The reality for American businesses is not whether organizations and their employees use artificial intelligence, but how. As reliance on AI increases, organizations need to review their Acceptable Use Policy (or “AUP”) as many have not addressed or considered AI-related risks.
An effective AUP sets out the rules by which employees, contractors, or other authorized users may utilize artificial intelligence, generative artificial intelligence, machine learning, large-scale language models, or similar technologies (collectively, “AI”) in connection with the organization’s business. The need for AI-enabled AUPs is increasing because tools that use or leverage AI create legal, business, and security risks that traditional confidentiality, data privacy, and security policies cannot address.
When it comes to AI, updating your AUP to accommodate AI is about clarity, not limitations. Employees are already using AI to draft emails, summarize documents, and streamline tasks. Although these uses may seem harmless, they can create legal, business, and security issues.
The most important issues to address are confidentiality and data protection. Not all AI tools process data in the same way. Some store or learn from user input in a global model. Other models (usually called enterprise or closed models) use inputs solely for the benefit of the organization that licenses the model. When employees enter nonpublic information into publicly available AI tools, that information can be made public and used to train AI models that others can use. To address this risk, AUPs must clearly identify which AI tools employees may use and how.
Another important issue is the output. AI technology is still in its infancy, and AI tools can and will provide false, misleading, inaccurate, and even outright fabricated information. These “illusions” require employees to scrutinize the accuracy of the output provided by AI tools. Federal and state regulators are also increasingly scrutinizing the use of AI in certain legally significant decisions, such as hiring, credit and lending decisions, and are requiring organizations to explain the basis for outcomes that implicitly or explicitly require human intervention. AUPs may require such “human involvement” steps to ensure that people actively review and approve the output produced by the AI used.
Organizations should also establish governance and approval processes for AI tools. Not all AI tools are suitable for all business functions. Certain uses may increase legal, operational, or reputational risks. The AUP should identify those responsible for evaluating and approving AI tools, establish procedures for monitoring their use, and require periodic reviews of AI-related risks. A defined governance framework helps ensure that AI adoption aligns with an organization’s legal obligations, risk tolerance, and strategic objectives. Training is equally important, as employees need practical guidance on how to properly use AI in their daily work. This guidance often cannot be adequately conveyed through written policies alone.
As AI continues to become part of standard business processes, organizations that proactively update their tolerance policies will be able to leverage the benefits of these tools while managing risk. The goal is not to limit innovation, but to ensure that AI is used in a way that is consistent with organizational obligations, protects sensitive information, and supports business objectives.
