top of page

AI Acceptable Use Policy - Yes, employers need it

  • Jul 7
  • 5 min read

Employees everywhere already use Artificial Intelligence (chatbots, coding assistants, drafting tools, open-source platforms and the like) for work tasks every day. If this is untracked and/or unauthorised by the employer, this ‘shadow AI’ poses risk to the organisation on many levels, especially if the employees are blissfully unaware of those risks. There are some basic steps an employer can take to mitigate this.


Introduction

Employers cannot hope to keep up with technological advances when governing the use of technology in their workplaces. AI is already in all the rooms in the workplace – it’s inside your virtual meetings, your customer support, sales platforms, emails. It is no longer a separate issue. And far from it being an AI-engineering or ‘tech’ topic, it cuts across data handling, legal compliance, privacy, and impacts on the quality of outputs, reputation, business trust and people management.


Even if you, as an employer, have not (yet) moved into conscious AI-deployment for your organisation, you need to acknowledge the risks. Your general IT policies and regulations are a good start, but with the ease of AI availability, what happens if your employees find ways to side-step this - for example using their own devices to do a task with the help of an open-source AI tool? Or what if they are exceedingly afraid to use and explore AI tools because they do not feel safe about what they are allowed to do or not?


Ignoring this reality just pushes the risk underground (hence the term ‘shadow’ AI) - it does not expose and mitigate it. Proper governance is required that makes sense for your organisation, and acknowledging that aspects such as the protection of personal information, confidentiality, trade secrets, security breaches, ethics, and accuracy can be (inadvertently) impacted by how employees utilise AI tools, all on their own.


An Acceptable Use Policy for AI in the workplace

It is important for employers to govern based on what your people are actually doing. Find that out first, then put in guardrails and establish an ‘acceptable use’ framework to guide them toward safe use, and educate them on this. Real risk mitigation goes beyond ticking a box that employees have been trained, but should rather ensure that they really do understand the risks and the reasons for implementing various safety measures.


Investigating how your staff actually use AI (also behind closed doors) and determining the most likely risks from there, will require asking some direct questions. In each department, ask what tools people are using, and discuss what data goes into them.


Examples:

  • Personal information or company confidential information may leak through prompts.

  • The use of personal devices for work tasks are not secure and may need to be restricted.

  • All AI tools / models are not created equally: using random AI tools may carry various inherent risks and cause errors.

  • Using AI tools for tasks such as recruitment may lead to unfair discrimination claims due to hidden algorithmic biases.

  • The AI ‘black box’ (the back-end process between a prompt and an output) means that defensibility of decisions based on that output, becomes a governance- and possibly legal issue.  

  • Hallucinations – prioritising speed over accuracy may give a skewed picture if outputs are not properly reviewed.

  • Outputs generated by AI may not ‘belong’ to the user but to the developer – the fine print of some AI tools specifies copyright restrictions on certain outputs.

  • Trust in your brand may deteriorate if your customers feel that they are passed off to an AI when they seek personal interaction, and they may decide to move on.

 

Policy controls – what should be covered?

Once the uses and risks in your organisation have been broadly determined, establish a flexible user-framework that address this through guidance and direction.  


Think about how we navigate public roads. We need traffic signals to avoid serious congestion and accidents, and to encourage caution and safe driving. Navigating technology – specifically the use of AI – in the workplace is a similar process. The format of the AUP document could be a stand-alone policy, or it could be incorporated into your existing policy framework, or be added as an addendum. Just make it workable and practical, because you may need updates in this area at a much faster pace than you would normally do for a general policy review.


The following elements could be addressed in an AI Acceptable Use Policy (depending on the size of your organisation):


  • Scope – who is covered, cross-referencing with other relevant policies, stipulate what counts as an AI tool.

  • Clarify ownership and accountability for ongoing training and awareness, monitoring and auditing, escalation, approvals, compliance and discipline.

  • List any approved / authorised AI systems - possibly also with a risk assessment for each.

    [At the back end of generating this list, there should have been reviews of the relevant AI vendors and service providers: determination of who owns the outputs generated by the AI tool (e.g. the developer / operator / user/ licensee / prompt engineer); review of the provider’s data handling, retention, and disclosure policies, and the  presence or absence of confidentiality protections.]

  • Transparency – The prudence of disclosing AI use to clients / management / team members; and the ability to produce explainable outputs. For example, algorithmic outputs may be influenced by dataset biases, proprietary coding, or outdated training material.

  • Data governance – Responsible AI-use presupposes compliance with all aspects of POPIA/GDPR and other legal aspects to prevent automation bias, unfair employee profiling, disclosing confidential information, unlawful data processing and the like. [It is useful to implement a data classification system (which data is permitted, restricted, or prohibited) and to specify which may be entered into which AI tools or would need approval first; the use of anonymised data, etc.]

  • Prohibited uses: Impersonation, offensive or harmful content, discrimination, data misuse or entering confidential information into a prompt or AI interface, unauthorised integrations into company systems, the use of private devices to utilise AI tools for work tasks, etc.

  • Human oversight / review / sign-off – Ensuring explainability, defensibility and accountability even when using automated processes. Substituting human judgement with algorithmic reasoning carries risks, especially where rights are affected.

  • Procedures for obtaining permissions / approvals, for escalation and queries, for reporting issues or security breaches.

 

Some leadership considerations

Any AI policy is part of a broader framework. It does not exist in a vacuum. It must make sense for your particular workflows and your staff, align with data quality principles and your general compliance infrastructure.


Apart from educating your staff and staying updated on these fast-moving technological developments, always remember to save a thought (and reward) for the ‘behind-the-scenes’ employees involved in the deployment and use of responsible AI in your organisation. The ones who break down and build the workflows so that it makes algorithmic sense; the ones who are responsible for data integrity; the experts who train the AI models long before the prompt engineer or clever user use the AI to seamlessly generate an output.


And especially don’t forget to recognise the effort of the reviewers – those managers or subject experts who may be presented with a polished AI-generated output to ‘take a look’ and then spend significantly more time than the AI or the user did, on double-checking and cross-referencing information, assessing thought processes and checking for compliance in order to ensure accuracy and quality. You do not want to lose these people to the AI-hype.

 


© Judith Griessel   

  


bottom of page