Write an AI-use policy before we let staff use ChatGPT at work?
Public AI services caused 42% of enterprise data leaks in 2024, yet 71% of knowledge workers use AI outside governance, exposing organizations to significant risk and loss of control.
The question
Our employees are already using ChatGPT and similar tools for work, with no formal policy. Do we write and roll out an acceptable-use policy now — covering what data can go in, which tools are approved, and what is off-limits — or is a formal policy premature for a company our size?
Counsel's position
Implement a clear, phased acceptable-use policy now to mitigate escalating data security and compliance risks while enabling productive AI use.
Verdict
The verdict: Implement a clear, phased acceptable-use policy now to mitigate escalating data security and compliance risks while enabling productive AI use.
Public AI services caused 42% of enterprise data leaks in 2024
Given your employees are already using ChatGPT, the absence of a formal policy exposes your proprietary data to third-party models.
71% of knowledge workers use AI outside organizational governance frameworks
Waiting to establish an acceptable-use policy allows "Shadow AI" to proliferate, significantly increasing your risk of a costly data breach.
Unapproved AI usage trades organizational visibility for local task speed
High employee adoption of AI without an acceptable-use policy results in speed at the expense of visibility and control.
Shadow AI causes data breaches in 1 in 5 organizations
Without a formal acceptable-use policy, your employees' casual use of personal AI accounts can inadvertently leak proprietary code or customer records to third-party servers.
98% of practitioners manage AI spend without adequate scale guardrails
While establishing an acceptable-use policy, you must also implement automated guardrails to prevent unchecked spending as non-technical users adopt AI tools.
Read another verdict
- How do we show the board our AI is actually governed?
- Let an AI agent act on its own — or keep a human in the loop?
- Cut back junior hiring because AI can do the work?
- Put one person in charge of AI — or is a Head of AI premature for us?
- Slow our EU AI Act prep now the deadline's moved to 2027?
- Stand up a FinOps practice for tokens and GPUs now?
- Pay for the 'agentic' tier upgrade — or wait for proof?
- Set our LLM data retention policy now, or wait for an incident to force it?