loop

Get the latest on AI and software, straight to your inbox

By submitting your details you hereby agree to our Terms & Conditions and Privacy Policy. You may always opt-out from our mailing lists in accordance with the Privacy Policy.