Artificial Intelligence offers real opportunities for productivity, creativity, and efficiency. We want everyone in the business to benefit from these tools and to do the best work of their careers with them.

However, AI also introduces new risks. Data leakage, copyright issues, and misinformation can threaten our business, our clients, and our reputation if tools are used carelessly.

This policy exists to make sure we use AI safely and responsibly. It is not here to slow anyone down. It is here to protect the business so we can continue to innovate without putting our hard work at risk.

If you find a tool that makes your job easier, we want to hear about it. Just ask before you use it so we can check it is safe.

You are responsible for the accuracy, legality, and privacy of any work you submit, regardless of whether AI was involved in producing it.

AI is a tool, not an employee. Using AI does not excuse errors, bias, or copyright infringement. You must verify all AI-generated outputs before they leave your desk.

Think of AI as a junior assistant. It is fast, eager, and helpful, but it does not know our business context, our clients, or our ethical standards the way you do. Your professional judgment is the final filter.

To keep this policy clear, here are the key terms used throughout:

Generative AI — Artificial intelligence that creates new content (text, images, code) in response to prompts. Examples: ChatGPT, Microsoft Copilot, Midjourney.

Hallucination — When AI confidently generates false, misleading, or nonsensical information as though it were fact.

Training Data — Information fed into an AI model to teach it. If company data is used as training data by a public AI tool, that data may become part of the public model and be exposed to others.

Shadow IT — The use of unauthorised or unvetted software by employees without IT department approval.

Jailbreaking / Prompt Injection — Using specific inputs to trick AI into bypassing its safety filters or security rules.

PII (Personally Identifiable Information) — Any data that could identify a specific individual: names, National Insurance numbers, addresses, phone numbers.

Anonymisation — Removing or masking sensitive details from a document before sharing it with an AI tool.

Deepfake — Synthetic media (video, audio, image) created by AI to convincingly impersonate a real person.

API (Application Programming Interface) — A software bridge that allows two applications to exchange data. Automation tools like Zapier and Power Automate use APIs.

Human Oversight — A process requiring human review and approval before an AI-generated decision is finalised.

BYOD (Bring Your Own Device) — Employees using personal devices for work purposes.

This policy applies to all forms of AI usage within the business, including but not limited to:

• Web-based tools — ChatGPT, Claude, Gemini, and similar platforms.

• Browser extensions — Grammar checkers, page summarisers, writing assistants.

• Operating system features — AI features built into Windows, macOS, iOS, or Android (e.g. Copilot in Windows, Apple Intelligence).

• Meeting recorders — Automated transcription and note-taking tools.

AI features and tools pre-installed on company devices are also covered by this policy.

To protect against data leakage, we restrict which AI tools may be used for business purposes.

Unvetted tools expose the company to Shadow IT risks, where data may be used to train public models or stored on insecure servers outside our control.

Rules:

• You may only use AI tools that have been formally approved and set up by the IT department.

• Subscriptions to unapproved AI tools will not be reimbursed.

• Any AI tool, browser extension, or plugin that is not on the Authorised Software List is prohibited.

We do not maintain a "banned apps" list because new tools appear daily. Unless a tool has been vetted and added to the Authorised List, it may not be used for company business.

Refer to Appendix A for the current Authorised AI Software List.

Innovation is encouraged. If you would like to request an AI tool to be added to the Authorised Software List, contact YOUR IT CONTACT.

They will perform an AI Vendor Review covering privacy, security, and data governance to ensure the tool is safe for your environment.

You must classify data before entering it into any AI tool. Use the following guide:

PUBLIC DATA — Safe to Use
Information already in the public domain. No restrictions.
Examples: Marketing copy, general industry research, brainstorming.

INTERNAL DATA — Use with Caution
Internal business documents that are not confidential. Anonymisation required before input.
Examples: Internal memos, process documentation, draft emails.

RESTRICTED DATA — Never Input into AI
Any data that would cause harm if leaked.
Examples: Client names, National Insurance numbers, home addresses, bank account details, credit card numbers, passwords, API keys.

If you are ever unsure how to classify a document, contact your IT department or IT provider before proceeding.

Processing data subject to specific privacy or industry regulations requires a compliance review by IT before use with any AI tool.

Most standard AI tools do not automatically meet regulatory standards. Many regulations require data to remain within a specific country or require strict audit logs that public AI tools do not provide.

Just because a tool is popular does not mean it is compliant with the laws governing your industry.

You are responsible for adhering to the regulations relevant to your role. If you have questions about compliance, speak to your IT or legal team.

Client contracts come first.

Before using AI on any client project, verify that the relevant Master Services Agreement (MSA) does not prohibit the use of AI.

If a contract forbids AI usage, you must not use it regardless of the data classification.

Meeting Recorders: Third-party AI bots (e.g. Otter.ai, Fireflies) are prohibited from joining meetings unless authorised by IT. If an unauthorised bot joins a meeting, the host must remove it immediately.

Browser Extensions: Installing browser extensions that use AI features is prohibited unless deployed by the IT department. These extensions often require full read-access to web traffic, including private emails and banking portals.

Company-provided AI accounts are company property.

The business reserves the right to audit, monitor, and review all prompts, inputs, and outputs generated on company AI accounts to ensure compliance with this policy.

Company AI accounts are monitored and should not be treated as private.

AI models frequently hallucinate — they confidently present incorrect information as fact.

You are required to fact-check 100% of AI-generated claims against a primary source.

Never rely on AI for:

• Legal statutes or case law

• Mathematical calculations

• Factual citations or historical dates

If you make a business decision based on AI output, you must validate the underlying data first.

AI-generated content occupies a complex legal grey area.

Copyright Risks: Do not use AI to generate content that copies the distinct style of existing copyrighted works or deliberately reproduces protected trademarks.

Brand Representation: Be cautious using AI to generate photos, videos, or audio representing your brand. AI often introduces subtle errors (misspelled logos, physical anomalies) that can damage professional reputation.

Code Generation: Using AI to generate software code is prohibited unless you are qualified to audit the code for security vulnerabilities. Ensure AI-generated code does not inadvertently incorporate open-source code that could create legal issues.

Creating automated workflows (e.g. via Zapier, Power Automate, Make.com) that automatically send company data to an AI API without prior IT review is prohibited.

A misconfigured automation can accidentally leak thousands of emails or files in minutes. Even if the AI tool is approved, the API connection must be secured by IT.

Using AI to clone, simulate, or mimic the voice or likeness of any person — including staff, contractors, suppliers, or public figures — is strictly prohibited unless explicitly authorised in writing by company leadership.

This includes using text-to-speech tools trained on a specific individual's voice samples.

Deepfake technology is now used to commit wire fraud.

Any urgent request for funds (wire transfers, gift cards, invoice payments) or credential changes received via voice, video, or email requires secondary verification through a known, trusted channel.

If you receive an unexpected call from a senior figure requesting money, hang up and call them back on their known internal number to verify.

AI tools lack human judgment, ethical reasoning, and real-world context. They frequently hallucinate or rely on biased training data while sounding completely authoritative.

A human must review and approve all AI-assisted decisions. This applies to any professional judgment, including but not limited to:

• Hiring and termination decisions

• Employee performance evaluations

• Financial approvals

• Strategic business planning

• Professional advice (legal, medical, financial)

Transparency is key to maintaining trust.

External Disclosure: If AI is used to generate content for a client deliverable (report, code, image, article), you must disclose the use of AI unless your contract states otherwise.

Internal Disclosure: When submitting work to a manager, flag if the content was AI-assisted to ensure proper review.

Watermarking: Where technically feasible, AI-generated images should retain their metadata or visible watermarks indicating their artificial origin.

Using AI apps on personal devices to process company data is prohibited.

You may not copy company emails, files, or chat logs into AI apps (e.g. the ChatGPT mobile app) on a personal device.

Mobile access to AI tools is only permitted via a company-managed work profile or approved apps installed by IT.

Access to company AI tools is conditional on competence.

Access is typically granted upon successful completion of required AI training programmes, including AI Security Awareness, AI Usability Training, and Ethics modules.

The company reserves the right to revoke AI access for any employee who fails to complete required annual training.

Security standards extend to the supply chain.

Contractors, vendors, and freelancers must use company-approved and provisioned AI tools when working with company data. Use of personal or free AI accounts by contractors is prohibited unless explicit written permission is granted by the IT department.

All vendors should sign this AI Acceptable Use Policy as part of their onboarding process.

All prompts, inputs, and outputs generated using company AI accounts are the exclusive property of the business.

Upon termination of employment, IT will archive the employee's AI account to ensure business continuity. Employees may not delete, export, or transfer AI chat history to a personal account prior to departure.

AI tools may not be used to generate content that violates the company's Code of Conduct or Harassment Policy.

Prohibited uses include:

• Generating discriminatory, sexually explicit, hateful, or harassing content

• Facilitating cyberattacks, creating phishing emails, or generating malicious software

Attempting to bypass the security filters, content moderation protocols, or safety guardrails of any AI tool — commonly known as "jailbreaking" or "prompt injection" — is strictly prohibited.

Manipulating an AI tool to ignore its safety instructions is a violation of this policy.

If you accidentally input restricted data into an AI tool, or suspect an unauthorised bot has recorded a meeting, report it immediately.

Self-reporting accidental errors is encouraged. Early reporting allows rapid remediation and protects the entire team.

To report an issue, open an emergency security ticket or call your IT provider immediately.

Due to the rapid pace of AI advancement, this policy is a living document.

It should be reviewed and updated at least every six months, or upon the release of significant new AI capabilities, to ensure it addresses emerging risks.

Employees should be notified of any major updates. Continued use of company systems after an update constitutes agreement to the new terms.

These guidelines exist to protect employees, clients, and the company's reputation. Mistakes happen, but wilful disregard for these safety measures is a serious issue.

Violations will be investigated. Accidental errors — especially self-reported ones — are typically treated as learning opportunities. Deliberate violations or negligence will be met with appropriate disciplinary action.

Acknowledgment:
All employees should read and confirm they understand this policy. Employees acknowledge that AI technology evolves rapidly and that it is their responsibility to seek clarification from IT or their manager if they are ever unsure about the safety of a specific tool or action.