Why Your AI Acceptable Use Policy Probably Isn't Working
Most organizations rolled out an AI acceptable use policy sometime in the last 18 months. Most of them aren't working, and the reason isn't what people think.
It's not that employees haven't read the policy. It's that the policy lives in a place the employee will never visit at the moment they actually need it.
Consider a typical Tuesday afternoon. A product manager is preparing for a board update. She has three weeks of customer feedback in a spreadsheet, including names, emails, and a few unflattering quotes about a competitor. She pastes the whole thing into ChatGPT and asks for themes. The response is exactly what she needed. She gets back to her day.
Somewhere in the company's internal wiki, there is a policy that says she shouldn't have done that. She knows it exists. She might have even completed the training. But the policy didn't reach her at the keyboard, at 2:47pm, with a deadline in 90 minutes.
The gap nobody budgets for
This is the gap that most AI governance programs underestimate. Policies are written for moments of reflection. AI usage happens in moments of urgency. The two rarely intersect.
A few patterns we see again and again:
- The policy is too broad to be actionable. "Do not share confidential information with AI tools" sounds clear in a meeting. At the keyboard, it asks the employee to mentally classify every document, snippet, and conversation in real time. Most people don't, and those who try often get it wrong.
- The policy assumes employees know what counts as risky. The line between a customer's first name and a customer's full PII record looks obvious in a training deck. Inside a product spec or a support transcript, it's a judgment call, and judgment calls go fast under deadline pressure.
- The policy treats AI like a single tool. It isn't. It's now embedded in browsers, IDEs, note-taking apps, CRMs, and a growing list of SaaS products that quietly added an "AI assistant" feature last quarter. A policy that names ChatGPT and Gemini by hand misses most of the actual surface area.
The control has to move to where the risk lives
The fix isn't another policy refresh. It's recognizing that risk has moved from the boundary of the network to the moment of the prompt, and that the controls have to follow it there.
The most effective programs we've seen pair their policy with something that intervenes at the keystroke level: a check that runs locally, before the prompt leaves the device, and gives the employee a quick chance to redact, anonymize, or reconsider. Not a block. Not a lecture. A small, well-timed nudge that turns the policy into something the employee can actually act on.
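As an added illustration of what such a keystroke-level check can look like (this is example code written for this post, not code from the article or from any product it alludes to), the Python below scans a draft prompt on the device, replaces each identifier it finds with a stable placeholder, and keeps the placeholder-to-original mapping locally so the model's answer can be re-identified after it comes back. The identifier classes, the customer list, and the sample spreadsheet text are all constructed assumptions; a real deployment would tune its own detectors and present the redacted version to the employee as a suggestion rather than apply it silently.

```python
"""Local pre-prompt check: flag and pseudonymize identifiers before text leaves the device."""
import re
from dataclasses import dataclass, field

# Narrow, conservative patterns for two identifier classes. Assumption: these
# are the classes this organisation cares about; a real deployment tunes its own.
PATTERNS = {
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "PHONE": re.compile(r"\(?\b\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
}


@dataclass
class Finding:
    kind: str    # EMAIL, PHONE or NAME
    value: str   # the matched text
    start: int
    end: int


@dataclass
class CheckResult:
    redacted: str                                 # text safe to paste into the assistant
    findings: list = field(default_factory=list)  # what was found, earliest first
    mapping: dict = field(default_factory=dict)   # placeholder -> original, never leaves the device

    @property
    def clean(self):
        """True when nothing was flagged and the prompt can go out as typed."""
        return not self.findings


def find_identifiers(text, known_names=()):
    """Return non-overlapping findings from the regex classes plus a known-name list."""
    found = []
    for kind, pat in PATTERNS.items():
        for m in pat.finditer(text):
            found.append(Finding(kind, m.group(0), m.start(), m.end()))
    # Exact, word-bounded matches against the organisation's own customer list
    # (constructed here) catch names that no generic pattern would.
    for name in known_names:
        for m in re.finditer(r"\b" + re.escape(name) + r"\b", text):
            found.append(Finding("NAME", m.group(0), m.start(), m.end()))
    # Sort by position and drop any match that overlaps an earlier one.
    found.sort(key=lambda f: (f.start, -f.end))
    kept, last_end = [], -1
    for f in found:
        if f.start >= last_end:
            kept.append(f)
            last_end = f.end
    return kept


def check_prompt(text, known_names=()):
    """Replace each identifier with a stable placeholder such as [EMAIL_1].

    The same value always maps to the same placeholder, so the model can still
    reason about "the same customer" without ever seeing who that customer is.
    """
    findings = find_identifiers(text, known_names)
    placeholder_for, mapping, counters = {}, {}, {}
    out, cursor = [], 0
    for f in findings:
        if f.value not in placeholder_for:
            counters[f.kind] = counters.get(f.kind, 0) + 1
            ph = f"[{f.kind}_{counters[f.kind]}]"
            placeholder_for[f.value] = ph
            mapping[ph] = f.value
        out.append(text[cursor:f.start])
        out.append(placeholder_for[f.value])
        cursor = f.end
    out.append(text[cursor:])
    return CheckResult("".join(out), findings, mapping)


def reidentify(model_output, mapping):
    """Restore the originals in the model's reply, locally, after it comes back."""
    for ph, original in mapping.items():
        model_output = model_output.replace(ph, original)
    return model_output


# Constructed sample: a slice of the feedback spreadsheet from the article's scenario.
SAMPLE = (
    "Jane Doe (jane.doe@example.com, 555-123-4567) said the export is slow. "
    "Jane Doe also asked about pricing. Omar Haddad (omar@example.org) liked onboarding."
)
CUSTOMERS = ["Jane Doe", "Omar Haddad"]

if __name__ == "__main__":
    result = check_prompt(SAMPLE, CUSTOMERS)
    if result.clean:
        print("Nothing flagged; prompt can be sent as typed.")
    else:
        print(f"{len(result.findings)} identifiers found. Suggested prompt:")
        print(result.redacted)
```

The point of the design is the round trip: the employee still gets the themes she needed, the assistant only ever sees `[NAME_1]` and `[EMAIL_1]`, and the mapping that turns them back into people stays on her machine.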
That's the part most governance programs are still missing. The policy is fine. The training is fine. What's missing is presence: being there, in the moment, when the decision is actually made.