It’s no secret that the use of both generative and agentic AI will proliferate in the coming years as the technology becomes more reliable and pervasive.
According to a recent study from the U.S. Chamber of Commerce, more than 58% of small and medium-sized businesses are already using AI within their companies, and that usage is expected to increase this year. At the moment, most of this can be attributed to chatbots such as ChatGPT, Gemini, and Copilot.
For this reason, companies must create and maintain strict AI policies. Why?
“AI policies put guardrails on employees’ use of AI,” said Philadelphia attorney David Walton, head of Fisher & Phillips’ artificial intelligence team. “This will enable employees to use AI faster and better.”
Without an AI policy, companies will be exposed to reputational damage caused by AI “hallucinations” and errors, Walton said. Additionally, sensitive company data (pricing, contracts, customer information, processes) may be exposed to the public. This is especially true when employees are using free AI tools with fewer protections.
Attorney Star Kashman, founding partner at Cyber Law Firm, warns clients that without an AI policy, employers could be exposed to bias claims and other lawsuits.
“For example, resumes from people of a certain race or a certain gender may not be accepted by AI systems, automatically rejecting good candidates,” she said. “If you can’t abide by that, even if it’s an employee’s actions, you’re going to be exposed to a huge lawsuit.”
A good AI policy should include:
Include an AI purpose statement
Policies must make clear that AI is only allowed when used responsibly and with guardrails.
It should also be clearly stated that AI tools will only be used where they can improve productivity, provided they are secure and confidential.
Provide a list of approved applications
A company’s AI policy should specify which tools and software are approved by management, the lawyers said.
Use the tools for business purposes only. Free tools should not be allowed due to privacy concerns, and if a tool is not listed in your policy, you will need administrator permission to use it.
When employees use AI in their personal accounts, “it’s difficult for companies to control privacy settings and sensitive data can be leaked to free or public AI models,” Walton said.
Consider banning sensitive information
It is still unclear how securely data is handled when AI applications are used. For this reason, the lawyers recommend that companies discourage or prohibit entering sensitive information on these platforms.
This includes customer data, financial statements, contracts, pricing information, personal identifiers, trade secrets, or anything related to medical, legal, or human resources.
Claim ownership of AI works
When an employee sends a “prompt” to an AI chatbot, that query and any resulting workflows or custom instructions are company property, and the policy should state this explicitly.
A company’s AI policy should state that employees must return all AI-generated work upon separation, cannot export data to personal accounts, and cannot use their own agents or tools for company operations.
Avoiding AI in HR
Kashman and Walton said AI applications should not be used for recruiting or performance evaluation. Many platforms leverage AI to perform these functions, but these tools can cause more problems than benefits.
“Human resources is at the forefront of legal issues related to AI,” Walton said. “Relying on AI to make hiring, firing, and performance review decisions can be highly problematic.”
Prevent specific output
AI policies should prohibit the use of images, video, or audio without administrator approval. NSFW (Not Safe for Work), pornographic, or defamatory content should be off-limits. This helps protect against reputational damage, deepfakes, and offensive content.
Constant human monitoring
We know that today’s AI tools are far from perfect. Policies should state that anything generated by AI must be verified, checked, sourced, and edited by humans.
Explain why AI policy exists
AI is new, and employees already have concerns about this new technology. Kashman says it’s important to explain the “why” behind each rule in a policy.
“Rather than just ‘no,’ explain the risks to your employees and company, including hallucinations, data breaches, and bias,” she said. “When employees understand the rules, they are better able to follow them.”
An uncertain regulatory environment is also a major reason for developing AI policies. Walton said he doesn’t expect regulation of AI use anytime soon.
“The federal government is unlikely to pass comprehensive legislation anytime soon, so companies need to prepare for state-level AI regulation, especially around risk assessment and bias,” he said.
Some states, such as New Jersey, have already proposed legislation that would require companies to conduct formal risk assessments and implement acceptable use policies. Meanwhile, President Donald Trump is considering an executive order that would limit state regulation of AI.
Kashman said the lack of regulation would leave executives vulnerable “because tech companies are less responsible for damages.” Therefore, small businesses “need to protect themselves with strong internal policies,” she said.
“AI assistants and chatbots can help companies draft policies and templates, especially for non-lawyers who need structure or a first draft,” Kashman said. She added that it is important to update this policy frequently, as technology, models, privacy terms, and data breaches change rapidly.
“But be careful,” she said. “AI cannot understand the nuances of specific business or legal risks, so human review by lawyers and experts is required.”
