Free Resource · No Email Gate
AI Acceptable Use Policy — a free, plain-language template.
The same AUP structure ETTE uses inside Foundations engagements, published in full. Copy it, replace the bracketed placeholders, delete what doesn't apply, and roll it out in an afternoon.
By the ETTE AI practice team · Published July 6, 2026 · Reviewed against ETTE's internal AI usage policy
How to use this: everything in the bordered section below is the template. Text in [brackets] is yours to fill in. The design goal is the hallway test — a staff member should be able to answer "can I use this tool for this task?" in under a minute. Keep it to two pages; if a section grows past that, the content probably belongs in your operating model, not your AUP.
What this isn't: legal advice. Have counsel review the adapted version, especially if you handle regulated data (HIPAA, FERPA, CJIS, or grant-mandated confidentiality).
[Organization Name] — AI Acceptable Use Policy
Version 1.0 · Effective [date] · Owner: [name, title] · Next review: [date + 3 months]
1. Purpose and scope
This policy explains how staff, contractors, and volunteers at [Organization Name] may use artificial intelligence tools in their work. It applies to any AI tool — chat assistants, writing aids, meeting notetakers, translation tools, and AI features built into software we already use — whether accessed on an organization device or a personal one, whenever the content involved is work-related.
We encourage thoughtful use of AI. This policy exists to make the boundaries clear so you can use these tools confidently, not to discourage their use.
2. Approved tools
The following tools are approved for work use, on organization-managed accounts only:
- [Tool 1 — e.g., "Claude for Work under our organization account"] — approved for [drafting, summarizing, research, analysis]
- [Tool 2 — e.g., "Microsoft 365 Copilot"] — approved for [use within our tenant]
- [Tool 3] — approved for [scope]
Personal accounts on free or consumer AI tools may not be used for work content. If a tool you want isn't listed, ask [owner name] — you'll get an answer within one business day. This list is reviewed quarterly.
3. Data rules — the three buckets
🟢 Green — use freely in approved tools: content that is public or intended to be public: published web copy, press releases, blog drafts, event descriptions, general research questions.
🟡 Yellow — approved tools only, apply judgment: internal working content: meeting notes, internal drafts, project plans, unpublished reports. Fine in approved organization-account tools; never in personal-account tools.
🔴 Red — never enters any AI tool without written approval from [owner]: donor, member, or client personally identifiable information; financial account data; health information; personnel records; anything covered by an NDA, grant confidentiality clause, or regulatory requirement [list yours: HIPAA / FERPA / etc.]; passwords and credentials.
Not sure which bucket something is in? Treat it as red and ask. Asking is never the wrong move.
4. Human review
AI output is a draft, not a deliverable. Nothing AI-assisted goes to a donor, member, client, board member, or the public until a person has reviewed it, verified any factual claims, and taken ownership of it as their own work. You are responsible for what you send, regardless of what drafted it.
5. Questions and ownership
[Name, title] owns this policy. Questions about tools, data, or specific use cases go to [contact channel] and will be answered within one business day. Unusual or first-of-a-kind requests get a quick yes / no / needs-review — not a committee.
6. If something goes wrong
If work data ends up in the wrong tool — including by accident — report it to [owner] the same day. Our response will focus on containing the issue, not on blame. Honest, fast reporting is the behavior this policy is designed to protect.
7. Review
This policy is reviewed every [3/6] months by [owner], including the approved-tools list and data buckets. Suggestions are welcome at any time.
Template by ettebiz.ai, the AI practice of ETTE (Washington, DC). Free to adapt for your organization's internal use; attribution appreciated but not required.
Adapting it: three tips from real rollouts
- Name real tools, resist "and similar." The vagueness feels safer but reintroduces the ambiguity that created shadow AI in the first place. A short concrete list plus a fast question lane beats a broad standard.
- Localize the red bucket. The single highest-value edit is replacing our generic red list with your actual sensitive data: your donor database, your case-management records, your grant's specific confidentiality clause. Staff recognize their own systems by name.
- Launch it with capability, not as a memo. When ETTE introduced its own AI usage policy internally, it arrived at the AI Champions kickoff bundled with tool access and live demonstrations. Rules that arrive alongside a genuinely useful capability get followed; rules that arrive alone get filed.
Beyond The Policy