How to set an AI policy that levels people up
Most company AI policies are either a scary ban that drives use underground or a vague memo nobody reads. A good one is short, says yes more than no, and comes with training.
In short
A good AI policy is short, names the approved tools and the data redlines, and says yes more than no.
- The two failure modes are the scary ban, which drives AI use into the shadows, and the vague memo nobody reads.
- Hard data rules and an enabling tone are not opposites; you can enforce the redlines and still default to yes.
- A policy only works when it's paired with training, so people can actually operate well inside it.
Most AI policies fail in one of two ways
Your team is already using AI, with or without a policy. The only question your AI policy answers is whether that use happens in the open, where you can guide it, or in the dark, where you can't. Most policies get this wrong in one of two ways. The first is the scary ban: a document that treats AI as a liability to be contained. It doesn't stop people using AI; it just stops them telling you. The second is the vague memo: a paragraph about using good judgment that nobody reads and nobody can act on. Both leave you exactly where you started, except now you have a file that says you did something. By one Gallup figure, well over half of US companies still operate without a fully implemented AI policy, even as use climbs.
A policy that works does the opposite of both. It's short enough to read in one sitting, it says yes more than no, and it's specific about the few things that actually matter. The goal isn't to cover yourself; it's to let people do good work with AI without guessing where the lines are.
A ban doesn't stop AI use, it blinds you to it
It's worth being concrete about why the lock-it-down instinct backfires. When IDC looked at workplace AI, a majority of employees were using unauthorized tools, while only a minority used AI their organization actually provided and governed. A ban widens that gap; it doesn't close it. And the cost isn't hypothetical: IBM's 2025 breach research found incidents involving shadow AI carried materially higher average costs than those without. So the ban produces the worst of both worlds, no visibility and more risk, because the use moves to personal accounts and unsanctioned apps where you have no controls at all. If AI use is already happening in the dark at your company, the first move is to surface it, which our piece on a shadow AI policy walks through. The point of a policy is to bring the existing appetite into the light, not to pretend it away.
What every AI policy should contain
A ban doesn't stop people using AI. It stops them telling you. A good policy brings the use into the light, where you can actually guide it.
Enabling and enforced are not opposites
Here's the fair objection: in a regulated or high-stakes shop, doesn't enablement just mean letting people do risky things? Don't you need hard restrictions, legal-first language, and enforced technical controls? Yes to the controls, and that's the point most people miss. Enabling and enforced are not opposites. The data redlines should be hard and, where possible, technically enforced, so the genuinely sensitive categories are blocked by default. Everything around those redlines should default to yes, in plain language, so people aren't paralyzed by a thirty-page document they never open. A short policy people actually read, plus enforcement on the few things that matter, plus training, beats a long legal artifact that produces paper compliance and nothing else. Most organizations have a policy on paper; far fewer have one that changes behavior, and the difference is whether it enables or just forbids.
A policy without training is just paper
The part nearly every policy skips is the part that makes it real. A rule that says 'review AI output before relying on it' assumes people know how to judge AI output, which is a skill, not a default. So the policy and the training behind it are one investment, not two. This is now true in a legal sense as well: the EU AI Act made a baseline of AI literacy an obligation for organizations using AI, which reaches non-EU companies with EU staff or users, so for many firms the policy and the training are entangled by law. But you'd want them entangled regardless, because a policy people can't operate inside is just a document. Pair the rules with hands-on AI literacy scaled to each role, and the policy stops being a wall and becomes a floor people can stand on. When you're ready to write it, our AI policy generator gives you a draft to start from.
Common questions
What should a company AI policy include?
A named list of approved tools, a hard list of what must never be pasted into public tools, where a human must review and own AI output, when to disclose AI use, a few examples of good use, a named owner, a review cadence, and the training that backs it. Keep it short enough to read in one sitting, and pair it with AI literacy so people can work inside it.
Should we just ban AI at work?
No. A ban doesn't stop AI use; it drives it onto personal accounts and unsanctioned apps where you have no controls, and shadow AI use carries higher breach costs. A short, enabling policy with hard data redlines brings the existing use into the open, which is safer than pretending it isn't happening.
How long should an AI policy be?
Short enough to read in one sitting. Length is a tell that it won't be read, and an unread policy changes no behavior. Make the data redlines hard and specific, default to yes everywhere else, and put the depth into the training, not the document.
Does the EU AI Act require an AI policy and training?
The EU AI Act created a baseline AI-literacy obligation for organizations that use AI, including non-EU companies with EU staff or users, which effectively ties policy and training together. Even setting the law aside, a policy without training is just paper, because people can't follow rules they were never equipped to apply.
Write a policy people can actually work inside
Candova pairs a clear AI policy with hands-on training, so your team knows the rules and how to do good work within them.

Written by
Rich Hornstein
CFO & General Counsel of Candova
Rich is a CPA and an attorney with more than 25 years in finance and law at high-growth technology companies. He led Quotient Technology (formerly Coupons.com) through its roughly billion-dollar IPO as both CFO and General Counsel, and held finance and legal leadership roles at companies including McAfee and LogLogic before joining Study.com and Candova.