Most AI policies are written for lawyers, not for the people who need to follow them.
They're comprehensive. Well-organized. They cite relevant regulations and establish governance frameworks and define accountability structures. They're also unread by 95% of the people they apply to, and when someone does something the policy prohibits, the reason is almost never "I didn't know it was prohibited." It's "I didn't understand why it mattered."
We built an AI policy for a distribution company from scratch. The policy needed to cover a field operations team, a customer service team, administrative staff, and a management layer, all with different levels of AI familiarity and different risk profiles in terms of what they'd do with AI tools if left unsupervised.
Here's what we learned.
Start with the behavior you're actually worried about
Before writing a single policy sentence, we spent two hours with the leadership team asking one question: what are you actually afraid will happen?
The answers were specific:
- Field technicians taking photos of customer equipment and uploading them to consumer AI apps
- Customer service reps using AI-generated responses without reviewing them for accuracy
- Management using AI to analyze employee communications without disclosure
- Someone inputting customer PII into a free chatbot to help draft a letter
These aren't theoretical scenarios. They're the things that happen when a workforce gains access to powerful consumer AI tools without guidance, which is what's happening right now in every organization that doesn't have a policy.
The policy we wrote addressed each of these scenarios directly, not as abstract prohibitions but as concrete examples. "Do not upload photos of customer equipment to consumer AI applications such as ChatGPT or Google Gemini" is more actionable than "respect customer data privacy when using AI tools."
Write for the person with the least AI familiarity
The policy needs to work for the employee who has never thought about where data goes when they type it into a chatbot. Not the data scientist who understands model training pipelines. The dispatcher who figured out that ChatGPT helps her draft difficult emails and has been using it for six months.
This means defining terms that seem obvious. "Consumer AI applications" needs to be defined and examples need to be named. "Sensitive business information" needs to be defined with concrete examples. "AI-generated content" needs to be defined so that autocomplete suggestions don't get swept into the policy inadvertently.
It also means plain language without exceptions. "Never use AI to make employment decisions without human review" is clear. "AI should not be a primary factor in employment-related determinations absent appropriate human oversight mechanisms" says the same thing but requires parsing.
The three categories that matter
Every AI policy covers a lot of ground. Not all of it is equally important. The three categories that drive the most risk and need the most guidance:
Data handling. What can employees put into AI systems? What can't they? The answer needs to be specific: customer PII (no), proprietary pricing (no), industry-standard information (yes, with caveats), draft communications that don't contain confidential information (yes). The test that's easy to communicate: "Would you be comfortable if a customer saw everything you typed into this system?"
Output review. AI-generated content is not finished content. It requires review. This applies to customer communications, financial analysis, reports, and code. The policy should specify who reviews what, not as a bureaucratic layer but as a clear statement that the human is responsible for the output, not the AI.
Disclosure. When is it appropriate to tell customers, partners, or other employees that AI was involved? This is the most culturally variable question, and it requires actual discussion rather than a blanket rule. The answer for a customer service team is different from the answer for a management team preparing financial reports.
The training problem
A policy document is not training. A policy document plus a one-time all-hands presentation is not training.
Training is the ongoing process by which people internalize why the rules exist, not just what the rules say. The why is what drives behavior in edge cases: situations the policy didn't anticipate, where the employee has to make a judgment call.
For the distribution company, we built the policy and then ran a series of scenario-based training sessions. Half-hour discussions organized by team, built around realistic situations that team members might actually encounter. Not case studies from other companies. Scenarios that the specific team could imagine themselves in.
The test of effective training is not whether employees can recite the policy. It's whether they make good decisions in situations the policy doesn't explicitly cover. The only way to know that is to create those situations in training and see what happens.
What the policy can't do
An AI policy creates accountability. It doesn't create judgment.
The most common AI policy failure is treating policy as a substitute for conversation. Write the rules, distribute the document, check the compliance box. Employees who never understand why the rules exist will follow them when someone is watching and ignore them when it seems like nobody is.
The organizations that get this right treat the policy as a starting point for an ongoing conversation about how AI fits into their specific work: what it's good for, what it's bad for, and where it creates risk they haven't thought about yet.
That conversation is more valuable than any document. The document creates the structure for the conversation to be productive. Neither one works without the other.
The version 2 problem
Every AI policy will need a version 2 within twelve months. Probably sooner.
The tools are changing faster than any policy document can track. Version 1 should be designed with that in mind: core principles that remain stable (data handling, output review, disclosure) plus specific guidance that will need to be updated as the landscape changes.
Build the update cadence into the policy itself. "This policy will be reviewed every six months by [name]" is a commitment that keeps the document from becoming shelfware the moment the tools shift.
PurviewX helps organizations build AI governance that works for the people who have to follow it.