Setting an Acceptable Use Policy for Generative AI in Your Business
BS - Ben Saunders
I’ve been fielding requests to outline some acceptable usage policies from peers, colleagues and customers about the guidance they should provide to their engineering teams/employees when using generative AI. As with all these things, it's a bit of a moving target but I wanted to put some thoughts down to see how others are dealing with the acceleration of the “prompt engineering” adoption curve.
I’ve tried to outline the usage policy in a third-person tone, so please don’t think I’ve gone crazy! It just feels like it would be easier for others to lift and shift for their own use. I’ll cover things like: the purpose of the policy, general guidelines to follow, prohibited activities and reporting incidents of misuse. This is by no means a complete list. Though, I’d highly recommend you ask your organisation's AI Ethics committee (assuming you have one) to establish a similar acceptable usage policy for generative AI tooling in your business.
Step 1: Explain the Rationale For Your Generative AI Policy
Make sure you explain the rationale for your organisation's acceptable use policy for generative AI. Feel free to pinch this and tweak for your own use:
“Company ABCD is committed to providing a safe and secure environment for all its employees, partners and customers, including through our responsible use of generative AI tooling. This Acceptable Usage Policy (AUP) outlines the guidelines and principles that employees must follow when using generative AI capabilities. The purpose of this policy is to ensure that Company ABCD's employees use generative AI systems in a manner that is consistent with the organisation's values and ethical standards. This policy applies to all employees at Company ABCD who use generative AI systems for their roles and responsibilities. By following this policy, we aim to ensure that generative AI tooling remains a valuable capability for designing, manufacturing and building solutions for our employees, customers and partners, whilst ensuring that the ways in which we service our customers with generative AI are secure and in line with organisation ABCD’s data privacy controls.”
Step 2: Be Clear on Acceptable Terms of Use
Outline the general acceptable use terms for your employees to follow. You could use these suggestions as initial building blocks for your business:
"Use of generative AI tooling should be limited to business-related purposes and be in line with the ethics standards of the organisation.
All assets created through the use of generative AI systems must be professional and respectful. Employees should avoid using offensive or abusive language and should refrain from engaging in any behaviour that could be considered discriminatory, harassing, or biased when applying generative techniques.
Generative AI use cases should be reviewed by our AI ethics committee, and employees should not share any confidential or sensitive information with generative tooling, including but not limited to passwords, certificates, personally identifiable information (PII), asset names, secrets and tokens.
Employees should protect their login credentials and ensure that their generative tooling accounts are not accessible to unauthorised individuals. Multi-factor authentication should be in place across all third-party tools and technologies used for generative AI services.
Generative AI systems must be used in compliance with all applicable laws and regulations, including data protection and privacy laws.
Company ABCD reserves the right to review and monitor all communications shared with generative AI systems, including but not limited to messages, prompts, attachments, and files."
Step 3: Set Expectations With Your Employees About Their Generative AI Responsibilities
Outline the responsibilities of your employees when it comes to generative AI. You’ll probably want to cover considerations such as the following:
"Employees are responsible for ensuring that they use the generative AI in compliance with this Acceptable Usage Policy and any other relevant policies or procedures.
All employees must be aware of their responsibilities for protecting confidential and sensitive information and must take all necessary steps to safeguard the privacy and security of this information when using generative AI tooling.
Managers and supervisors are responsible for ensuring that their teams are aware of and comply with this policy. They must also report any violations of this policy to Company ABCD's IT department or other designated authorities.
Company ABCD's IT department is responsible for agreeing and documenting an approved list of generative AI systems to ensure that only authorised applications of these technology capabilities are applied by the business.
Company ABCD's HR and Legal departments are responsible for handling any complaints related to violations of this policy, including incidents of harassment, discrimination, or bias that are raised by employees, partners or customers.
Company ABCD's legal department is responsible for ensuring that generative AI tooling is being used in compliance with all applicable laws and regulations, including data protection and privacy laws."
Step 4: Outline What Generative AI Won’t Be Used For In Your Business
It sounds draconian, but these capabilities are like superpowers and they need to be governed as such. As such, be super clear about what you won’t allow your employees to do with generative AI. This might aim to cover the following items:
"We will never recreate or impersonate someone using generative AI without their explicit consent.
We will also state when generative AI has been used in our content creation.
We will never use generative AI to create any content that is illegal, discriminatory, defamatory, or otherwise offensive or inappropriate to our employees, partners and customers.
We will never use generative AI to harass, bully, intimidate, or discriminate against other employees or external parties.
Sharing confidential or sensitive information with unauthorised individuals, including external parties that provide generative AI services, is forbidden.
Engaging in any activity that could compromise the security or integrity of the business using generative AI systems, including attempting to open up access to unauthorised data sets and systems, is forbidden.
Violating any applicable laws or regulations, including data protection and privacy laws, using generative AI is forbidden."
Step 4: Reinforcement of Data Privacy Obligations
Use the confirmation of your approved generative AI use cases to reinforce your organisation's data privacy and protection commitments. If your organisation stores or processes data of any kind, you should already have this in place. I won’t break that down in detail, as there are multiple guidance points that already exist for establishing data privacy standards.
Step 5: Generative AI Escalation Pathways
Be sure to outline an incident escalation and/or whistleblowing process for employees, customers and partners to surface concerns about the potential misuse of generative AI, in line with your ethics standards and acceptable use policy.
"Employees must report any suspected violations of this policy or any incidents related to the misuse of generative AI tooling to Company ABCD's IT department, AI ethics committee or other designated authorities.
All reports of suspected violations or incidents will be investigated promptly and thoroughly.
Employees who report suspected violations or incidents will be protected from any retaliation or reprisals.
Company ABCD reserves the right to review any communications sent through generative AI tooling for the purpose of investigating suspected violations or incidents.
Employees must cooperate fully with any investigations related to suspected violations or incidents where generative AI has been applied."
Step 6, 7, 8: Educate, Inform & Reinforce
Be clear with employees about the implications of not adhering to these policies. Support them with education, guidance and coaching, and ensure you have in place knowledgeable subject matter experts across your business who can be a port of call for colleagues at a time when the application and impact of generative AI use cases are unclear.
Ensure your employees buy into the policy and, if you deem it necessary, have them validate their understanding through formal education and training sign-off.
Step 9: Be Prepared to Change Your Policy!
The generative AI sphere is moving at an unprecedented rate, and each day brings new complexities and considerations for those who want to apply it in their business. As such, it's important to outline and explain to your employees that the acceptable usage policy will be reviewed at defined timeframes to ensure its relevance in line with your organisation's risk appetite. In that sense, you might want to include the following:
"Company ABCD will review this Acceptable Usage Policy on an annual basis or as needed to ensure that it remains relevant and effective, in line with our risk appetite for generative AI use cases.
Any changes or updates to this policy will be communicated to all employees via email or other means of communication.
Company ABCD reserves the right to make changes to this policy at any time, without notice.
Employees are encouraged to provide feedback on this policy and suggest any changes or improvements that could be made."
Closing Thoughts
We are just getting started with generative AI, but things are moving so quickly that it’s hard to stay on the treadmill without fear of falling off and being left behind. I’ll continue to share what I think is useful as the tectonic plates of generative AI keep shifting beneath our feet. Indeed, generative AI undoubtedly provides massive potential for us to unlock unknown value across industries, but we need to ensure that a fine line is trodden to control the superpowers of perhaps one of the greatest technological advancements of our time. 🤖