AI Use Policy Template (One-Pager)
Fill-in-the-blank one-page AI use policy. What data can/can't touch AI, who approves, how to escalate.
Most professional services firms need an AI policy yesterday. Partners are using ChatGPT for client work. Associates are feeding case files into Claude. Nobody knows what's allowed.
This template gives you a complete, fill-in-the-blank one-page policy you can deploy this week. It covers data boundaries, approval workflows, and escalation paths. Print it, post it, enforce it.
Why You Need This Now
Without a written policy, you have:
- Partners uploading client data to public AI tools
- No audit trail when something goes wrong
- Zero defense if a client asks about your AI safeguards
- Inconsistent guidance across practice groups
A one-page policy solves this. It's short enough that people will actually read it. It's specific enough to be enforceable.
The Template (Copy and Customize)
[FIRM NAME] AI USE POLICY
Effective Date: [DATE] | Version 1.0
1. APPROVED AI TOOLS
The following AI tools are approved for firm use:
- Microsoft Copilot (M365 Enterprise): Client data allowed, covered under BAA
- ChatGPT Enterprise: Non-client work only (research, drafting templates)
- [FIRM-SPECIFIC TOOL]: [USAGE PARAMETERS]
All other AI tools require written approval from [TITLE/COMMITTEE].
2. DATA CLASSIFICATION RULES
RED (Never in AI): Client names, case details, financial records, SSNs, health data,
attorney work product, privileged communications, anything covered by NDA.
YELLOW (Approved Tools Only): Anonymized case summaries, general legal research,
internal process documents, public filings.
GREEN (Any Approved Tool): Marketing copy, blog drafts, general business writing,
publicly available information.
When in doubt, treat it as RED.
3. REQUIRED PRACTICES
Before using AI on any work product:
- Strip all client identifiers (names, case numbers, dates, locations)
- Verify the tool is on the approved list
- Review AI output for accuracy and hallucinations
- Disclose AI use to clients when required by engagement letter
Never copy-paste AI output directly into client deliverables without review.
4. APPROVAL PROCESS
New AI tool requests:
1. Submit request to [TITLE/EMAIL] with tool name, vendor, use case, data handling
2. [COMMITTEE] reviews within 5 business days
3. IT Security conducts vendor assessment (if approved)
4. Final approval requires sign-off from [TITLE] and General Counsel
Emergency requests: Contact [NAME] at [PHONE].
5. REPORTING VIOLATIONS
If you observe:
- Client data in unapproved AI tools
- Unreviewed AI output sent to clients
- Pressure to bypass this policy
Report immediately to [TITLE/EMAIL] or anonymous hotline [NUMBER].
No retaliation. Period.
6. CONSEQUENCES
First violation: Mandatory retraining
Second violation: Written warning, supervisor notification
Third violation: Suspension or termination
This policy applies to all attorneys, staff, contractors, and vendors.
Questions: [EMAIL] | Full AI Guidelines: [INTRANET LINK]
How to Deploy This Policy
Step 1: Fill in the brackets. Replace every [PLACEHOLDER] with your firm's specifics. If you don't have an AI Governance Committee, assign responsibility to your COO, CTO, or managing partner.
Step 2: Get leadership sign-off. This needs buy-in from your managing partner and general counsel at a minimum. If you have a risk committee, loop them in.
Step 3: Announce it firm-wide. Send the policy as a PDF attachment in an all-hands email. Subject line: "New AI Use Policy - Effective Immediately." Include a 2-sentence summary in the email body.
Step 4: Post it everywhere. Pin it in Slack. Add it to your intranet homepage. Print it and tape it in the break room. Make it impossible to miss.
Step 5: Train your people. Schedule 15-minute practice group meetings to walk through the policy. Focus on the data classification rules - that's where most violations happen.
Customization Guide by Firm Type
Law Firms: Add a line under Required Practices: "AI use must comply with Model Rule 1.1 (competence) and 1.6 (confidentiality). When in doubt, consult conflicts/ethics counsel."
Accounting Firms: Expand the RED category to include: "Tax returns, financial statements, audit work papers, client financial data, anything subject to SOX or SEC regulations."
Consulting Firms: Add to Required Practices: "Client-facing deliverables must include standard AI disclosure: 'This document was prepared with AI assistance and reviewed by [FIRM] professionals.'"
Small Firms (under 20 people): Simplify the approval process. Replace the committee with a single decision-maker: "All AI tool requests require approval from [Managing Partner Name]."
Common Mistakes to Avoid
Mistake 1: Making it too long. If your policy runs over one page, nobody will read it. Cut ruthlessly. Link to detailed procedures separately.
Mistake 2: Vague data rules. "Use good judgment with sensitive data" is not a policy. The RED/YELLOW/GREEN classification system works because each category is clear-cut and leaves no room for interpretation.
Mistake 3: No enforcement. If you don't follow through on consequences, the policy is worthless. Document violations. Apply penalties consistently.
Mistake 4: Set-it-and-forget-it. AI tools change monthly. Review this policy quarterly. Update the approved tools list as you vet new vendors.
Mistake 5: Blocking everything. An overly restrictive policy drives AI use underground. Better to permit specific tools with guardrails than ban everything and lose visibility.
What to Do After You Deploy
Week 1: Monitor compliance. Ask associates randomly: "What's our policy on using ChatGPT for client work?" If they don't know, your rollout failed.
Week 2: Set up tracking. Create a shared spreadsheet or form for AI tool requests. You need visibility into what people want to use.
Month 1: Collect feedback. Are people confused about data classification? Is the approval process too slow? Adjust based on real usage patterns.
Quarter 1: Audit adherence. Spot-check work product for undisclosed AI use. Review browser logs if you have monitoring tools. Address violations immediately.
The Bottom Line
This policy takes 30 minutes to customize and gives you immediate, enforceable AI governance. It's not perfect. It won't cover every edge case. But it's 100x better than the nothing most firms have today.
Deploy it this week. Refine it next quarter. Your malpractice carrier will thank you.

Reviewed by Revenue Institute
This guide is actively maintained and reviewed by the implementation experts at Revenue Institute. As the creators of The AI Workforce Playbook, we test and deploy these exact frameworks for professional services firms scaling without new headcount.