Generative AI Policy Addendum

Overview

Generative AI is already in your organization—whether you've approved it or not. Employees are using ChatGPT for drafting, Copilot for coding, and image generators for content. The question isn't whether to allow GenAI, but how to govern it effectively.

This policy addendum provides the specific guidance employees need for generative AI. Customize the bracketed fields for your organization, get legal review, and deploy to bring GenAI under governance.

What's Inside

1. Purpose & Scope

• Coverage of all generative AI tools: LLMs, chatbots, image generators, code assistants, voice/audio AI
• Application to employees, contractors, third parties
• Relationship to main AI Acceptable Use Policy

2. Approved & Prohibited Tools

• Approved tools table: tool name, approved uses, data restrictions
• Prohibited tools and uses:
  • Consumer/free-tier tools for business (unless approved)
  • Entering customer PII/PHI
  • Uploading confidential documents
  • Sharing proprietary code
  • Creating deepfakes or deceptive content
  • Using GenAI for high-stakes final decisions

3. Data Protection Requirements

• Data classification matrix for GenAI:
  • Public: Any approved tool ✓
  • Internal: Enterprise tools only ⚠
  • Confidential: Not permitted ✗
  • Restricted/PII: Never permitted ✗
• Training data concerns and vendor data protection terms

4. Output Quality & Verification

• Mandatory human review requirement
• Verification responsibilities
• Fact-checking for factual claims
• Code review for generated code
• Legal review for legal content

5. Disclosure Requirements

• When AI use must be disclosed
• Customer-facing content requirements
• Regulatory submission requirements
• Marketing and advertising requirements

6. Intellectual Property

• Ownership of AI-assisted work
• Copyright considerations
• Confidential information protection
• Third-party IP respect

7. Incident Reporting

• What constitutes a GenAI incident
• Reporting procedures
• Examples: data exposure, harmful output, copyright claims

8. Policy Compliance

• Acknowledgment requirement
• Violation consequences
• Questions and guidance contacts

Who This Is For

• AI Governance Teams developing GenAI policies
• HR/Legal implementing employee guidelines
• Compliance Officers managing GenAI risks
• IT governing approved tools
• All Employees understanding GenAI expectations

Why This Resource

GenAI moves too fast for policies that take months to develop. This addendum provides a ready-to-customize framework—fill in the bracketed fields, customize for your approved tools and data classification, get legal review, and deploy. You can have GenAI governance in place within days.

The focus on practical guidance (approved tools, data classification, verification requirements) makes the policy actionable for employees.

FAQ

Q: Should GenAI be a separate policy or addendum?

A: Addendum to your existing AI Acceptable Use Policy is typically faster to implement and easier to update as GenAI evolves. A separate policy works if your main policy doesn't exist or needs major revision.

Q: How do we determine which tools to approve?

A: Evaluate data handling practices (does the vendor train on your data?), security certifications, enterprise features (audit logs, admin controls), and contract terms. The approved tools table lets you specify restrictions for each approved tool.

Q: What about personal GenAI use on company devices?

A: The policy should clarify whether personal use is permitted on company devices/networks. Many organizations prohibit it to prevent inadvertent business data exposure.