Writing an AI Acceptable Use Policy That Does Not Kill Innovation
A poorly written AI AUP bans everything employees need or is too vague to guide anyone. Here's how to write one that works for security and operations alike.
Deliverables
One control set mapped to NIST AI RMF, ISO/IEC 42001, and the EU AI Act, so you can evidence alignment with all three frameworks from a single body of work instead of running three parallel compliance efforts.
Complete inventory of models, datasets, and use cases with a risk score tied to your enterprise risk register.
Acceptable-use policy that tells employees what tools are approved, what data is off-limits, and how to ask for exceptions — in plain English.
Every model gets evaluated on safety, bias, and fit before production, and re-evaluated on a defined cadence and whenever the model, its training data, or its use case materially changes.
When something goes wrong, you have a pre-approved path: triage, contain, notify, document.
FAQ
Not necessarily. But aligning with it now makes future certification or customer attestation far cheaper.
If you do business in the EU or have EU users, likely yes. We help scope applicability and prioritize controls.
Every policy has an owner, an enforcement mechanism, and a review cycle. If it doesn't, we don't write it.
Related insights
NIST AI RMF, ISO 42001, and the EU AI Act overlap significantly. Here's how to satisfy all three without building three separate compliance programs.
Air Canada was ordered to honor a refund policy its customer-service chatbot invented. The tribunal rejected the airline's argument that the chatbot was a separate entity responsible for its own statements and treated the chatbot's answer as the company's own representation to the customer.