How to Set AI Usage Policies for Employees

A year ago, the hotfix was simple: “Block ChatGPT at the firewall.” Today? That illusion is gone. GenAI is in our browsers, our inboxes, our documents, and our pockets. If you're a leader and you think your team isn't using AI, you may have a "shadow AI" problem. And shadow AI is dangerous because it gives management a false sense of control. 🚫 No oversight 🔒 No guardrails 📉 No visibility into data leakage or compliance risks At my company, we decided to govern instead of ignore. We rolled out a lightweight AUP for large language model (LLM) use. It’s practical, not paranoid: ➡️ Our AI Acceptable Use Policy (AUP) ✅ I will use AI systems: - As a productivity tool, like a word processor or spreadsheet program - To enhance my own work, not to replace it 🚫 I will not use AI systems to: - Create, upload, or share abusive, illegal, or confidential content - Violate copyright, trademark, or privacy laws 🛑 I will not input data into any public AI system that: - Identifies a person or organization as a customer - Associates specific cyber risks with a customer - Is classified as “CRO Restricted” (e.g., IP, trade secrets, financials) 🧠 I will not use or share AI output unless I: - Fact-check it - Revise it to ensure it fits the purpose - This includes code, images, and anything public-facing Feel free to copy/paste and adapt this policy for your team. Governing AI use doesn’t have to be complicated. But ignoring it is costly. How is your team setting boundaries on AI use at work?

Your trade secrets just walked out the front door … and you might have held it open. No employee—except the rare bad actor—means to leak sensitive company data. But it happens, especially when people are using generative AI tools like ChatGPT to “polish a proposal,” “summarize a contract,” or “write code faster.” But here’s the problem: unless you’re using ChatGPT Team or Enterprise, it doesn’t treat your data as confidential. According to OpenAI’s own Terms of Use: “We do not use Content that you provide to or receive from our API to develop or improve our Services.” But don‘t forget to read the fine print: that protection does not apply unless you’re on a business plan. For regular users, ChatGPT can use your prompts, including anything you type or upload, to train its large language models. Translation: That “confidential strategy doc” you asked ChatGPT to summarize? That “internal pricing sheet” you wanted to reword for a client? That “source code” you needed help debugging? ☠️ Poof. Trade secret status, gone. ☠️ If you don’t take reasonable measures to maintain the secrecy of your trade secrets, they will lose their protection as such. So how do you protect your business? 1. Write an AI Acceptable Use Policy. Be explicit: what’s allowed, what’s off limits, and what’s confidential. 2. Educate employees. Most folks don’t realize that ChatGPT isn’t a secure sandbox. Make sure they do. 3. Control tool access. Invest in an enterprise solution with confidentiality protections. 4. Audit and enforce. Treat ChatGPT the way you treat Dropbox or Google Drive, as tools that can leak data if unmanaged. 5. Update your confidentiality and trade secret agreements. Include restrictions on AI disclosures. AI isn’t going anywhere. The companies that get ahead of its risk will be the ones still standing when the dust settles. If you don’t have an AI policy and a plan to protect your data, you’re not just behind—you’re exposed.

Your employees uploaded confidential data to their personal ChatGPT instance. 🤖 Oops! 💼Now it's immortalized in the AI's memory forever. 🧠 Generative AI is a time-saver, but it comes with risks. So, how do we harness AI without leaking secrets? Introduce an Acceptable Use of AI Policy. Here’s what the policy should cover:  1️⃣ Approved Tools: List what tools employees are allowed to use. Even if you don’t provide a Teams account for the tools, you can still explicitly list which tools you permit employees to use individually. 2️⃣ Data Rules: Define what data can and cannot be entered into AI tools. For example: you might prohibit customer contact information from being input. 3️⃣ Output Handling: All AI tools are quick to remind you that they can be wrong! Provide direct instruction on how employees are expected to fact-check outputs.  Banning employees from using AI at work is a foolish decision. By creating a solid policy, you’ll enable and empower employees to find ways to use this time-saving tech, without compromising your security. Read my full article for more info about the risks presented by employee AI use and how to best mitigate them. #AI #cybersecurity #fciso https://lnkd.in/gi9c2sqv