Trusq

factual analysis · traceable to primary sources

Guide

An AI use policy for employees: generative AI at work

Adopted 2026-06-21 · ≈ 2 min read · Dirk Baaijen

Employees already use generative AI, often without rules. A use policy bounds the risks: leakage of confidential or personal data, unreliable output, intellectual-property questions and transparency. The AI literacy duty (Art. 4 AI Act) also makes such a policy part of compliance.

Short answer: Your employees probably already use generative AI — for emails, summaries, code, drafts. Without a policy "shadow AI" arises: unseen use with real risks. A use policy bounds those risks, and the AI literacy duty (Art. 4) also makes it a compliance component, not a luxury.

The four risks you cover

  1. Confidentiality and personal data. Text you paste into a public AI service can leave the organisation. Trade secrets and personal data do not belong uncontrolled in external tools; that touches both trade-secret protection and the GDPR.
  2. Reliability. Generative AI invents plausible-looking nonsense. Output without human checking leads to errors in decisions, advice or publications.
  3. Intellectual property. Who owns the output, and may you use the training or source material? Uncertainty here can lead to claims.
  4. Transparency. AI content toward customers or the public can fall under Article 50 (recognisability, labelling).

What a workable policy contains

  • Approved tools: which AI services are allowed, which are not — preferably a secure corporate variant.
  • Data rules: no confidential or personal data in public tools; what is allowed, and how.
  • Human checking: always verify output before using it in decisions or externally.
  • Transparency: when to disclose AI use or label content.
  • Responsibility: who is the contact point, and how to report incidents.

Keep it short and concrete. A twenty-page policy goes unread; half a page with clear do's and don'ts gets read.

The literacy duty makes it mandatory

Article 4 of the AI Act requires those who work with AI to have an adequate level of knowledge. A use policy plus short training is exactly how you meet it, and how you make it demonstrable when a supervisory authority asks. See AI literacy.

Part of your governance

A use policy does not stand alone; it is a building block of your broader AI governance framework, alongside inventory, classification and oversight.

What to do

  • Draft one short, readable guideline with approved tools and data rules.
  • Attach short training — that immediately covers the literacy duty.
  • Offer a safe alternative so employees don't divert to public tools.
  • Review periodically; the tools and risks change fast.

Banning doesn't work — employees use AI anyway. Bounding and facilitating does: a clear policy takes the risk out of the unseen use and keeps the productivity gain in.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act): Art. 4 (AI literacy, already applicable) and Art. 50 (transparency for AI output to the public).
  2. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR): limit on entering personal data into external AI services.

About this knowledge base

Compiled and maintained by YRproject, programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen.