Skip to content
PROMPT LIBRARY · POLICY & DOCUMENTS

Draft a first version of an AI acceptable-use policy

Produce a workable first draft of an AI usage policy for your organisation, sized to your sector and risk appetite.

Yours to copy, change, and make your own.

— THE PROMPT —

Replace every [BRACKETED PLACEHOLDER] with your own material before you send it.

You are helping a [ORGANISATION TYPE] in the UK draft its first AI acceptable-use policy. We have roughly [NUMBER OF STAFF] staff. Our main uses of AI today are: [CURRENT USES]. Our biggest worries are: [MAIN CONCERNS].

Draft a policy with these sections:
1. Purpose and who it applies to
2. What staff may use AI tools for
3. What staff must never put into AI tools (with concrete examples relevant to us)
4. Checking and accountability: who is responsible for AI-assisted output
5. Approved tools and how to request a new one
6. What happens if the policy is breached
7. Review date and owner

Rules:
- Plain English throughout. A new starter should understand it without a glossary.
- Be specific rather than legalistic. "Do not paste client names into public AI tools" beats "exercise appropriate caution".
- Mark any point where UK GDPR or sector regulation needs a specialist's review with [LEGAL REVIEW].
- Use British English.
What to fill in
[ORGANISATION TYPE]
What you are, for example "housing charity", "accountancy firm", or "multi-academy trust".
[NUMBER OF STAFF]
Approximate headcount, so the policy is sized sensibly.
[CURRENT USES]
How staff already use AI, honestly, including unofficial use.
[MAIN CONCERNS]
Your top two or three worries, for example client confidentiality or exam integrity.
— THE HONEST BIT —

Where it shines, and where it falls over.

Works best for
  • Organisations writing their first AI policy from scratch
  • Updating a generic template to fit how your teams actually use AI
  • Producing a discussion draft for a leadership or board meeting
Get more out of it
  • Paste in your existing IT or data-protection policy and ask the model to keep the new policy consistent with it.
  • Ask for a one-page staff summary alongside the full policy; most people will only read the summary.
When it fails

This gives you a first draft, not a finished policy. The model does not know your regulator, your insurance terms, your union agreements, or your existing IT policies, and it will happily write rules that contradict them. Anything marked for legal review genuinely needs it, and ideally the whole document does.

It also fails when the inputs are vague. If you tell it your concerns are "data protection" and nothing else, you get a generic policy that reads like every other template on the internet. The specific examples in section 3 are the most valuable part; feed the model real scenarios from your organisation to get them.

AI output is a first draft, not a finished product. You are responsible for whatever you send, publish, or decide with it.