80% of employees at small and mid-sized companies who use AI at work are doing it with their own personal tools, outside any company sanction. The figure comes from Microsoft’s 2024 Work Trend Index, a survey of 31,000 knowledge workers across 31 countries. The same study found that 52% of AI users globally are reluctant to admit using the tools for their most important work. If your firm has more than ten people in it, most likely someone pasted client work into ChatGPT this week.
Most firms know this is happening, yet only a few have written down rules for it. The reason we hear most often from managing partners and COOs around the DMV is either that AI is moving too fast to commit to a policy that won’t be out of date in six months, or that IT is waiting for someone to say what’s approved. The result is silence, and the silence gets filled by whoever is closest to the work.
But imagine a team member has a deposition summary due in two hours, opens ChatGPT, pastes in the file, gets a clean draft back, and moves on with their day. What no one notices is that the prompt and the upload are now sitting on a third party’s server, possibly being used to train future versions of the model. Repeat that across thirty employees and multiple deadlines.
What works is giving people a sanctioned way to do what they’re already doing.
What an AI Acceptable Use Policy needs to cover
A good policy is short, specific, and written for the people who’ll read it. At a minimum, it covers six things.
Approved tools
A named list of what the firm has licensed and vetted: Microsoft 365 Copilot, ChatGPT Team or Enterprise, and sector-specific platforms like Harvey or CoCounsel. Anything off the list needs sign-off before use.
Data handling
Plain rules about what can and cannot go into a prompt, the same data discipline you’d apply to any other vendor. Public information, internal templates, and generic research are fine. Client matter content, protected health information, and anything covered by attorney-client privilege are prohibited unless the tool is on the approved list and the data processing agreement allows it.
Prohibited uses
AI doesn’t give legal advice, sign off on a tax return, or make hiring, firing, or client termination decisions without a human in the loop. This section protects the firm from the things AI is not yet trustworthy to do alone.
An approval path
How does someone get a new tool reviewed? Name the owner, usually a vCIO or operations lead. Name the form and the turnaround time. If the path takes three weeks, people will skip it.
Training
Article 4 of the EU AI Act, in force since February 2025, requires any organization that builds or uses AI systems in the EU to ensure staff have a sufficient level of AI literacy. U.S. regulators are heading in a similar direction.
Disclosure
If AI is used on client work, when do you disclose it? Some clients have started asking. Better to have a position than to work it out under pressure later.
Rolling it out without stifling the work
Writing the policy is the easy part. Getting people to follow it is where firms struggle.
Three things matter more than the document itself.
The first is making the approved tool the path of least resistance. Whatever you sanction has to be the easy choice. If logging into Copilot takes more steps than opening ChatGPT in a browser tab, you’ve already lost.
The second is treating training as part of onboarding rather than a one-time email. A sixty-minute working session per team, with real examples from the actual workflow, beats a thirty-page PDF every time.
The third is reviewing the policy on a fixed cadence. Twice a year is reasonable. AI tools shift faster than any other category of software a firm uses, and a policy that hasn’t been touched in twelve months has usually drifted out of date without anyone noticing. Put the review on the IT strategy calendar, not the to-do list.
The mistakes we see most often
Two stand out.
The first is writing a policy and never using it again. AI is one of the few areas where a six-month-old document is genuinely out of date.
The second is the blanket ban. Cisco’s 2024 Data Privacy Benchmark Study found that 48% of organizations admit non-public company information has been entered into GenAI tools, even though 27% had banned the tools outright and 61% had limits on which ones employees could use. A ban doesn’t stop AI use; it stops you from seeing it. Whatever risk you thought you were managing now happens on personal phones and personal accounts, with no logs and no recourse.
The right answer sits between blanket acceptance and blanket rejection: managed adoption rather than either extreme. NIST’s AI Risk Management Framework, the U.S. government’s reference for managing AI risk, is built on four functions: govern, map, measure, manage.
Where to start
If your policy doesn’t exist yet, getting one in place is easier than it sounds.
Start with an audit. Find out what’s being used right now, rather than what’s been approved. Then pick the approved tool and get it deployed before anything else. The policy is much easier to enforce when the sanctioned option is already on people’s machines and working. Most of the firms we work with land on Microsoft 365 Copilot for this stage, because the data stays inside the tenant they already pay for, but the right answer depends on the work.
The audit tells you what to cover. The deployed tool gives the policy something concrete to point at.
Where this leaves you
Good governance starts with a foundation that lets people work faster and more safely than they did yesterday. The restrictions come second. An AI policy is one of those foundations. Without it, the climb gets harder and shakier every quarter.
If you’re staring at a blank document and not sure where to begin, that’s the conversation we have most often. Talk to BASE Solutions today about building an AI policy that fits your business.