A marketing agency starts using AI tools informally. Within six months: three employees have submitted confidential client briefs to ChatGPT, one account manager published AI-generated content attributed to a human author, and a data analyst used a tool that stored query data with third-party vendors.
Nobody acted maliciously. There was simply no policy. The agency loses two clients and faces potential legal liability.
This module teaches you to write an AI usage policy that actually prevents harm — one that is specific, enforceable, and usable by real people in real situations.
Meridian Marketing is a 60-person creative agency based in Chicago. In January 2024, they started offering ChatGPT+ subscriptions to all employees to "improve productivity." There was no guidance.
By June, three separate incidents had occurred. First, a junior copywriter, trying to speed up a proposal, pasted a confidential client brief into ChatGPT, asking it to summarize key insights. The brief contained information the client had explicitly marked as proprietary. Second, an account manager used Claude to generate social media content for a mid-sized client, then published it with a byline crediting the human copywriter without any disclosure that AI had been used. The client later complained they had been misled about where the content came from. Third, a data analyst used a free web-based AI tool (not ChatGPT) to analyze some marketing campaign data, only to later discover the tool's privacy policy stated it used all uploaded data to train its models.
The marketing director realized the agency had exposed itself to serious liability: potential violation of client confidentiality, misrepresentation of AI content, and unauthorized data sharing. She had to tell the CEO: we need a policy, and we need it now. The CEO asked her to write one that would actually be followed — not something that would sit in a filing cabinet.
The challenge was to create a policy that was specific enough to prevent harm, but not so restrictive that it banned tools that could legitimately help employees work better.
A complete AI usage policy addresses five distinct concerns. Without all five, you have coverage gaps that will eventually become problems.
The first concern is scope. Define what counts as "AI." Does it include ChatGPT? Claude? Copilot? Free tools? Paid tools? Custom models? Be specific. Say who the policy applies to (all employees? contractors? interns?). Say where it applies (client work? internal projects? personal use on company devices?). Vague scope means people will apply the policy inconsistently.
The second concern is permitted and prohibited uses. Can you use AI to draft emails? Yes. Can you use AI to summarize a confidential client brief? No. Can you publish AI-generated content as human work? No. Can you use AI on proprietary data? No. Be explicit about the boundaries. The goal is not to ban AI; it is to prevent the specific harms you have identified.
The third concern is data handling. Client confidential information: do not input. Employee personal data: do not input. Public information: okay to input. Internal project data (non-confidential): depends on the tool, specifically on whether it retains what is entered or shares it with third parties. Name the specific tools that are approved for different types of work. If a tool stores data with third parties, say so. Employees should know what happens to what they input.
The fourth concern is disclosure. If you deliver AI-generated content to a client, the client must know. If you train employees on AI-generated materials, disclose it. If you publish AI-assisted work, mark it. The rule: anyone affected by your use of AI has a right to know you used it. Transparency is not optional.
The fifth concern is accountability. If someone violates the policy, who investigates? Who decides on consequences? Is there a way to report violations anonymously? Who reviews the policy and updates it? If accountability is unclear, the policy becomes unenforceable.
A complete policy is actionable, specific, and enforceable because it answers all five questions.
Before you write a policy, three design questions will help you avoid the common pitfalls.
First, what is the worst-case harm you are trying to prevent? For Meridian, the worst case was leaking a confidential client brief and losing the client. The policy must make it clear: proprietary client data does not go into AI tools. Test every provision by asking: would this have prevented the incident? If not, rewrite it.
Second, is each rule specific enough to enforce? A policy that says "use AI responsibly" is useless because "responsibly" is vague. A policy that says "do not input client confidential data into any AI tool, defined as X, Y, or Z" is enforceable because it is specific. Specificity enables accountability.
Third, who approves new AI tool use before it happens? If there is no approval process, the policy is toothless. Someone (a manager, a compliance person) should review proposed AI tool use before it happens. That decision should be documented so you can prove you were following the policy if something goes wrong.
A policy is only useful if it prevents the harm you are trying to prevent and if it is enforced consistently.
You are writing an AI usage policy for an organization. Pick your organization type, then build the policy section by section. I'll help you refine each section until it is complete and enforceable.
Choose one: startup, school, hospital, law firm, or nonprofit
Start by picking your organization. Then we build each section together, starting with Scope.