Part 6 of 10 · 10 min read

AI at Work: What Your Company Policy Should Say

By LumaVista Team

It’s a Wednesday morning and your marketing manager just saved three hours by running a competitive analysis through ChatGPT. She pasted in the internal strategy deck, the quarterly revenue projections, and a list of enterprise clients who haven’t renewed yet. The output was great. The problem? All of that confidential data just left your building and landed on someone else’s servers. Nobody told her not to do it, because nobody wrote a policy that said she should.

This is happening everywhere. Nearly half of U.S. employers have embedded generative AI tools into daily workflows, but only about a third have written formal rules for how those tools should be used. That 14-point gap between adoption and guidance isn’t just an oversight — it’s a ticking liability. And while leadership debates whether to “embrace AI” or “wait and see,” employees are already making decisions every day about what to feed into these systems.


If you manage people, run a business, or just use AI tools at your desk, this article is your practical guide to what a good company AI policy looks like, what “shadow AI” means and why it matters, and how to use AI at work without putting your organization at risk.

The shadow AI problem is bigger than you think

Here’s a term worth knowing: shadow AI. It’s the workplace cousin of “shadow IT” — when employees adopt AI tools on their own without approval, security review, or IT awareness. And it’s rampant.

Think about it from an employee’s perspective. They’ve got a deadline, they know ChatGPT or Claude can help them draft that report in twenty minutes instead of two hours, and nobody has told them they can’t use it. So they do. They paste in the project brief, the client’s requirements, maybe some internal metrics for context. The AI gives them a polished draft. Everybody’s happy — except the security team, who has no idea that proprietary data just traveled through a third-party API.

Research shows that 84% of popular workplace AI applications have experienced at least one security breach, with half of those involving credential theft that gave attackers access to proprietary files and customer records. And companies that suffer AI-related security incidents are paying an average of €4.5 million per breach. That’s not a theoretical risk. That’s real money walking out the door because nobody built a fence around how AI gets used.

The instinct might be to ban AI tools outright. But that almost never works. Employees who find AI genuinely useful will just move their usage underground — personal devices, personal accounts, workarounds that make the visibility problem even worse. The better approach is to bring shadow AI into the light with clear, practical policies that acknowledge the productivity benefits while drawing firm lines around data protection.

[Image: Employee unknowingly sending sensitive work data through an AI tool into the cloud]

What belongs in a company AI policy

A good AI policy doesn’t need to be fifty pages long. It needs to be clear enough that someone in accounting and someone in engineering both understand what they can and can’t do. Here are the essentials.

Which tools are approved. Start with a simple list. Which AI tools has your organization reviewed, vetted, and approved for use? If your company pays for an enterprise ChatGPT license with data protections, say so. If employees shouldn’t be using the free consumer version, say that too. People can’t follow rules they don’t know exist.

What data can go in. This is the single most important section. Employees need to know exactly which categories of information are safe to use with AI tools and which are off-limits. A useful framework: treat AI prompts like emails to an external consultant. Would you email your client list, your salary data, or your product roadmap to a stranger? Then don’t paste it into an AI chatbot either.

At minimum, your policy should prohibit entering personally identifiable information (employee or customer data), trade secrets and proprietary formulas, unpublished financial data, client-confidential materials, and access credentials or internal system details. Some organizations create a simple traffic-light system: green data (publicly available information) can go into any approved tool, yellow data (internal but not sensitive) can go into enterprise-licensed tools with data protections, and red data (confidential, personal, financial) never goes into any AI system.
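As an added illustration (not code from the original article), here is how the traffic-light rule above could be enforced as a pre-submission check in front of an AI tool: a prompt is classified red, yellow or green and only released to a tool tier the policy allows. The detection patterns, the `example-corp.com` and `.internal` names and the `consumer`/`enterprise` tier names are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Red: data the policy says never enters any AI system (credentials, PII, marked confidential).
# These are heuristic patterns constructed for illustration, not an exhaustive DLP rule set.
RED_PATTERNS = {
    "credential": re.compile(r"(?i)(?:api[_-]?key|password|passwd|secret|token)\s*[:=]\s*\S+"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "confidential_marker": re.compile(r"(?i)\b(?:confidential|internal only|do not distribute)\b"),
}
# Yellow: internal but not sensitive. Domain and hostname suffix are assumed for the example.
YELLOW_PATTERNS = {
    "corp_email": re.compile(r"(?i)\b[\w.+-]+@example-corp\.com\b"),
    "internal_host": re.compile(r"(?i)\b[\w-]+\.internal\b"),
}
# Tool tiers (assumed names) that may receive each colour: the free consumer tool only takes
# public data, the enterprise-licensed tool also takes internal data, and nothing takes red.
ALLOWED_TIERS = {"green": {"consumer", "enterprise"}, "yellow": {"enterprise"}, "red": set()}


@dataclass
class Verdict:
    colour: str
    findings: list = field(default_factory=list)

    def allowed_for(self, tool_tier: str) -> bool:
        return tool_tier in ALLOWED_TIERS[self.colour]


def classify_prompt(text: str) -> Verdict:
    """Classify a prompt as red, yellow or green; any red hit outranks yellow hits."""
    red = [name for name, rx in RED_PATTERNS.items() if rx.search(text)]
    if red:
        return Verdict("red", red)
    yellow = [name for name, rx in YELLOW_PATTERNS.items() if rx.search(text)]
    if yellow:
        return Verdict("yellow", yellow)
    return Verdict("green")


def redact_red(text: str) -> str:
    """Replace each red finding with a labelled placeholder so the prompt can be resubmitted."""
    for name, rx in RED_PATTERNS.items():
        text = rx.sub(f"[REDACTED:{name}]", text)
    return text


def gate(text: str, tool_tier: str) -> tuple[bool, Verdict]:
    """Return (allowed, verdict) for sending this prompt to the given tool tier."""
    verdict = classify_prompt(text)
    return verdict.allowed_for(tool_tier), verdict
```

A blocked prompt should be logged with its finding names (never the matched text) so the incident-reporting step below has something to work from.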

Who reviews AI-generated output. As we explored in When AI Gets It Wrong, AI makes things up. Confidently, fluently, and without warning. Any policy needs to address the verification question — who checks AI-generated work before it goes to a client, gets published, or informs a business decision? For high-stakes outputs like legal documents, financial analyses, or customer communications, a human review step isn’t optional.

How to handle AI in client work. If your company does client-facing work, your policy should address whether and how AI tools are used on client deliverables. Many clients have their own AI restrictions. Some contracts explicitly prohibit running client data through third-party AI services. Getting this wrong doesn’t just risk data — it risks relationships.

Incident reporting. What should an employee do if they realize they’ve accidentally shared sensitive data with an AI tool? If the answer is “nothing, because they’re afraid of getting in trouble,” you’ve got a culture problem, not just a policy problem. Make it easy and blame-free to report mistakes so your security team can respond quickly.

What employees should know about AI monitoring

Here’s a topic that makes people uncomfortable on both sides of the desk: AI-powered employee monitoring. And it’s growing fast.

Modern workplace AI platforms can track keystrokes per minute, analyze the sentiment of your Slack messages, measure how much you talk versus listen in video meetings, score your “engagement level” based on mouse movements and app switching, and flag “anomalous” behavior patterns. If that sounds invasive, that’s because it often is.

Some of this monitoring runs quietly in the background of productivity suites that employees assume are just helping them work. The line between “AI assistant” and “AI surveillance” is blurrier than most people realize.

From a legal perspective, this is an evolving landscape. The EU AI Act classifies workplace systems that influence hiring, promotion, or surveillance as “high-risk,” which means they require impact assessments, human oversight, and detailed documentation. The U.S. Department of Labor’s 2025 principles push employers to notify and involve employees whenever AI influences evaluation or scheduling. Regulatory agencies on both sides of the Atlantic are paying attention.

What good companies do: They tell employees exactly what monitoring is in place, why it exists, and what the data is used for. They provide dashboards where employees can see what’s being collected about them. They establish clear limits — monitoring work output is one thing; analyzing the emotional tone of private messages is another. And they give employees genuine channels to raise concerns without retaliation.

What employees should ask: If your company uses AI-powered productivity or monitoring tools, you have every right to know what data is being collected, how it’s analyzed, who sees the results, and how long it’s retained. If your employer can’t or won’t answer those questions clearly, that tells you something important about the organization’s approach to AI governance.

[Image: AI monitoring systems quietly tracking employee behavior across workplace tools]

When AI makes HR decisions, humans need to stay in the loop

One of the most consequential uses of AI at work is also one of the least visible: algorithmic decision-making in human resources. AI systems are now screening resumes, scoring candidates, recommending promotions, flagging performance issues, and even predicting which employees are likely to quit.

The efficiency gains are real. A recruiter drowning in 500 applications for a single position genuinely benefits from AI that can surface the most relevant candidates. But the bias risks are serious and well-documented. Research from the University of Washington found that resume-screening AI models favored names perceived as White 85% of the time and never once preferred Black male-associated names over White male equivalents. That’s not a theoretical concern — it’s a measured outcome from systems companies are deploying right now.


The problem isn’t that AI is inherently biased. It’s that AI amplifies whatever biases exist in the data it was trained on, and it does so at scale. A biased human recruiter might unfairly reject fifty candidates. A biased AI system can unfairly reject fifty thousand before anyone notices the pattern.

This is why human oversight in AI-assisted HR decisions isn’t just good ethics — it’s increasingly the law. GDPR Article 22 gives individuals the right not to be subject to decisions based solely on automated processing. The EU AI Act puts workplace AI systems that influence hiring and promotion into its highest risk category. Several U.S. states and cities have passed or are considering laws requiring bias audits of automated hiring tools.

What organizations should do: Use AI to assist, not decide. Let the algorithm shortlist candidates, but keep humans in the decision loop. Run regular bias audits — not once at deployment, but continuously, because model behavior drifts over time. Document how AI recommendations are generated. And establish a clear appeal process for anyone who believes an AI-influenced decision was unfair.

Professional data boundaries: what’s yours, what’s theirs, and what’s the AI’s

Working with AI tools every day creates a new category of data boundary questions that most professionals haven’t thought through. Here are the ones that matter most.

Your work product and AI. If you use AI to help write a report, who owns the result? In most employment relationships, your employer owns work product created on company time with company resources. But what about the prompts you crafted? The creative direction? These questions are still being settled in courts and contracts. If your employment agreement doesn’t address AI-assisted work, it probably should.

Client data and AI. If you’re a lawyer, accountant, consultant, or anyone who handles client information, the rules are even stricter. Professional ethics codes in most fields require you to protect client confidentiality. Feeding client data into an AI tool — even an enterprise-approved one — may violate those obligations unless the client has explicitly consented. When in doubt, ask. Better to have an awkward conversation than a malpractice claim.


Your personal data at work. The information you share in workplace AI tools doesn’t just belong to you. When you use your company’s AI platform, your prompts, your writing patterns, your questions, and your work habits may all be logged, analyzed, and visible to administrators. Treat every interaction with a workplace AI tool as if your manager could read it — because technically, they probably can.

AI-generated content and accuracy. Here’s a boundary that’s easy to forget: AI doesn’t know the difference between your confidential data and public information. It will happily mix real facts with fabricated details and present everything with the same confidence. If you use AI output in a professional context without verification, you’re putting your professional reputation on the line. The AI won’t face consequences for getting it wrong. You will.

[Image: Balance between AI-driven resume screening at scale and careful human review of candidates]

Building AI governance that actually works

If you’re responsible for setting AI policy at your organization, here’s what separates policies that gather dust from policies that actually shape behavior.

Start with an inventory. You can’t govern what you don’t know about. Map every AI tool currently in use across your organization, including the ones nobody officially approved. This is usually a humbling exercise. Most companies discover they have three to five times more AI tools in active use than they thought.

Make it cross-functional. AI governance can’t live exclusively in IT, legal, or HR. It touches all three, plus operations, compliance, and executive leadership. The organizations that handle this well create cross-functional governance committees with clear responsibilities. The ones that struggle assign it to a single department and wonder why nobody else follows the rules.

Train by role, not by lecture. A forty-five minute all-hands webinar on “AI safety” will be forgotten by Friday. What works better is role-specific training that addresses the actual AI use cases each team encounters. Your sales team needs to know about CRM data and AI. Your engineers need to know about code and IP protection. Your HR team needs to know about bias in hiring tools. Tailor the training to the work.

Monitor and adapt. AI technology changes fast, and your policy needs to keep up. Build in quarterly reviews. Track which tools employees are actually using. Measure incidents — not just breaches, but near-misses and policy questions. The volume of questions your team asks about AI usage is a leading indicator of whether your policy is clear enough.

Measure what matters. Good governance programs track concrete metrics: percentage of AI systems that have completed impact assessments, average time to detect and respond to AI-related incidents, employee confidence scores around workplace AI tools, and reduction in manual processing time without a corresponding rise in errors or complaints.

What to do now

Whether you’re writing company policy or just trying to be smart about your own AI usage at work, here’s your action list.

  1. Audit your own behavior first. Look back at your last week of AI usage. Did you paste anything into a chatbot that you wouldn’t want on the front page of your industry newsletter? If so, adjust.

  2. Ask about your company’s AI policy. If your organization has one, read it. If it doesn’t, raise the issue with your manager or IT department. The fact that you’re asking sends a signal that the organization needs to address this.

  3. Treat AI prompts like external communications. Before you hit send, ask yourself: would I put this in an email to an outside consultant? If not, don’t put it in an AI tool.

  4. Push for transparency on AI monitoring. If your employer uses AI-powered productivity or performance tools, ask what’s being measured and how. You have a right to understand how algorithms influence your work life.

  5. Keep humans in the loop for consequential decisions. Whether you’re hiring, evaluating performance, or making strategic choices, AI should inform your judgment — not replace it. The algorithm can suggest. The human decides.

  6. If you’re a manager, lead by example. Your team watches what you do more than what you say. If you model careful, thoughtful AI usage — checking outputs, respecting data boundaries, asking questions when you’re unsure — your team will follow suit.

  7. Stay current. The regulatory landscape around workplace AI is moving fast. Subscribe to updates from your industry association, your legal team, or a trusted AI governance resource. What’s acceptable today may be regulated tomorrow.

The organizations that will thrive with AI aren’t the ones that adopt fastest or restrict hardest. They’re the ones that build clear, practical frameworks — explored further in AI Governance — that let people use powerful tools responsibly. That starts with a policy that actually says something — and a culture that makes following it the easy choice.