Cornerstone Cyber · AI Acceptable Use Policy
Policy template

AI Acceptable Use Policy

Clear rules for using generative AI safely, aligned to your information security management system.
Document reference
ISMS-AI-USE-POLICY
Version
1.0
Document owner
[Insert Owner]
Classification
Internal
Cornerstone Cyber · Adapt for [Insert Company]
How to use this templateThis is a starting point, not a finished policy. Replace every [Insert …] placeholder, confirm the approved tool list and the platform table match what your organisation actually licenses, and have it reviewed and approved by your governance or ISMS function before you publish it. Where this policy conflicts with your broader Acceptable Use Policy or ISMS, the stricter position applies.
Revision history
VersionDateAuthorSummary of changes
1.0[Insert Date][Insert Author]Initial policy for AI use aligned with ISMS
Approval
NamePositionDate
[Insert Name][Insert Position][Insert Date]
Contents

What's inside

01Purpose & application
02Definitions
03Roles & responsibilities
04Guidelines
05Minimum standards of acceptable use
06Platform data security reference
07Compliance & enforcement
08Approved tools & use cases
09Model limitations & risk disclosure
10Continuous improvement & review
11Access provisioning & revocation
12Third-party AI usage
13Legal, licensing & intellectual property
14Commercial acumen & project profitability
15User acknowledgement
Cornerstone CyberAI Acceptable Use Policy

01 · Purpose & application

This policy sets out [Insert Company]'s position on the acceptable use of generative artificial intelligence (AI) tools approved for use within the organisation, such as Microsoft Copilot and ChatGPT Enterprise.

Use of AI must never compromise [Insert Company]'s security obligations, client confidentiality, or regulatory responsibilities. This policy applies to all employees, contractors, and third parties who have access to [Insert Company] systems, data, or environments.

This policy is a subset of [Insert Company]'s Acceptable Use Policy and Information Security Management System (ISMS). Where any conflict arises, the stricter policy prevails.

02 · Definitions

  • AI tools: Microsoft Copilot, ChatGPT Enterprise, or other generative AI tools explicitly approved by [Insert Company].
  • Generative AI: systems that produce new content (text, code, images, audio) from a prompt, based on patterns learned from training data.
  • Personnel: all employees, contractors, and authorised third parties acting on behalf of [Insert Company].
  • Sensitive data: Commercial-in-Confidence, Internal-Only, personal information, client data, or any information classified as restricted under [Insert Company]'s data classification scheme.
  • Human in the loop: a person reviews, validates and takes responsibility for AI output before it is used or released.
  • Hallucination: confident but false or fabricated output from an AI model.
  • Enterprise tooling: AI services provisioned under a business or enterprise agreement with data isolation, admin control and audit, as opposed to free or consumer tiers.

03 · Roles & responsibilities

  • Users are fully accountable for the outputs generated by AI tools.
  • It is the user's responsibility to ensure outputs are reviewed for factual accuracy, ethical appropriateness, and compliance with client and internal obligations.
  • [Insert Company] may monitor and audit AI usage to maintain compliance with this policy.
  • Department leads are responsible for ensuring their teams are trained and informed about this policy.
  • All personnel must complete mandatory AI usage and risk training before access is granted, with refresher training completed annually.
  • Training covers acceptable use, ethical boundaries, output validation, and secure handling of data in AI workflows.
  • As AI models evolve, users must seek approval before adopting new features or capabilities.
Cornerstone CyberPurpose · Definitions · Roles

04 · Guidelines

Use of approved AI tools must be:

  • Limited to [Insert Company]-managed and secured environments.
  • Applied to approved use cases such as internal documentation, summarisation, productivity enhancement, ideation, or content development.

Users must:

  • Review all outputs critically before using them in deliverables.
  • Not rely on AI as a replacement for expert or legal advice.
  • Not treat AI outputs as authoritative unless validated against a trusted source.
  • Use only approved templates and prompt frameworks for AI tasks involving sensitive topics such as security, HR, or financial content (where internally built and distributed).

Use of private or sensitive information is permitted only:

  • Within secure, approved platforms; and
  • Where it is not used for training or fine-tuning, unless explicitly authorised by the Information Security or Governance function.

05 · Minimum standards of acceptable use

  • Accountability: all AI-generated content must be reviewed, edited, and verified by the person who generated it.
  • External use: any client-facing or public deliverable must undergo peer review and, where appropriate, include a disclosure such as "This content was partially generated using AI-assisted tools."
  • Data sensitivity: do not upload Commercial-in-Confidence, Internal-Only, or Sensitive data unless using an approved secure application with integrated AI controls (for example Defender, Purview, Intune, Netskope).
  • Ethical use: AI must not be used for manipulation, misinformation, or any purpose outside legitimate business use.
  • Human in the loop: AI cannot make decisions or generate final deliverables without human review.
  • Sanctioned models: the use of personal, unapproved, or non-enterprise AI tools (including browser extensions, free-tier models, or locally hosted tools) is strictly prohibited for any business activity. Only AI tools explicitly approved and provisioned by [Insert Company] are permitted on company systems or data.
Cornerstone CyberGuidelines · Minimum standards

06 · Platform data security reference

Approved enterprise AI platforms and their data-handling posture. Confirm these against your own agreements and tenant configuration before relying on them, as vendor terms change.

FeatureMicrosoft CopilotChatGPT EnterpriseGoogle Gemini EnterpriseAnthropic Claude for Work
Data used for model trainingNoNoNoNo
Data stays in your instanceYesYesYesYes
Australian data sovereigntyYes (data region)NoNoYes
Admin control over accessYesYesYesYes
Logging & auditMicrosoft PurviewAdmin console / APIAdmin console / cloud logsAdmin console / API

These tools are provisioned under enterprise configurations where available, ensuring data isolation, prompt confidentiality, and alignment with [Insert Company]'s data governance standards. Tools not provisioned with enterprise-grade controls must not be used without explicit written approval.

  • All AI tool activity must be logged and retained for a minimum of 12 months.
  • Logs must include prompt history, user ID, date and time, and IP or device context where possible.
  • [Insert Company] reserves the right to export and review AI usage data for compliance or legal purposes.
  • AI vendors must store and process data in jurisdictions that meet [Insert Company]'s data sovereignty and residency requirements. Use of AI tools hosted in prohibited regions is not permitted.
Cornerstone CyberPlatform data security

07 · Compliance & enforcement

Breaches of this policy may result in:

  • Suspension of AI tool access;
  • Disciplinary action, up to and including termination;
  • Legal or contractual consequences depending on severity.
  • All AI use is subject to periodic audit. Suspected misuse must be reported to your manager and escalated via the cybersecurity or HR channel.
  • All suspected AI misuse, data leakage, or tool malfunction must be reported immediately to the cybersecurity team via [Insert Escalation Channel].
  • AI-related incidents are managed under the existing Information Security Incident Management Policy.
  • Logs and outputs must be preserved for forensic review.
  • Any deviation from this policy must be documented and approved via the Policy Exception Register and reviewed by Information Security.

08 · Approved tools & use cases

The following tools are currently approved (provisioned on request):

  • Microsoft Copilot
  • ChatGPT for Teams / Enterprise
  • Google Gemini for Enterprise
  • Anthropic Claude for Work
  • Others as approved by the Governance Committee

Approved use cases

  • Documentation summarisation
  • Data analysis support
  • Content drafting (internal use)
  • Email summarisation
  • Meeting action capture
  • Research and market analysis

Unapproved use cases

  • Legal or contractual drafting
  • Decision automation for critical processes
  • Anything involving public disclosure without review
Cornerstone CyberEnforcement · Approved use

09 · Model limitations & risk disclosure

Users must understand and acknowledge:

  • AI tools are probabilistic, not deterministic; output may be inaccurate or misleading.
  • Models can hallucinate or infer false information.
  • AI should augment, not replace, expert review and judgement.
  • Final responsibility always lies with the human operator.

Use of AI for data interpretation or decision support requires disclosure of AI involvement in the process, and verification of facts against source data.

10 · Continuous improvement & review

This policy is subject to:

  • Review every six months by the Governance or ISMS team;
  • Input from user feedback or incident reviews;
  • Updates based on changes in technology, regulation, or company position.

Suggestions for improvement can be submitted to the Policy Owner or Governance Lead via [Insert Contact Channel].

11 · Access provisioning & revocation

  • All AI tools must be provisioned by IT or Security Admins via approved channels only.
  • Access is role-based and must align to a business justification.
  • Access must be reviewed quarterly by department leads.
  • Access must be revoked immediately on role change, departure, or policy breach.
  • Use of AI tools on unmanaged or personal devices (BYOD) is prohibited unless explicitly authorised and monitored through mobile device management (MDM).
  • Installation or use of AI models outside [Insert Company]'s approved platforms is a violation of this policy and may result in immediate revocation of access.
Cornerstone CyberLimitations · Review · Access

12 · Third-party AI usage

  • Use of AI tools by vendors, contractors, or clients on [Insert Company] projects must meet the same security, ethical, and usage standards.
  • No third-party AI integration may occur without formal review and approval by Information Security and Legal.
  • Contract clauses must reflect data protection obligations when AI is involved.

13 · Legal, licensing & intellectual property

  • Personnel must ensure AI-generated outputs do not violate copyright, licensing, or IP rights.
  • Generated content must be validated for originality, using plagiarism detection tools where appropriate.
  • All AI-assisted work created during employment remains the intellectual property of [Insert Company].

14 · Commercial acumen & project profitability

AI tools can accelerate deliverables and improve margin. However, transparency is critical:

  • Estimate the time savings gained via AI versus manual completion.
  • Disclose and discuss with the Project Owner to agree on billing or profitability implications.

This ensures responsible use of AI while safeguarding client value and internal margin integrity.

15 · User acknowledgement

All personnel must acknowledge that they have read, understood, and agree to comply with this policy. Acknowledgement is tracked via the Learning Management System (LMS) or onboarding portal.

Make it realA policy only works when it is provisioned, trained and enforced. Cornerstone helps put the controls behind it, secure AI tooling, data classification with Purview, guardrails with Netskope, and Conditional Access, so the rules in this document are enforced by the platform, not just written down. cornerstonecyber.com.au
Cornerstone Cyber · cornerstonecyber.com.auAI Acceptable Use Policy