What’s your plan?
Your organization may not have formally adopted AI, but your employees are probably already using it. It may be a personal AI account, a writing assistant inside office software, or an AI feature built into a vendor platform. That creates risk even when the organization has no official AI program. Without clear rules, employees may enter sensitive information into unapproved tools or rely on outputs that contain fabricated sources, outdated information, or unsupported assumptions.
These are real risks. Amazon[1] reportedly warned employees in 2023 not to share confidential information with ChatGPT after reports that some outputs appeared to resemble internal material. In 2026, the Ninth Circuit[2] sanctioned two attorneys over briefs that contained nonexistent cases, misattributed quotations, and misrepresentations produced by generative AI hallucinations. In the order, the court emphasized that the attorneys were not being sanctioned because they used generative AI, but for signing and filing inaccurate work.
What an AI policy does
An AI policy is not the same thing as an AI strategy. A policy is a set of guardrails for an organization. It tells employees which AI tools they can use, what data they can enter into those tools, and how AI output must be reviewed. Even if companies are not officially adopting AI tools, employees will still find tools to use, such as personal AI accounts or AI tools integrated into third-party software.
Classify the data before using AI
Your employees should understand that data falls into different categories, and that the category determines what may be entered into an AI tool. The following shows that breakdown, with examples specific to the non-profit world, along with conditions for acceptable use with AI tools. The examples of data types and the conditions for acceptable use will vary by organization, depending on the type of data you handle and the level of AI adoption your organization is pursuing.
Public data can still create risk
Public data may still become sensitive when combined with internal company details. Notice that even for “Public” information, personal licenses or free versions of AI tools are not listed as acceptable use. This is because, although only public information is being uploaded to the tool, company proprietary information can be “leaked” through the interaction with the tool. For example, an employee may upload only public vendor pricing or public grant data, but then type internal strategy into the prompt, such as the vendor name, budget details, negotiation strategy, staffing constraints, or the timing of an expansion. Any company-related use should only be done on company-approved tools.
Even if your organization has approved AI tools, that doesn’t mean that you can put any type of company information into those tools. Confidential and restricted information require prior written approval from the department that administers the AI policy.
How should companies start?
Adopting an AI policy does not need to be overly complicated. The first version of the policy should answer the basic questions employees are already asking, or the questions they should be asking before using these tools.
Start by identifying where employees may already be using AI. This could include personal AI accounts, free versions of AI tools, AI features built into office software, or AI tools included in third-party vendor products. Even if the company has not officially adopted AI, employees may already be interacting with it.
Next, define which tools are approved for company-related work. Employees should know which tools they can and cannot use, and whether different tools are approved for different types of information. A company-approved AI tool does not automatically mean that all company information can be entered into it.
Companies should also define who owns the policy. This could be IT, legal, compliance, HR, or another department depending on the size and structure of the organization. Employees need to know where to go with questions, who can approve exceptions, and who is responsible for updating the policy as the tools change.
The policy should also include a data classification framework. Employees should understand the difference between public, internal, confidential, and restricted information. They should also understand that public information can still create risk when it is combined with company strategy, vendor details, contract information, employee information, or other non-public context.
Companies should then define approval requirements for higher risk use cases. For example, using AI to summarize public information may be acceptable with an approved tool. Using AI with confidential contract information, customer data, employee information, legal issues, or financial information may require prior written approval or may not be allowed at all.
Finally, companies need to train employees. A policy that sits in a folder and is never explained doesn’t do much good. Employees should understand the risks, the approved tools, the data rules, and their responsibility to review AI output before using it. The goal is not to stop employees from using useful tools. The goal is to make sure they use them in a way that protects the company, its employees, its clients, and the people it serves.
Human review is still required
Once a company has approved tools, data rules, and an approval process, employees still need to understand that AI output is not final work. When using AI tools, employees must understand that they are ultimately responsible and accountable for the outputs. Employees must review AI output for bias, unsupported assumptions, and fabricated or outdated information. AI output should not be treated as the final authority. It should be used as a draft, comparison, starting point, or support tool. The following is a useful, but not exhaustive, list of things that a human should review.
Companies need a plan
As more and more workers use AI tools inside and outside of their jobs, companies need to have a plan. A good AI policy does not need to be perfect on day one, but it does need to give employees clear direction. As AI continues to show up in more software and more business processes, having a policy and training employees on how to use these tools is becoming a basic business requirement.
[1] https://www.businessinsider.com/amazon-chatgpt-openai-warns-employees-not-share-confidential-information-microsoft-2023-1
[2] https://cdn.ca9.uscourts.gov/datastore/opinions/2026/06/03/24-4790.pdf