Let employees use AI without your organization losing control.
An AI policy only works when employees can actually use it. We turn ChatGPT, Copilot, SaaS AI features, data use and AI Act/GDPR signals into clear rules, tool agreements, review moments and evidence that leadership, IT, legal and HR can support.
Recognizable signals
An AI policy usually fails not because the text is bad, but because it does not match how people actually work.
Employees use ChatGPT, Copilot or AI in SaaS tools, but do not know which data they may enter.
IT has approved tools, while teams also use separate AI apps or vendor features outside the process.
Legal or compliance has a policy document, but managers lack practical do’s, don’ts and review rules.
HR or L&D trains employees, but policy, role mapping and evidence logging do not connect.
Procurement buys AI features without fixed vendor questions, contract points or acceptance criteria.
Leadership wants AI productivity, but asks the right questions: who owns this, where is the boundary and how do we show it?
What must your AI policy decide?
We do not create a paper policy that disappears into a folder. The sprint turns risks into rules teams can follow and managers can enforce.
Approved tools
Which AI tools and SaaS AI features employees may use, under which conditions and with which data.
Prohibited data types
Clear boundaries for customer data, employee data, trade secrets, source code, medical data and confidential documents.
Use-case levels
What is free to use, what requires review, what must go through intake and what is prohibited or temporarily blocked.
Human review
When output must be checked, traced, documented or reviewed by a second person.
Sources and hallucinations
Rules for source verification, legal or policy output, customer communication and external publication.
New AI tools
A practical intake process for new tools, vendor claims, contract questions, DPIA/FRIA signals and register action.
Roles and training
Who needs additional AI literacy, role-based instruction or periodic refresh.
Evidence and ownership
Who maintains the policy, where decisions are logged and which evidence is available for customer, audit or leadership questions.
Approach
1. Reality check
We start with actual AI use: tools, teams, data, workflows, vendor features and existing agreements.
2. Risk levels
We separate low-risk experiments from sensitive data, people decisions, legal output and regulated workflows.
3. Policy and playbook
You get a core policy plus practical work rules: what is allowed, what is not, what needs review and where teams can go.
4. Rollout and evidence
We connect policy to training, inventory, vendor questions, a decision log and a management or quarterly review rhythm.
Logical next steps
Shadow AI in your organization
Make visible which AI tools and SaaS AI features teams already use before policy rests on assumptions.
AI inventory setup
Record known AI systems, owners, purposes, risks and evidence status.
AI literacy evidence 2026
Make sure employees not only receive rules, but can show they understand responsible AI use.
Frequently asked questions
Is an AI policy template enough?
Usually not. A template helps as a starting point, but without tool choices, data boundaries, ownership, training and an intake process, policy remains too abstract for daily use.
Should we block ChatGPT or Copilot?
Not automatically. Blocking may be needed temporarily for sensitive workflows, but it is often more effective to define approved tools, prohibited data types, review rules and escalation.
How does AI policy relate to the AI Act and GDPR?
AI policy does not replace classification, DPIA/FRIA or vendor review. It does make employees, managers and IT follow the same practical rules and helps evidence connect to inventory, training and governance.
How long does this take?
That depends on scope, teams and current maturity. Often we start with a compact policy sprint or gap intake and then decide whether shadow AI, inventory or training should run in parallel.
Is this legal advice?
No. Embed AI helps with practical governance, implementation, evidence and workable rules. For formal legal advice or representation, involve legal counsel.
Does your organization already have AI rules people actually use?
Start with the Gap Intake. We define which tools, teams, data and risks should land in your AI policy first.
Make my AI policy workable