ONE-PAGE AI USAGE POLICY (TEMPLATE)

Purpose
Define how AI tools may be used in this company so teams move fast without losing control of security, privacy, quality, and customer trust.

Scope
Applies to: employees, contractors, and vendors using AI tools (web, IDE, API) for company work.

Sanctioned tools (fill in)
- Allowed: ______________________________
- Allowed with approval: ________________
- Not allowed: __________________________

Account rule: Company-managed accounts only for sanctioned tools. No personal accounts for company work.

Four lanes (pick defaults and examples)

Lane 1 — Public / Low risk (Default: Allow)
Examples: formatting, grammar, brainstorming, non-sensitive docs.
Rules: No confidential data. Human owner must sanity-check.

Lane 2 — Internal / Moderate risk (Default: Allow with review)
Examples: draft runbooks, internal analysis, code suggestions in non-critical modules.
Rules: Reviewer must verify outputs against source code/docs.

Lane 3 — Customer-impacting (Default: Allow only with explicit gates)
Examples: production code, permissions/auth, customer-facing messaging, pricing/contract language.
Rules: Human is accountable; line-by-line review required; second reviewer for sensitive areas.

Lane 4 — Sensitive / Regulated (Default: Restrict)
Examples: secrets, keys, customer PII, PHI, incident forensics, legal claims.
Rules: Do not paste into external tools. Use approved redaction or approved local model only.

Never-paste list (edit to fit)
- API keys, tokens, private keys, credentials
- Customer PII (emails, phone numbers, addresses, identifiers)
- Payment data, payroll, HR records
- Non-public security findings or vulnerability details

PR / Change-control requirements
- PR template must include an AI attestation checkbox.
- For Lane 3 modules: require 2 reviewers; one must validate without relying on AI output.
- For auth/crypto/permissions changes: require security review (name team).

Documentation requirements
If AI drafted content: include links to sources (code references, internal docs, tickets). Do not cite the model as authority.

Escalation
If you're unsure which lane applies: default to the higher-risk lane and ask in: _________ (Slack channel) or file: _________ (ticket type).
If a data boundary violation occurs: notify Security immediately via: ________.

Review cadence
Owner: ________ (role). Review this policy every ________ (month/quarter) and after any AI-related incident.

Signature (optional)
Leaders responsible for enforcement: __________________________