AI use policy: a ready-to-use template to adopt
A directly usable template for an internal AI use policy — what is and isn't allowed, which data may go into AI tools, approval of new tools, and the link to AI literacy (art. 4). Adopt it and adapt it to your organisation.
Short answer: Almost every organisation now has employees using AI tools — often without any agreements. A short, clear AI use policy addresses that risk and is at the same time a building block for your AI literacy file (art. 4). Below is a ready-to-use template: adopt it, fill in the brackets and adapt it.
Template — AI use policy [organisation]
1. Purpose. This policy describes how employees of [organisation] use AI tools responsibly, so we capture the benefits without undue risk to data, privacy and quality.
2. Scope. Applies to all employees, contractors and interns using AI tools for work, on all devices.
3. Approved tools. Only tools approved by [IT/security] may be used with work data. The current list is at [location]. Notify a new tool in advance via [process] for approval.
4. What is allowed. Using AI for drafts, summaries, code, analysis and ideas — provided you check the output yourself and remain responsible for the result.
5. What is not allowed. Do not enter confidential, personal or business-sensitive data into unapproved or public AI tools. Do not use AI output externally unchecked. Do not use AI for decisions about people (recruitment, assessment) outside [designated, tested processes].
6. Data and privacy. Treat input as if it leaves the organisation. For personal data the GDPR principles apply; use only tools with a data processing agreement and without reuse for model training.
7. Transparency. Make clear when a text, image or decision was created with AI where it affects the recipient (in line with art. 50).
8. Responsibility. You remain responsible for what you create and share with AI. When in doubt: ask [owner/AI contact].
9. Incidents. Report a suspected data leak or misuse immediately via [reporting process].
10. Literacy. Everyone using AI completes the [AI literacy training]; this policy and the training together form your art. 4 evidence.
Adopted by [responsible person], [date]. Reviewed: annually or on significant changes.
How to use it
Fill in the brackets, run it briefly past [IT/security/HR/works council] and adopt it. Keep it one page — a policy no one reads does not work. Link it to your broader AI governance framework once that exists.
Read also: AI use policy for employees and AI agent governance checklist.
Sources
- Regulation (EU) 2024/1689 (AI Act), Article 4 (AI literacy) and Article 50 (transparency): https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- Regulation (EU) 2016/679 (GDPR), principles for processing personal data: https://eur-lex.europa.eu/eli/reg/2016/679/oj