Most company AI policies read like they were written by a committee that had never actually used AI. Two pages of "employees must use AI responsibly" followed by zero examples of what responsible means. Nobody reads them. Nobody follows them. And then someone pastes a client contract into ChatGPT and HR has to send an all-hands email.

You can use AI to write a better policy. That's not ironic. It's practical. But the prompts matter, and the judgment still has to come from you.

These AI policy prompts are designed for HR managers, operations leads, legal-adjacent people, and anyone who got voluntold to "handle the AI thing" at work. The goal is a policy people actually understand, an approved-tools list that makes sense, and rules that don't require a law degree to interpret. No fabricated statistics. No fake compliance claims. Just prompts that get you 80% of the way there, so you can spend your energy on the 20% that actually requires a human brain.

Before you start: Don't paste confidential customer data, employee records, legal issues, unreleased strategy, proprietary datasets, or security incidents into any AI tool. Use anonymized, fictional examples. Verify final policy language with your legal, security, and HR teams. AI should draft. Humans should decide.


Why AI policy prompts work better than starting from scratch

Writing policy is the kind of work that looks easy and isn't. You stare at a blank document, type "Employees shall..." and immediately realize you have no idea what you're actually trying to say. AI is useful here not because it has better judgment than you, but because it can generate a usable first draft fast, and a draft is infinitely easier to edit than nothing.

The catch: AI will produce confident, professional-sounding text regardless of whether it's correct. It will invent compliance requirements. It will add legal-ish phrases that sound authoritative and mean nothing. It will make tradeoffs without telling you it's making them. Rule #5 in Don't Replace Me covers this exactly: AI isn't smart. It's fast. Someone still has to make the real calls about risk, trust, and what your company actually does.

So treat these prompts as a way to skip the blank-page problem. Not a way to skip the thinking.


The reusable formula for every AI policy prompt

Before the 10 prompts, here's the pattern that makes each one work:

[Role] + [Context] + [Specific output] + [Constraints]

Example: "You are an HR policy writer for a 200-person B2B software company. We're writing an internal AI use policy for our customer support team. Draft a one-paragraph rule about when employees must get manager approval before using AI on a customer-facing task. Keep it under 150 words. Write in plain English, no jargon."

Role gives the AI a useful frame. Context stops it from generating generic boilerplate. Specific output gets you something usable immediately. Constraints prevent it from writing a dissertation.

Every prompt below follows this formula. Adjust the company size, industry, and team to match your situation.


AI policy prompts: the 10 templates

Prompt 1: Map your current AI use

Before you write rules, find out what's actually happening. Most companies are already using more AI tools than they think.

You are an internal comms writer helping a [company size] [industry] company 
understand its current AI usage. Write a 10-question anonymous survey for employees 
that covers: which AI tools they're currently using for work, what tasks they use AI 
for, whether they've shared any work data with external AI tools, and whether they 
have concerns about AI at work. Keep questions specific and non-judgmental. Include 
one open-text question at the end.

Run this survey before you write anything else. You need the data. If you skip this step and write policy based on assumptions, you'll write rules for problems you don't have and miss the ones you do.


Prompt 2: Define allowed and banned data categories

This is the most important policy section and the one most companies get vague. "Don't share sensitive data" is not a policy. "Don't paste anything from these five categories into any external AI tool" is.

You are a data governance writer for a [company size] [industry] company. We need 
a clear internal policy section that defines what data employees MAY and MAY NOT 
share with external AI tools (like ChatGPT or Claude). Use a two-column table: 
"Allowed" and "Not Allowed." Examples of not allowed: customer names and contact 
info, financial records, employee personal data, unreleased product details, legal 
correspondence, credentials, and anything marked confidential. Examples of allowed: 
publicly available information, general questions, anonymized fictional scenarios, 
draft text that contains no proprietary details. Keep language plain.

Your legal and security teams will want to review and expand this list. That's expected. The draft just needs to be specific enough that employees can tell the difference without calling HR.


Prompt 3: Write your approved tools list

A policy with no approved tools is a policy that nobody can act on. People will use whatever they found themselves, which is usually fine, until it isn't.

You are an IT policy writer for a [company size] [industry] company. Draft a 
one-page "Approved AI Tools" section for our internal AI policy. Include: a list 
of currently approved tools (leave placeholders: [Tool 1], [Tool 2]), what each 
tool is approved for, which team manages the account, and how employees can request 
a new tool be reviewed for approval. Add a sentence making clear that unapproved 
tools should not be used for work tasks involving company or customer data.

Blanks and placeholders are fine. You're building a template your actual team fills in. The structure matters more than the content at this stage.


Prompt 4: Write your disclosure rules

If someone on your team uses AI to write a client deliverable, does the client need to know? Does your manager? These questions don't have one right answer, but your policy needs to pick one. If you're wondering about the personal side of this question, the piece on whether you should tell your boss you use AI covers the workplace politics in more detail.

You are an HR policy writer for a [company size] [industry] company. Draft a 
policy section on AI disclosure. Cover three scenarios: (1) internal documents 
only seen by employees, (2) client-facing work products, (3) public communications 
like social media or press releases. For each, specify whether AI use must be 
disclosed, to whom, and how. Keep it under 200 words. Write plainly. Don't invent 
legal requirements.

Prompt 5: Set human review requirements

This is where a lot of policies fall apart. They say "AI output must be reviewed by a human" without saying what that review involves. Read it? Fact-check it? Have a manager sign off? That ambiguity is where errors and liability slip through.

You are a quality and compliance writer for a [company size] [industry] company. 
Draft a policy section defining "human review" requirements for AI-generated content. 
Specify: what types of AI output require review before use, what a review must 
include (at minimum: accuracy check, tone check, data privacy check), who is 
qualified to review in different contexts, and what employees should do if they 
spot an error in AI output they've already sent. Keep it practical and under 
250 words.

Prompt 6: Write role-specific examples

Generic policy language fails because people can't picture themselves in it. Role-specific examples fix that. A customer support agent and a financial analyst have completely different AI use cases. Treat them differently.

You are a training content writer for a [company size] [industry] company. Write 
three brief "scenario examples" for our AI policy: one for a customer support 
role, one for a finance or operations role, and one for a marketing or 
communications role. Each scenario should show a realistic work task, describe 
how the employee could appropriately use AI for it, and flag what they should 
NOT do in that scenario (e.g., don't paste customer account data, don't let AI 
generate a financial figure without verification). Keep each scenario to 
75-100 words. Use fictional names.

Prompt 7: Write a manager review checklist

Policies don't enforce themselves. Managers need to know what they're looking for. This prompt generates a practical checklist they can actually use in team reviews or 1:1s.

You are an HR and operations writer for a [company size] [industry] company. 
Create a one-page manager checklist for reviewing AI use on their team. Include: 
whether team members know which tools are approved, whether anyone has shared 
restricted data with AI tools (ask, don't assume), whether AI outputs are being 
reviewed before use, whether any AI-related mistakes have occurred and been 
reported, and whether team members have questions about the policy. Format as a 
simple checklist with space for notes.

For a broader look, the guide on how to actually start using AI at work without the hype covers the practical side managers often overlook.


Prompt 8: Draft a lightweight employee FAQ

Nobody reads the full policy. They read the FAQ. Write a good one.

You are an internal comms writer for a [company size] [industry] company. Write 
a 6-question FAQ for employees about our new AI use policy. Questions should 
include: Can I use AI for my regular work tasks? What data can I share with AI 
tools? What tools are approved? Do I have to tell anyone if I use AI on something? 
What do I do if I make a mistake using AI? Where do I go with questions? Write 
answers in plain English, under 75 words each. Don't invent legal answers.

Prompt 9: Create an incident response plan for accidental data sharing

Someone will eventually paste something they shouldn't have. You need a plan for that before it happens, not after.

You are a security and HR policy writer for a [company size] [industry] company. 
Draft a short incident response plan for the scenario where an employee accidentally 
shares restricted data with an external AI tool. Include: what the employee should 
do immediately (stop, don't share further, report), who to report to and how, what 
information to capture when reporting, how the company will respond, and whether 
the incident will affect the employee's standing (frame this as non-punitive to 
encourage reporting). Keep the whole plan under 300 words. Note that legal 
implications should be reviewed by counsel.

Prompt 10: Turn the policy into a one-page rollout memo

You've got a policy. Now you need people to actually read it. A one-page memo that explains why the policy exists, what's new, and what employees need to do by when is more likely to get read than a 12-page PDF attachment. Pair this with the 12 AI work prompt templates if you want practical follow-on resources for employees.

You are an internal comms writer for a [company size] [industry] company. Write 
a one-page email memo announcing our new AI use policy to all employees. Include: 
a brief explanation of why we're putting this policy in place (not alarming, 
practical), two or three key things employees need to know immediately, a link 
to the full policy (placeholder: [LINK]), who to contact with questions, and the 
date by which employees should confirm they've read the policy. Keep the tone 
direct and non-threatening. Under 300 words.


What AI can't do for your policy

AI is good at first drafts. It's bad at making real tradeoffs.

It doesn't know your industry's regulatory environment. It doesn't know which clients you've made confidentiality commitments to. It doesn't know that your IT team has a specific reason for blocking a certain tool, or that your legal counsel has opinions about what "approved" actually means for liability purposes.

Every section of your AI policy still needs a human sign-off from whoever owns that domain: legal for liability language, security for tool approvals and data categories, HR for employment implications, and leadership for anything that touches client relationships. The prompts above are a way to do the drafting work faster and more coherently. They're not a way to skip the organizational thinking. That part is yours.

If you want to understand what AI can and can't actually do before you write rules about it, the explainer on that topic is worth 5 minutes of your time before you start.


Frequently asked questions

Can I use AI to write my company's AI policy?

Yes, with supervision. AI can produce solid draft policy sections quickly, but it will sometimes invent compliance requirements or make tradeoffs without flagging them. Use AI for the drafting, then have legal, HR, and security review the output before anything gets published.

What data should employees never paste into ChatGPT or Claude at work?

At minimum: customer names and contact data, employee personal records, financial details, unreleased product or strategy information, legal correspondence, security incidents, credentials, and anything marked confidential or regulated. Use anonymized fictional examples instead when prompting AI for work tasks.

How specific does an AI policy need to be?

Specific enough that an employee can tell, without calling HR, whether a task they're doing right now is allowed. "Use AI responsibly" is not a policy. "Don't paste customer data into external AI tools; use approved tools listed here for these specific tasks" is a policy.

Do I need a lawyer to write an AI workplace policy?

You don't need a lawyer to draft one, but you should have legal counsel review the final version, especially sections covering data handling, employee obligations, and incident response. AI-generated policy language can sound legally plausible while being incorrect for your jurisdiction or industry.

What's the most common mistake in company AI policies?

Being vague about data. Policies that say "don't share sensitive information" without defining what sensitive means, where the line is, or what happens if someone crosses it, don't change behavior. The approved/not-approved data table in Prompt 2 above is usually the most useful thing a policy can include.

How do I get employees to actually read and follow the AI policy?

Keep it short, write a plain-English FAQ, use role-specific examples they can see themselves in, and announce it with a clear memo rather than burying it in a policy wiki. Prompt 10 handles the memo. The FAQ and examples are Prompts 8 and 6. None of this is complicated. It's just easier to skip.