| An AI acceptable use policy is a short written document that tells staff which AI tools they may use at work, what company or client data they may enter into them, and who to ask before adopting a new one. It turns unmanaged, ad-hoc AI use into a clear, safe standard the whole business follows. |
Someone in your business is already using AI at work. They are drafting emails in ChatGPT, summarising meeting notes with a free tool they found last week, or pasting a client contract into a chatbot to get a plain-English version.
None of them are trying to cause harm. They are trying to get through the day faster. The problem is that nobody has told them where the line sits, so each person is left to invent their own.
Picture a Christchurch accounting firm at the end of a busy month. A staff member drops a client’s full financial summary into a free AI tool to get a quick draft of a report. It saves twenty minutes. It also sends confidential client data to a company nobody in the firm has ever assessed, under terms nobody has read, before anyone stops to think about it.
This guide explains what such a policy is, why South Island businesses need one now, and what to put in it. By the end you will know how to set clear boundaries before an accidental data leak or a compliance question forces the issue.
What Is an AI Acceptable Use Policy?
An AI acceptable use policy is a written rulebook that sets out how your staff are allowed to use AI tools at work. It names the tools that are approved, defines what information can and cannot be entered into them, and explains how to get a new tool cleared before anyone starts using it.
Think of it as the AI equivalent of the internet or email use policy your business probably already has. It does not try to ban the technology. It gives people permission to use it well, with guard rails that protect your data, your clients, and your legal position.
A good policy is short and readable. Staff should be able to open it, understand what is expected of them in a few minutes, and know who to ask when they hit a grey area. A twenty-page legal document that nobody reads protects no one.
It is worth being clear about what the document is not. A technical manual or a one-off warning email will not do the job. What you want is a standing reference that staff return to, that new starters read as part of onboarding, and that a manager can point to when someone asks whether a tool is allowed. That permanence gives it its value.
How Is It Different From a General IT Policy?
A general IT policy covers devices, passwords, software, and acceptable internet use. It rarely says anything specific about generative AI, because most were written before these tools became everyday.
AI raises questions that older policies never anticipated. Where does the data go when a staff member pastes it into a chatbot? Can that information be used to train someone else’s model? Is the output accurate enough to send to a client? An AI usage policy answers those questions directly.
The safest approach is to treat this as a focused addition, not a rewrite of everything you already have. Your existing rules on passwords and devices still stand. You are simply adding the layer that covers a technology those rules never contemplated.
Who Needs One?
Any business where staff have access to AI tools needs one, and today that means almost every business. The tools are free, they run in a browser, and they need no approval to start using.
Smaller firms sometimes assume policies are only for large organisations. In practice a ten-person accounting or law firm faces the same client-confidentiality risk as a large one, with far less room to absorb a mistake.
The industries with the most at stake are the ones handling sensitive information every day: professional services, healthcare, finance, and any business bound by client contracts. If your work involves other people’s private data, the case for clear rules is strongest of all.
Why Does Your Business Need an AI Acceptable Use Policy Now?
Your business needs an AI acceptable use policy now because staff are already using these tools, whether or not anyone has approved them. Every day without clear rules is a day where sensitive information could be entered into a tool you have never assessed.
The risk is not theoretical. Client records, financial figures, staff details, and draft contracts are being typed into public AI tools across New Zealand right now, often by people who genuinely believe they are being efficient and helpful.
Once data leaves your systems and enters a third-party tool, you lose control of it. You cannot always be sure where it is stored, who can see it, or whether it will be retained and reused. For a business bound by client confidentiality, that is a serious exposure.
There is a second reason to act early. Setting expectations while AI use is still forming is far easier than trying to claw back habits after they have set. Staff who learn the rules up front rarely push back. Staff who have been left to their own devices for a year understandably feel policed when rules arrive late.
The pace of adoption makes this urgent. A year ago, a handful of people in a typical business were experimenting with AI. Today it is woven into daily tasks across most teams, often through free tools chosen individually. Every month you wait, the habits you will eventually need to reshape grow deeper.
What Happens Without a Policy?
Without a policy, every staff member decides for themselves what is acceptable. One person treats a chatbot like a private notebook and pastes in anything. Another avoids AI entirely and misses genuine gains. Neither outcome serves the business.
You also lose visibility. When there are no agreed tools and no approval route, you have no idea which AI services your business data is flowing into. That blind spot is impossible to manage and hard to explain to a client or auditor who asks.
This is closely related to the wider problem of ungoverned software creeping into a business. If unapproved tools are already a concern for you, our guide to shadow IT explains how that hidden layer forms and why it matters.
How Does It Connect to Privacy Law?
Entering personal information into an AI tool is a form of disclosure, and the Privacy Act 2020 still applies. If that data ends up somewhere it should not, your business is accountable, not the tool provider.
The Act does not name AI specifically, but its principles cover how you collect, store, and share personal information regardless of the technology involved. Feeding a customer’s details into an unassessed tool can breach those principles just as clearly as emailing them to the wrong person.
A clear policy is one of the simplest ways to show you take those obligations seriously. Our overview of NZ Privacy Act compliance sets out what your wider setup needs in place, and an AI policy slots neatly into that picture.
What Should an AI Acceptable Use Policy Include?
A strong policy should include five core parts: the approved tools, the data rules, the approval process for new tools, staff responsibilities, and the consequences of breaking the rules. Together these turn a vague sense of caution into a standard for responsible AI use that people can actually follow.
You do not need to cover every possible scenario. You need to make the common decisions easy and give people a clear route for the ones that are not.

Which Tools Are Approved?
List the AI tools your business has assessed and cleared for use, and name the tasks each one is suited to. Staff should never have to guess whether a tool is allowed.
Where possible, steer people towards business-grade versions of these tools rather than free consumer ones. A paid business account often keeps your data inside your own tenant and out of model training, which removes much of the risk in a single step.
Keep the list current. New tools appear constantly, and a policy that names only last year’s options quickly loses authority. Assign someone to review and update the approved list on a set schedule.
What Data Can and Cannot Be Entered?
This is the heart of the document. Spell out clearly what information is safe to put into an AI tool and what must never be. General, non-sensitive content is usually fine. Client data, personal details, financial records, passwords, and anything covered by confidentiality is usually not.
Use plain examples rather than abstract categories. Staff understand “do not paste a client’s contract” far better than “do not disclose confidential third-party information”. Concrete lines are the ones people remember and apply under pressure.
A simple traffic-light approach works well. Green for content that is fine to use freely, amber for content that needs a business-grade tool or a manager’s sign-off, and red for information that never goes into any AI tool. A staff member can remember three colours in a busy moment; they will not remember a page of prose.
How Do Staff Request a New Tool?
Give people a simple route to ask for a new tool to be approved. If the only options are use it in secret or go without, many will choose secrecy, and you lose the visibility the policy is meant to create.
A short request form or a named person to email is enough. The message you want to send is that curiosity is welcome, provided it goes through the front door and not around it.
Aim to respond to requests quickly. If approval takes weeks, people give up and work around the process. A same-week answer, even a provisional one, keeps staff engaged with the system instead of working around it.
What Are Staff Responsible For?
Make clear that the person using the tool is responsible for checking the output before it is used. AI can be confidently wrong, and a made-up figure or a misquoted rule is your problem the moment it goes to a client.
Staff should also understand they are accountable for following the data rules. Framing it as shared responsibility, not a list of things they are not allowed to do, keeps people on side.
It helps to name the reasonable default: if you are unsure whether something is allowed, ask first. A culture where people feel comfortable checking is far safer than one where they guess and hope.
How Do You Write and Roll Out the Policy?
You write the policy by starting with a simple template, adapting it to how your business actually works, and keeping it short enough that people will read it. You roll it out by explaining the reasoning, not just the rules, so staff understand why the boundaries exist.
The document is only half the job. A policy that lands in an inbox and is never mentioned again changes nothing. The rollout is what turns words on a page into everyday behaviour.
Begin with a plain acceptable use policy template and cut anything that does not fit your business. It is far better to have one clear page that people follow than a comprehensive document they ignore. You can always add detail once the basics are in place.
Write in the language your staff actually use. Skip the legal register where you can. The goal is understanding, and a policy people grasp on first reading protects you far more than one that sounds impressive but leaves everyone guessing.

How Do You Get Staff to Follow It?
Explain the why before the what. When people understand that a leaked client record can end a relationship or trigger a privacy complaint, the rules stop feeling arbitrary and start feeling sensible.
Back the policy with a short session where people can ask questions and raise the grey areas they have already run into. Real examples from your own business make the rules stick far better than a generic briefing.
Lead by example at the top. When managers visibly follow the rules and route their own tool requests through the process, staff take it seriously. When leadership treats the policy as something for everyone else, it soon falls away.
How Often Should You Review It?
Review the policy at least twice a year, and sooner if a major new tool appears or your obligations change. AI moves quickly, and a policy that is never revisited drifts out of step with how staff are actually working.
Treat the review as routine housekeeping, not a crisis response. A quick check against the current tool list and any changes in the law is usually enough to keep the document trustworthy.
Use each review to gather feedback too. The people using the tools daily will know where the rules are unclear or where an approved option is missing, and that insight keeps the policy grounded in reality.
Where Does a Managed IT Provider Fit In?
A managed IT provider can help you assess which tools are safe, configure business-grade AI so data stays inside your control, and keep the approved list current as new options appear. That takes the technical judgement off your plate.
It also connects the policy to the rest of your setup. Sound AI adoption depends on getting the foundations right, and our guide to AI adoption covers where these tools add real value and where they do not.
Just as importantly, a provider can keep the policy alive over time. Rather than a document you write once and forget, it becomes part of an ongoing service that adapts as both the technology and your business change.
What Are the Risks of Skipping an AI Acceptable Use Policy?
The risks of skipping an AI acceptable use policy fall into three areas: data leaks, compliance breaches, and poor-quality work reaching clients. Each is avoidable, and each becomes far more likely when nobody has set the rules.
None of these risks announce themselves in advance. A business often only discovers the problem after a client raises a concern or a piece of confidential information turns up where it should not be.
The most immediate risk is data exposure. Staff paste sensitive material into public tools with no idea where it goes, and by the time anyone notices, the information has already left the building. This overlaps closely with the technical side of the problem, which our guide to AI data security examines in detail.
The reputational cost can outlast the incident itself. Clients trust you to look after their information, and news that it was fed into an unassessed AI tool is hard to recover from, even when nothing was ultimately misused.
Then there is the quality problem. AI output can look polished while being wrong, and without a rule that someone must check it, mistakes travel straight to clients. A confidently invented statistic or a misstated legal point carries your business’s name, not the tool’s.
Could It Affect Your Insurance or Contracts?
It can. Some cyber insurance policies and client contracts now expect reasonable controls over how data is handled, and an absence of any AI governance can weaken your position if something goes wrong.
Having a documented policy in place is evidence that you took sensible precautions. That evidence matters both to an insurer assessing a claim and to a client deciding whether to keep working with you.
Increasingly, larger clients and government tenders ask directly how you manage AI and data. Imagine reaching the final stage of a contract you have chased for months, then hitting a question in the RFP: describe your AI usage policy. If you can attach one clear page, you keep moving. If you have nothing, you are scrambling while a better-prepared competitor sails through.
Is It Ever Too Late to Start?
No. Even if staff have been using AI freely for months, introducing clear rules now is far better than leaving the gap open. The sooner you set the standard, the sooner your exposure starts to shrink.
Frame it as catching up with a fast-moving technology, not cracking down on your team. Most staff welcome clarity, because guessing where the line sits is uncomfortable for them too.
Set Your AI Ground Rules With Exodesk
Exodesk helps Christchurch, Dunedin, and wider South Island businesses put a clear, practical AI acceptable use policy in place, assess which tools are safe, and keep staff on the right side of the line.
Contact us today to discuss how we can help your business or connect with us on LinkedIn to stay updated with more insights.
Frequently Asked Questions
What is an AI acceptable use policy?
An acceptable use policy for AI is a set of written rules covering how staff use these tools at work. It names which tools are approved, defines what data can and cannot be entered, and explains how to get a new one cleared. The aim is to make safe AI use the easy default across the whole business.
Why does my business need an AI usage policy?
Your staff are almost certainly using AI tools already, often without any rules to guide them. Without clear boundaries, sensitive client or company data can be entered into tools you have never assessed. A policy protects that information and shows you are managing the technology responsibly.
What should an AI acceptable use policy include?
It should cover five things: the approved tools, the rules on what data can and cannot be entered, the process for requesting a new tool, staff responsibilities for checking output, and the consequences of breaking the rules. Keep each part short and use plain examples so people actually follow it.
Does the Privacy Act apply when staff use AI tools?
Yes. Entering personal information into an AI tool counts as handling that data, so the Privacy Act 2020 still applies to your business. If the information ends up somewhere it should not, your business is accountable, not the tool provider. A clear policy helps you meet those obligations.
Can I just ban AI instead of writing a policy?
A ban rarely works, because free AI tools run in any browser and are easy to use without approval. Staff who see clear productivity gains tend to use them anyway, which pushes the activity out of sight. Guiding safe use is more effective than trying to prohibit it outright.
How long does an AI acceptable use policy need to be?
Short enough that staff will read it, which usually means one to three pages. A long, legalistic document that nobody opens protects no one. Focus on making the common decisions easy and giving people a clear route for the situations the policy does not cover.
What data should never be entered into an AI tool?
As a rule, keep out client information, personal details, financial records, passwords, and anything covered by a confidentiality obligation. General, non-sensitive content is usually fine. Using concrete examples in your policy, such as never pasting a client contract, helps staff apply the rule in practice.
Who should own the AI policy inside a business?
One named person or small team should own it, so there is a clear point of contact for approvals and questions. This is often a manager working alongside your IT provider. Assigning ownership stops the policy from becoming outdated and gives staff someone to ask when they hit a grey area.
How often should the policy be reviewed?
Review it at least twice a year, and sooner if a significant new tool emerges or your legal obligations change. AI develops quickly, so a policy that is never revisited soon falls out of step with how staff are working. Treat the review as routine housekeeping and not a one-off task.
Can a managed IT provider help create the policy?
Yes. A managed IT provider can assess which tools are safe, configure business-grade AI so your data stays under your control, and keep the approved list current. Exodesk helps South Island businesses put a practical policy in place and connect it to their wider security and privacy setup.

