Blue Vector • Free Resource

AI Acceptable Use Policy — Template

A starting-point policy for manufacturers whose teams are already using AI—sanctioned or not. Replace every [bracketed placeholder], delete what doesn't apply, and have it reviewed before adoption. Aligned with the intent of ISO/IEC 42001:2023 controls for acceptable use and human oversight.

This template is provided as-is for general informational purposes and is not legal advice. Have counsel and your quality/IT leadership review before publishing.

1. Purpose

[Company Name] permits and encourages the productive use of approved artificial intelligence tools. This policy defines what is approved, what data may be used, and the oversight required—so AI improves our work without exposing our customers, our intellectual property, or our certifications to risk.

2. Scope

This policy applies to all employees, contractors, and temporary workers of [Company Name], on any device, whenever company information is involved—including personal devices and personal AI accounts.

3. Approved Tools

Only the tools listed below are approved for use with company information. Anything not listed is prohibited until reviewed and added by [owner, e.g., the AI Governance Lead].

ToolApproved UsesAccount TypeData Ceiling
[e.g., Claude for Work][e.g., drafting, summarizing, analysis]Company-managed[e.g., Internal]
[e.g., Quoting Agent (internal)][e.g., RFQ quote drafting]Company-managed[e.g., Confidential]
[Add rows]

4. Prohibited Without Written Approval

5. Data Classification Quick Rule

6. Human Oversight

  1. AI drafts; people decide. Any output that ships to a customer, spends money, or affects product conformity requires documented human approval.
  2. Named reviewers are accountable for AI-assisted output exactly as if they had produced it themselves.
  3. Agent actions in connected systems are logged. Logs are retained per [records retention procedure].

7. Reporting & No-Blame Window

If you have been using an unapproved tool, report it to [owner] within [30 days] of this policy's effective date. Good-faith reports during this window will be treated as process findings, not disciplinary matters. Suspected data exposure must be reported immediately.

8. Review

This policy is reviewed [quarterly / semi-annually] by [owner] and updated as tools, regulations, and standards (including ISO/IEC 42001:2023) evolve.

VersionDateApproved ByChange Summary
1.0[date][name, title]Initial release