Artificial Intelligence Acceptable Use Policy

1. Overview

{Company Name} is committed to providing a safe and secure environment for all its employees, partners and customers including the responsible use of Artificial Intelligence in our business practices.  This Artificial Intelligence Use Policy does not impose restrictions contrary to {Company Name}’s established culture of openness, trust and integrity. {Company Name} is committed to protecting our employees, partners, and clients from illegal or damaging actions by individuals, either knowingly or unknowingly.

Artificial Intelligence (AI) is rapidly transforming our world and business systems used in serving the interests of {Company Name}, and our clients.  The term Artificial Intelligence in this policy refers to various kinds of automated or semi-automated computer generated processing capabilities that a business might decide to use or that a software manufacturer might decide to embed in its product. In this Policy we use the term Artificial Intelligence to include several appropriate terms such as Generative Artificial Intelligence, Machine Learning, Large Language Models, and General Artificial Intelligence, the respective definitions for which appear below in Section 7.  

Effective security is a team effort involving the participation and support of all employees, contractors, consultants, temporary and other workers at {Company Name} and its subsidiaries who deal with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

2. Purpose

The purpose of this policy is to outline the acceptable use of Artificial Intelligence at {Company Name}. These rules are in place to prevent any employee and {Company Name} from essentially giving away Protected Information, such as trade secrets, financial information, and intellectual property. This Protected Information can be easily compromised and stolen, because all information gets ingested into an Artificial Intelligence model that can then reproduce the Protected Information on demand.

Furthermore, inappropriate use of Artificial Intelligence exposes {Company Name} to risks including compromise of network systems and services, privacy, and legal issues.

The use of Artificial Intelligence software does not guarantee accurate results, and a business must diligently review and approve when and how Artificial Intelligence technology is allowed to be used.

3. Scope

This policy applies to the use of all forms of Artificial Intelligence to conduct {Company Name} business or to interact with business systems, whether owned or leased by {Company Name} any employee, or a third party. All employees, contractors, consultants, temporary and other workers at {Company Name} and its subsidiaries are responsible for adhering to the guidelines of this Artificial Intelligence Acceptable Use Policy and exercising good judgment regarding appropriate use of Artificial Intelligence in accordance with {Company Name} policies and standards, and local laws and regulations. Exceptions to this policy are documented in section 5.2.

This policy applies to employees, contractors, consultants, temporary and other workers at {Company Name}, including all personnel affiliated with third parties. This Artificial Intelligence Acceptable Use Policy applies to all equipment that is owned or leased by {Company Name}.

4. Policy

4.1 General Policy Statement

4.1.1 The use of {Company Name}’s electronic systems, including all forms of Artificial Intelligence, is for company business and for authorized purposes only.

4.1.2 The use of Artificial Intelligence within previously approved software applications in the Authorized Applications List is allowed when the Artificial Intelligence capability has been embedded in the software by the manufacturer.

4.1.3 The use of third-party Artificial Intelligence applications or plug-in’s require the same approval process required by any other software installation & use as outlined in the Software Installation Policy and Software Usage Policy.  This approval process includes but is not limited to: approval to purchase licenses, justification for business use, and listing authorized users.

4.1.4 The approved uses of Artificial Intelligence will be in accordance with all other security policies including all provisions of the:

Internet, Email, And Computer Use Policy, including, but not limited to:  

• no inappropriate conduct;
• no unlawful or malicious activities;
• no violation of the laws and regulations of the United States or any other nation or any state, city, province, or other local jurisdiction in any way;
• no expectation of privacy;
• compliance with the license agreements for the software;
• individual employee liability for any and all damages incurred as a result of violating company security policy, copyright, and licensing agreements;
• employees' conduct provisions, including but not limited to: intellectual property, confidentiality, company information dissemination, standards of conduct, misuse of company resources, and information and data security.

Acceptable Encryption Policy:

• the use of encryption to set standards, and encryption for storage of data and its transmission;

Electronic Data Protection Policy:

• use of authorized data storage locations;
• the prevention of unauthorized access, distribution, or data exfiltration;
• external and removable media devices;

Social Media Policy:

• Governing the actions of individuals authorized to post content for {Company Name} on social media;

4.1.5 When the authorized use of Artificial Intelligence produces results such as business content, graphics & images, and data analysis, those results remain the property of {Company Name} as outlined in section 4.4.2 of Internet, Email, And Computer Use Policy.  

4.1.6 In order to ensure compliance with the section entitled Data Loss Prevention in the Electronic Data Protection Policy and to prevent the unauthorized transfer of Protected Information into Artificial Intelligence public databases, no Protected Information is to be used in publicly accessible Artificial Intelligence interfaces or databases without review and authorization from {Company Name}’s Information Security Team.

4.1.7 Access to any account enabling use of Artificial Intelligence software must comply with all provisions of the:  

Password Policy:

• separate, unique password, no shared use of password or accounts, and mandatory Multi-Factor Authentication

Password Manager Policy:

• passwords used in company systems must be created and stored in {Company Name}’s approved Password Manager software;

Password Construction Guidelines:

• passwords must be properly constructed according to the guidelines to create secure passwords;

4.1.8 Artificial Intelligence use must be disclosed to clients when such use includes “automated processing” or “facilitated decision making” using clients’ personally identifiable information (PII).  {Company Name} must include Disclosures in the privacy policies of the Website Policy Plan -- the data being collected, the use of third-party software for automation, the third-party analytics, and the reporting through data collection -- and must inform clients that content is being processed using Artificial Intelligence or that automated decision-making is being used.

{Company Name} must grant clients the right to opt out of automated decision-making.

4.1.9 {Company Name} must assign personnel to review Artificial Intelligence use within the company to ensure compliance with legal and ethical obligations.

4.1.10 {Company Name} must oversee Artificial Intelligence use in the company by implementing internal policies and procedures and providing training to employees.

4.1.11 {Company Name} must conduct a Data Privacy Impact Assessment to document the extent to which a company’s processing of Protected Information presents a “heightened risk of harm to a consumer.” These Data Privacy Impact Assessments are not currently intended to be made public; rather they must be made available to each state’s applicable regulator upon request.

5. Policy Compliance

5.1 Compliance Measurement

{Company Name}’s Information Security Team must verify compliance with this policy through various methods, including but not limited to, periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and feedback to the policy owner.

5.2 Exceptions

Any exception to this Artificial Intelligence Acceptable Use Policy must be approved in advance and documented by {Company Name}’s Information Security Team.

5.3 Non-Compliance

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

6. Related Standards, Policies, and Processes

Internet, Email, And Computer Use Policy
Password Policy
Password Manager Policy
Password Construction Guidelines
Software Installation Policy
Software Usage Policy
Authorized Applications List
Acceptable Encryption Policy
Electronic Data Protection Policy
Social Media Policy

7. Definitions and Terms

Protected Information is electronically stored data that contains Personally Identifiable Information (PII), or other confidential or sensitive information.  

Artificial Intelligence (AI) is intelligence—perceiving, synthesizing, and inferring information—demonstrated by machines, as opposed to intelligence displayed by humans or animals. Example tasks in which this is done include speech recognition, computer vision, translation between (natural) languages, as well as other mappings of inputs.

Generative Artificial Intelligence (Generative AI, or GenAI) is a type of Artificial Intelligence (AI) system capable of generating text, images, or other media in response to prompts. Generative AI models learn the patterns and structure of the input data, and then generate new content that is similar to the training data but with some degree of novelty (rather than only classifying or predicting data). Generative AI can be either unimodal or multimodal; unimodal systems take only one type of input (for example, text) whereas multimodal systems can take more than one type of input (for example, text and images).

Machine Learning is a subset of Artificial Intelligence (AI). It is focused on teaching computers to learn from data and to improve with experience – instead of being explicitly programmed to do so. In Machine Learning, algorithms are trained to find patterns and correlations in large data sets and to make the best decisions and predictions based on that analysis. Machine Learning applications improve with use and become more accurate the more data they have access to.

Large Language Model (LLM) is a model consisting of a neural network with many parameters (typically billions of weights or more), trained on large quantities of unlabeled text using self-supervised learning or semi-supervised learning. LLMs are general purpose models which excel at a wide range of tasks, as opposed to being trained for one specific task.

Artificial General Intelligence (AGI) is the intelligence of machines that allows them to comprehend, learn, and perform intellectual tasks much like humans.

You may go to the following link for a simple one-page reference defining Artificial Intelligence (AI) produced by Stanford University:
https://hai.stanford.edu/sites/default/files/2020-09/AI-Definitions-HAI.pdf