Download free DLP for AI whitepaper


  • Generative AI undoubtedly poses security challenges, but banning it isn’t the smart solution for long-term competitiveness.
  • Instead, an acceptable use policy (AUP) is crucial for ethical, compliant, and bias-free AI usage.
  • Drafting the policy involves assessing current AI usage, establishing clear guidelines, and designing a training initiative.
  • Regularly update the policy to stay ahead of AI advancements.
  • Polymer DLP complements your AUP, offering autonomous data classification and protection to prevent data leakage in apps like ChatGPT.

“To ban or not to ban?” that is the question most executives are mulling over when it comes to generative AI. It’s no wonder, really. Already, we’ve witnessed a highly publicized ChatGPT leak at Samsung, after employees unwittingly shared sensitive information with the large language model.  

However, while banning may be a quick-fix solution, it’s not a smart one. Generative AI, after all, is the future of work. If companies don’t use it, they’ll lose competitiveness. 

More than that, organizations must wise up to the reality of shadow AI. Even if banned, employees will still seek to boost their productivity, creativity and efficiency by using these tools, whether you’ve warranted it or not. 

So, a much better approach to take is to draft an acceptable use policy for generative AI. 

The benefits of an acceptable use policy for generative AI 

Your acceptable use policy for generative AI is an internal company document that outlines the guidelines and principles for the responsible use of generative AI among your employees. 

Here’s a look at why drafting an acceptable use policy is a must in the age of generative AI.

  • Establishing ethical boundaries: Navigating the terrain of Generative AI introduces a spectrum of ethical challenges. From drafting sales collateral to recruitment comms, AI-generated content demands awareness and vigilance. Your policy will define the ethical guardrails within which people in your organization can use AI tools. 
  • Meeting compliance mandates: Operating without a policy is akin to inviting a compliance fine to your doorstep. Indeed, generative AI’s ability to ingest, regurgitate, and produce content introduces the risk of hallucinations, copyright infringement, and data breaches. By defining what can and can’t be shared and created with generative AI, your policy directly combats these risks. 
  • Rectifying bias: The potential for introducing bias into AI systems is a noteworthy legal challenge. By taking into account ethical concerns as part of the policy, organizations can combat algorithmic bias and boost data integrity. 
  • Boosting trust: An acceptable use policy demonstrates to your employees, customers and partners that you are serious about harnessing the power of generative AI safely and securely. 

How to draft a robust AI usage policy 

Below are five steps to help you draft a robust AI usage policy. 

Assess your organization’s current AI usage

To begin, conduct a thorough audit of existing AI applications:

  • Usage analysis: Understand where and how AI tools are applied across business units. Take into account employee use of AI tools without explicit consent, including tools like ChatGPT or Bard.
  • Data sources: Evaluate the quality and appropriateness of data feeding into AI systems.
  • Security measures: Review implemented security protocols to ensure compliance with standards.

Draft your policy

While the intricacies of your generative AI policy will depend on your company’s size, sector and goals, there are some common threads to include: 

  • List out permitted and prohibited uses: Outline a comprehensive list of permitted and prohibited uses, leaving no room for ambiguity. Explicitly state which systems employees are authorized to interact with, and identify applications that require explicit authorization from designated authorities.
  • Data management: Establish crystal-clear guidelines for data collection, storage, and utilization by AI systems. Explain the types of data permissible for input and those strictly off-limits. 
  • Ethical concerns: Incorporate robust ethical considerations into the policy, specifically addressing issues such as bias and discrimination. Provide actionable guidelines on identifying and mitigating these ethical concerns to ensure responsible and fair AI use within the organization.
  • Regulatory compliance: Delve into the legal landscape that governs AI systems, emphasizing adherence to data protection and intellectual property laws. Clearly delineate the legal ramifications of non-compliance to foster a culture of accountability. 
  • Roles and responsibilities: Define the organizational structure responsible for the oversight of AI system deployment, management, and audits, so employees know points of contact. 
  • Education and training: Communicate the training programs and awareness campaigns that will be rolled out to support the policy. 
  • Incident response plan: Provide a detailed incident response plan so employees know what to do in the event of a leak, breach or any other concern. Clearly articulate step-by-step procedures, communication protocols, corrective actions, and the necessary reporting mechanisms to regulatory agencies.

Implement the policy & offer training

With your policy finalized and ready for deployment, it’s time for rollout. Begin by establishing a clear launch date, so your employees know what’s coming. 

On launch day, disseminate the policy far and wide, making use of email, the company intranet, Slack, and so on. 

In tandem, roll-out your training program. For maximum impact, avoid boring eLearning sessions or one-off ‘”lunch and learns.” A much more effective approach is to invest in real-time, psychology-based training modules that appear in the employee workflow. Read our article on the next-generation of employee training to learn more. 

Keep ahead of pending change 

If we’ve learned anything from the last year, it’s that AI is evolving rapidly. With that in mind, treat your policy as a living document, rather than a tick-box exercise. Review it regularly based on changing regulations, news, and guidance. We recommend reviewing it at least every six months, or every time your organizations embraces a new AI application. 

Protect against the inevitable 

Your AI usage policy sets the foundation for secure and compliant generative AI usage. However, we must remember that employees are human. Even with a policy in place, they’re bound to make mistakes at some point.

To that end, you need to invest in a solution that combats the risk of the insider threat in generative AI solutions

How Polymer DLP for AI can help 

Polymer data loss prevention (DLP) for AI perfectly complements and fortifies your AI usage policy, bringing unparalleled visibility, control, and security to generative AI applications. 

Here’s how we support organizations in using apps like ChatGPT and Bard securely: 

  • Reduce breaches in compliance: Fueled by advanced natural language processing (NLP), Polymer DLP for AI seamlessly and precisely identifies, categorizes, and shields sensitive information within applications such as Slack, Microsoft Teams, and ChatGPT. This ensures that sensitive data adheres strictly to your compliance requirements, consistently safeguarded against misuse and leakage.
  • Eliminate data leaks: Polymer DLP seamlessly and accurately identifies, classifies, and safeguards sensitive information in both directions within ChatGPT and other generative AI apps. This ensures that sensitive data remains consistently protected against exposure and theft.
  • Obtain ready-made policy templates: Recognizing the challenges of configuring security tools in accordance with compliance mandates, Polymer DLP includes pre-built policy templates for regulations such as HIPAA, SOC 2, and more.
  • Access NLP-empowered reporting: Polymer DLP compiles detailed insights into user behavior, data movement, and policy violations. This means that when an audit is due, you can effortlessly and swiftly generate and share a comprehensive report.
  • Cultivate a culture of compliance: Polymer’s platform facilitates point-of-violation training, delivering real-time prompts to users when they contravene your compliance policies. This approach has demonstrated a remarkable reduction of repeat violations by over 40% within a matter of days.

Ready to take control of generative AI usage in your organization? Read our whitepaper to find out more.

Polymer is a human-centric data loss prevention (DLP) platform that holistically reduces the risk of data exposure in your SaaS apps and AI tools. In addition to automatically detecting and remediating violations, Polymer coaches your employees to become better data stewards. Try Polymer for free.


Get Polymer blog posts delivered to your inbox.