A starting-point policy for manufacturers whose teams are already using AI—sanctioned or not. Replace every [bracketed placeholder], delete what doesn't apply, and have it reviewed before adoption. Aligned with the intent of ISO/IEC 42001:2023 controls for acceptable use and human oversight.
This template is provided as-is for general informational purposes and is not legal advice. Have counsel and your quality/IT leadership review before publishing.
1. Purpose
[Company Name] permits and encourages the productive use of approved artificial intelligence tools. This policy defines what is approved, what data may be used, and the oversight required—so AI improves our work without exposing our customers, our intellectual property, or our certifications to risk.
2. Scope
This policy applies to all employees, contractors, and temporary workers of [Company Name], on any device, whenever company information is involved—including personal devices and personal AI accounts.
3. Approved Tools
Only the tools listed below are approved for use with company information. Anything not listed is prohibited until reviewed and added by [owner, e.g., the AI Governance Lead].
Tool
Approved Uses
Account Type
Data Ceiling
[e.g., Claude for Work]
[e.g., drafting, summarizing, analysis]
Company-managed
[e.g., Internal]
[e.g., Quoting Agent (internal)]
[e.g., RFQ quote drafting]
Company-managed
[e.g., Confidential]
[Add rows]
4. Prohibited Without Written Approval
Entering customer drawings, specifications, CAD files, or part programs into any AI tool not on the approved list.
Entering pricing, cost data, customer lists, employee personal data, or anything covered by an NDA into consumer (personal-account) AI tools.
Using AI output in a quality-critical decision (disposition, inspection, release) without the human review defined in Section 6.
Connecting AI tools to company systems (ERP, MES, email, file shares) without approval from [owner].
Representing AI-generated work as independently verified when it has not been.
5. Data Classification Quick Rule
Public — already published. OK in any approved tool.
Confidential — customer data, drawings, pricing, quality records. Only in tools explicitly approved to that ceiling.
Restricted — [e.g., ITAR/export-controlled, regulated]. No AI use without written approval from [owner].
6. Human Oversight
AI drafts; people decide. Any output that ships to a customer, spends money, or affects product conformity requires documented human approval.
Named reviewers are accountable for AI-assisted output exactly as if they had produced it themselves.
Agent actions in connected systems are logged. Logs are retained per [records retention procedure].
7. Reporting & No-Blame Window
If you have been using an unapproved tool, report it to [owner] within [30 days] of this policy's effective date. Good-faith reports during this window will be treated as process findings, not disciplinary matters. Suspected data exposure must be reported immediately.
8. Review
This policy is reviewed [quarterly / semi-annually] by [owner] and updated as tools, regulations, and standards (including ISO/IEC 42001:2023) evolve.