Your team is using AI tools. You need a policy. Here's a template you can copy, customize in 30 minutes, and share with your team today.
The template
1. Approved AI tools
| Tool | Approved use | Data allowed | Plan required |
|---|---|---|---|
| Claude Code | Coding, code review, docs | Internal code only | Pro ($20/mo) |
| Cursor | IDE coding assistant | Internal code only | Pro ($20/mo) |
| ChatGPT | Research, writing, brainstorming | No customer data | Team plan |
| GitHub Copilot | Code autocomplete | Internal code only | Business plan |
| Notion AI | Document drafting | No customer PII | Team plan |
Not approved: consumer or free tiers of any AI tool for work purposes. Free and consumer tiers typically allow the vendor to train on your inputs unless you opt out, while business and API plans generally exclude training by default. Check the vendor's current data-use terms before approving a tool, and re-check them when they change. Use API or business plans only.
2. Data classification
| Data type | Can send to AI? | Examples |
|---|---|---|
| Public | ✅ Yes | Open-source code, public docs, marketing copy |
| Internal | ✅ With approved tools | Internal code, specs, architecture docs |
| Confidential | ⚠️ With DPA only | Customer data (anonymized), financial data |
| Restricted | ❌ Never | Customer PII, credentials, API keys, health data |
Rule: When in doubt, don't send it. Ask your manager or security team.
3. Code review requirements
All AI-generated code must be:
- Reviewed by a human before merging (same as human-written code)
- Tested: AI-generated code needs tests, just like human code
- Security scanned: run your standard security checks
- Attributed: add a comment noting AI assistance for significant contributions

```python
# AI-assisted: Generated by Claude Code, reviewed and modified by [developer]
def process_payment(amount, currency):
    ...
```
4. Prompt hygiene
- Never include credentials in prompts (API keys, passwords, tokens). See our API key security guide.
- Never include customer PII (names, emails, addresses) in prompts
- Redact before sending: replace real data with placeholders
- Don't paste entire databases: send only the relevant schema or a small sample
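The redact-before-sending rule is easy to state and easy to forget under deadline pressure, so a pre-send check that enforces it mechanically is worth having. The following is an added Python example, not code from the original page or from any of the tools listed above. It blocks the prompt outright when it finds credential-shaped material (a pasted key is already exposed and needs rotating, so silently redacting it is not enough) and replaces PII with stable placeholders that the caller can reverse locally once the model answers. The regexes, the sample prompt and the placeholder format are assumptions of this example, chosen for illustration; they are not an exhaustive secret scanner and should be extended with your own key formats.

```python
import re
from dataclasses import dataclass, field


class CredentialInPrompt(Exception):
    """Raised when a prompt contains material that must never leave the machine."""


# Illustrative credential patterns (an assumption of this example, not a
# complete scanner). Anything matching is refused rather than redacted.
CREDENTIAL_PATTERNS = {
    "AWS access key ID": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "GitHub token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private key block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
    "bearer token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=-]{20,}"),
    # Only quoted literals, so `api_key = os.environ["API_KEY"]` is not flagged.
    "hard-coded secret": re.compile(
        r"(?i)\b(?:password|passwd|secret|api[_-]?key|token)\s*[=:]\s*['\"][^'\"\s]{8,}['\"]"
    ),
}

# PII that may be sent only as placeholders. Patterns are deliberately simple
# (the IPv4 one will also match version strings); tune them for your data.
PII_PATTERNS = {
    "EMAIL": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "PHONE": re.compile(r"\b(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b"),
    "IPV4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}


@dataclass
class RedactedPrompt:
    text: str
    placeholders: dict = field(default_factory=dict)  # placeholder -> real value

    def restore(self, model_output: str) -> str:
        """Put the real values back into the model's answer, locally only."""
        for placeholder, original in self.placeholders.items():
            model_output = model_output.replace(placeholder, original)
        return model_output


def redact_prompt(prompt: str) -> RedactedPrompt:
    """Refuse credentials; pseudonymize PII with stable, reversible placeholders."""
    for name, pattern in CREDENTIAL_PATTERNS.items():
        if pattern.search(prompt):
            raise CredentialInPrompt(
                f"prompt contains a {name}; remove it and rotate the secret"
            )

    placeholders: dict[str, str] = {}  # placeholder -> real value
    seen: dict[str, str] = {}          # real value -> placeholder
    counts: dict[str, int] = {}
    text = prompt
    for label, pattern in PII_PATTERNS.items():

        def replace(match: re.Match, label: str = label) -> str:
            value = match.group(0)
            if value not in seen:  # same value always gets the same placeholder
                counts[label] = counts.get(label, 0) + 1
                seen[value] = f"<{label}_{counts[label]}>"
                placeholders[seen[value]] = value
            return seen[value]

        text = pattern.sub(replace, text)
    return RedactedPrompt(text=text, placeholders=placeholders)


# Constructed sample prompt for this example (fictional customer data).
SAMPLE_PROMPT = (
    "Customer jane.doe@example.com (phone 415-555-0134) reports that orders from "
    "10.0.12.7 fail. jane.doe@example.com also mentioned a timeout."
)

if __name__ == "__main__":
    redacted = redact_prompt(SAMPLE_PROMPT)
    print(redacted.text)
    # A model answer referring to the placeholders can be mapped back locally:
    print(redacted.restore("Ask <EMAIL_1> to retry from <IPV4_1>."))
    try:
        redact_prompt("Use AKIAIOSFODNN7EXAMPLE to connect")
    except CredentialInPrompt as exc:
        print("blocked:", exc)
```

Run it as a wrapper around whatever sends prompts from scripts or CI, and treat a `CredentialInPrompt` as a rotation event, not just a blocked request: the secret was already in a developer's clipboard or shell history.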
5. Compliance
- All AI tools must have a Data Processing Agreement (DPA) if processing personal data. See our GDPR guide.
- AI-generated content must be reviewed for accuracy before publishing
- AI-generated code must pass the same quality bar as human code
- Keep logs of AI usage for audit purposes
6. Incident response
If AI produces harmful, biased, or incorrect output that reaches users:
- Disable the AI feature immediately (feature flag)
- Document what happened and the impact
- Notify your manager and security team
- Fix the root cause (prompt, guardrails, or model choice)
- Post-mortem within 48 hours
See our AI security checklist for the full incident response plan.
7. Quarterly review
Every quarter, review:
- Are approved tools still appropriate?
- Have any tools changed their data policies?
- Are there new tools the team should evaluate?
- Have there been any AI-related incidents?
- Does the policy need updates?
How to roll this out
- Customize the template above for your company (30 minutes)
- Share with your team via Notion or your wiki
- Discuss in a team meeting (15 minutes)
- Get sign-off from leadership
- Review quarterly and update as tools evolve
What this policy doesn't cover
This is a usage policy, not a full governance framework. For companies building AI products (not just using AI tools), you also need:
- Risk assessment for each AI system
- EU AI Act compliance (if applicable)
- Red team testing procedures
- Observability and monitoring
- Evaluation pipelines
See our AI governance guide for the complete framework.
Related: AI Governance for Startups · AI Security Checklist · AI and GDPR · AI Risk Assessment Template · How to Secure AI API Keys