First up in the list that we all learned in elementary school is the “who.” Who needs an AI policy and who should it apply to? Well, this is an easy one, everyone. Even if you’re not the kind of company that has a lot of policies, an AI policy is especially important today. We’ll get more into the why later, but just about everyone is using AI these days in some fashion for work. Even people that can barely use a computer have heard about it, understand its usefulness, and have found someone in the office to show them how to get it to do a task they don’t want to do. So, make your AI policy company-wide, even if they don’t have a computer.

What is an AI policy and what should I put in it? First off, it doesn’t need to be much. You can probably fit it in a paragraph, and it doesn’t need to be signed off by your attorney. It should cover what tools are approved to use, what you are allowed to put in your prompts, who owns the output, and what needs human review before you publish it. Starting off with something as easy as, “We use Microsoft Copilot here. Only use Copilot when logged into your Work Account. Only enter confidential information if you see the EDR Shield in your chat. Our company owns the output from the agent. All AI-produced content needs to have a human review before it is published either internally or externally.” That’s all you need to get started.

Honestly, I’m reaching a bit for the where, but here goes. The where applies to everywhere you use AI. This is on phones, laptops, desktops, cloud, everywhere. And AI is, you guessed it, everywhere. So, whether you’re chatting with Gemini on your drive in through Android Auto, you have a personal ChatGPT that you have trained just like you want, or you are searching the Internet, there is some AI in play. This policy needs to apply to all the above. Okay, maybe not too much of a reach after all.

When is an easy one, that’s right now. As soon as possible. These things are already in use, and you need a policy now. We are seeing more tools reading people’s emails, sitting in at meetings, and gathering data all the time. Enacting a policy now will help people to think about what they’re putting into AI tools, and it needs to be swift.

And finally, why? This is the big one, and there are more reasons than I could possibly list. For one, if you think AI isn’t prevalent at your organization, you’re not talking about it enough. On many occasions, we hear about the less-than-savvy employee who has a task they want AI to get done, like write them the “How is this going to benefit the community” line on a grant. They ask the “techy guy” who has been playing with it at home, and he’s quick to show them how easy it is to sign up for a personal ChatGPT account to get it done. It’s not a problem that the employee wants to use AI to help write his grant proposal, it’s the personal tool that he just entered all the details of the business into. Your AI policy stops this before it happens because everyone knows what’s acceptable and which tools your business trusts with their data.

It also helps to get everyone on the same page. There are most likely some folks at your company that are going head-first into AI in the workplace. They’ve asked for a license to do it the right way and are producing amazing things with those tools in record time. Then some staff are still doing things the way they’ve always been done. They’re falling behind. An AI policy starts the conversation with your whole team and helps them catch up.

So, the bonus question after the W’s is the big H, how? It’s not that hard. Most importantly, start talking about it with your teams, and have them start talking about it internally. See what tools are being used, what they’re doing with them, and who is using them. Then have a meeting to discuss what you want your policy to say. Finally, this is the first draft. Revisit it often. Does it still work? Are there new tools we need to add? Make it firm, but also flexible for rewrites. This is a new frontier, and we’re all just figuring it out as we go. But start now, because it’s here even if you haven’t seen it.

-Nate