Compliance · 7 min read

How to write an AI usage policy for your team

An AI usage policy defines what your teams can hand to ChatGPT, Claude or Gemini — and what must never leave. The 6 essential sections.

By Alexis de ONYRI

An AI usage policy is a short document that tells your teams which AI tools are approved, what data may be pasted into them, and what must never leave. Without one, everyone improvises — and it's often a client name, a salary or an API key that ends up in a prompt. A good policy fits on two pages: scope, forbidden data, approved tools, and the reflex of anonymizing before anything is sent.

Why an AI usage policy is no longer optional

Your teams already use generative AI, with or without your blessing. Without a framework, that usage becomes “shadow AI”: unvetted tools fed with data nobody tracks. The risk isn't theoretical — it materializes at the exact moment of copy-paste.

  • Personal data (clients, employees) leaking to a third-party service with no data-processing agreement.
  • Technical secrets exposed: API keys, credentials, internal URLs pasted into a debugging prompt.
  • Possible reuse of prompts for training, depending on the tool and its settings.
  • GDPR non-compliance: no legal basis, no minimization, no notice to the people concerned.
[Figure: diagram of an AI usage policy, a document listing approved rules, connected to a governance shield.]
An effective policy fits on two pages and ends with one reflex: anonymize before you send.

The 6 sections of an AI usage policy

  1. Scope and purpose: who is covered, and which uses of AI are encouraged (writing, summarizing, code).
  2. Approved tools: the list of vetted assistants and, if needed, their allowed level by task type.
  3. Forbidden data: the explicit list of what must never be pasted (see the callout).
  4. Anonymization rule: the obligation to mask sensitive data before any send to an external model.
  5. Human review: an AI answer is a proposal, not a decision; review is mandatory.
  6. Ownership and contact: who owns the policy, who answers questions, how to report an incident.

The rule that makes all the difference: anonymize before you send

Banning sensitive data isn't enough if you don't provide a way to remove it. The reflex to tool up is anonymization: an engine detects identifying elements, replaces them with reversible tokens, then restores the AI's answer in the browser. The assistant reasons over structurally identical content, stripped of any sensitive data.

  • Make anonymization automatic rather than optional: a forgotten reflex isn't a rule.
  • Keep the token ↔ value mapping local: the original values should never have to leave the user's machine in order to be protected.
  • Prefer positive framing: AI is encouraged, provided you anonymize first.
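To make the mechanism described above concrete, here is an added example of a reversible tokenizer in Python. It is not ONYRI Sanitize's code and does not reproduce its detection engine: the regular expressions, the known-name list, the sample prompt and the sample model answer are all constructed for this illustration. It shows the three steps the text names (detect, replace with reversible tokens, restore the answer), keeps the token-to-value mapping in local memory only, gives the same value the same token every time it appears, and adds the pre-send check a practitioner would want: nothing a detector still recognizes may remain in the text that goes out.

```python
import re
from dataclasses import dataclass, field

# Constructed detectors for this example. A production engine needs broader
# pattern sets and, for person and company names, a dictionary or NER model.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    # Prefix-based secret detection (constructed prefixes: sk-, AKIA, ghp_).
    "APIKEY": re.compile(r"\b(?:sk-|AKIA|ghp_)[A-Za-z0-9_-]{16,}\b"),
    # 9 to 15 digits with optional separators; short numbers (invoice ids,
    # dates like 2024-01-15) do not reach the threshold and are left alone.
    "PHONE": re.compile(r"\+?\d(?:[ .-]?\d){8,14}"),
}


@dataclass
class Anonymizer:
    """Replaces sensitive values with reversible tokens; the mapping never leaves this object."""
    known_names: list                              # e.g. client names from a local CRM export
    mapping: dict = field(default_factory=dict)    # token  -> original value (kept local)
    reverse: dict = field(default_factory=dict)    # value  -> token (consistent tokens)
    counters: dict = field(default_factory=dict)   # kind   -> next sequence number

    def _token(self, kind, value):
        # Same value -> same token, so the model sees a consistent placeholder.
        if value in self.reverse:
            return self.reverse[value]
        n = self.counters.get(kind, 0) + 1
        self.counters[kind] = n
        tok = f"[{kind}_{n}]"
        self.mapping[tok] = value
        self.reverse[value] = tok
        return tok

    def mask(self, text):
        """Step 1 and 2: detect identifying elements and swap them for tokens."""
        # Known names first, longest first, so "Acme Logistics France" is not
        # partially masked by "Acme Logistics".
        for name in sorted(self.known_names, key=len, reverse=True):
            if name in text:
                text = text.replace(name, self._token("NAME", name))
        for kind, rx in PATTERNS.items():
            text = rx.sub(lambda m, k=kind: self._token(k, m.group(0)), text)
        return text

    def restore(self, text):
        """Step 3: put the original values back into the model's answer, locally."""
        for tok, val in sorted(self.mapping.items(), key=lambda kv: -len(kv[0])):
            text = text.replace(tok, val)
        return text


def leaks(masked, known_names):
    """Pre-send check: anything a detector still matches in the masked text."""
    found = [n for n in known_names if n in masked]
    for rx in PATTERNS.values():
        found.extend(m.group(0) for m in rx.finditer(masked))
    return found


# Constructed sample prompt: the kind of copy-paste the policy is about.
PROMPT = (
    "Draft a polite reminder to Acme Logistics about invoice 4471. "
    "Contact: marie.dupont@acme-logistics.example, +33 6 12 34 56 78. "
    "Debug: the webhook fails with key sk-live-A1b2C3d4E5f6G7h8I9j0 for Acme Logistics."
)

# Constructed stand-in for the assistant's reply; it reuses the tokens it was given.
MODEL_ANSWER = (
    "Dear [NAME_1] team, this is a friendly reminder that invoice 4471 is "
    "outstanding. Please reply to [EMAIL_1] or call [PHONE_1]."
)


def demo():
    """Runs mask -> pre-send check -> (model) -> restore and returns the two texts."""
    anon = Anonymizer(known_names=["Acme Logistics", "Marie Dupont"])
    masked = anon.mask(PROMPT)
    if leaks(masked, anon.known_names):          # refuse to send if anything slipped through
        raise ValueError("sensitive data still present after masking")
    restored = anon.restore(MODEL_ANSWER)        # what the user actually reads
    return masked, restored


if __name__ == "__main__":
    masked, restored = demo()
    print("SENT TO MODEL :", masked)
    print("SHOWN TO USER :", restored)
```

Two design choices matter here. Secrets are masked before phone numbers so that digit runs inside a key are never mis-tagged, and `leaks()` runs on the exact string that would leave the browser, which turns "anonymize before you send" from a reflex into a gate.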

Common mistakes to avoid

  • A fifteen-page policy nobody reads: aim for two pages, one list, one reflex.
  • Banning AI outright: a ban drives shadow AI, not compliance.
  • Forgetting to name an owner: with no owner, the policy is never updated.
  • Writing the rule without providing the tool that makes it workable day to day.

ONYRI Sanitize is the building block that makes your policy workable: it detects and masks sensitive data, from the client name to the API key, before the send to ChatGPT, Claude or Gemini, then restores the answer in the browser. Your teams keep AI's productivity without turning a prompt into a leak.

Frequently asked questions

Should I ban ChatGPT at work?
No. An outright ban pushes your teams toward untracked tools (“shadow AI”) and forfeits the productivity gains. It's better to frame it: vetted tools, a list of forbidden data, and anonymization of sensitive data before anything is sent.
Is an AI usage policy enough to be GDPR-compliant?
It's a necessary but not sufficient piece. It must sit within your data governance (legal basis, minimization, notice to individuals, processing agreements). The policy frames usage; anonymizing before sending concretely limits the data that leaves the company.
Who should write the AI usage policy?
Ideally several hands: leadership (the direction), security or the DPO (the framework), and line managers (ground-level realism). A single named owner keeps it updated as tools evolve.

