# AI Usage Policy

Organizational rules governing how employees can use AI tools, what data can be shared with AI, which tools are approved, and what use cases are prohibited. The practical enforcement layer of [[AI Governance]].

## Why every organization needs one

Without a policy, employees use AI however they see fit. Some paste proprietary code into ChatGPT. Some upload confidential documents to free-tier tools. Some let AI make decisions without review. An AI usage policy sets boundaries before incidents happen.

## What a policy covers

### Approved tools and tiers

- Which AI tools are sanctioned (e.g., Claude API via enterprise plan, not consumer ChatGPT)
- Which tiers/plans are approved (API access vs consumer chat vs enterprise)
- Which [[AI Open Weight Models]] can be self-hosted
- Approval process for adopting new AI tools

### Data classification for AI

- **Public**: can be shared with any AI tool
- **Internal**: can be shared with approved enterprise AI tools only
- **Confidential**: can only be processed by self-hosted models or not at all
- **Restricted**: never share with AI under any circumstances (PII, credentials, legal privilege)
- See [[AI Privacy]] and [[AI Training Data Collection]] for why this matters

### Permitted use cases

- Code assistance, drafting, summarization, research (typically allowed)
- Decision-making, customer communication, legal/medical advice (typically restricted or requires review)
- Fully autonomous agent actions (typically prohibited without [[Human-in-the-Loop]])

### Prohibited actions

- Sharing credentials, API keys, or secrets with AI
- Using AI for regulated decisions without human review
- Bypassing AI permission systems (e.g., `--dangerously-skip-permissions` in production)
- Using consumer-tier AI tools for confidential work

### Accountability

- Who reviews AI output before it is used
- Who is responsible when AI-generated work causes issues
- Incident response for AI data leaks

## Connection to [[Enterprise Context Management (ECM)]]

An AI usage policy is one component of ECM. It defines the guardrails within which teams and individuals manage their AI context. Without it, [[Team Context Management (TCM)]] and [[Personal Context Management (PCM)]] operate in a governance vacuum.

## Related

- [[AI Governance]]
- [[AI Context Governance]]
- [[AI Privacy]]
- [[AI Training Data Collection]]
- [[AI Safety]]
- [[Responsible AI]]
- [[AI Agent Permissions]]
- [[Enterprise Context Management (ECM)]]
- [[Human-in-the-Loop]]
- [[EU AI Act]]