Build the foundation.

Before deploying AI tools, build the policy foundation that governs how AI behaves in your organization. Bolting policy on after an incident is harder, more expensive, and misses the gap that caused the incident.

The four policies below are the structure of an AI Usage Policy. Decide on each one before you sign your first AI license. If you want a starting point, the policy builder at policybuilder.keystone.solutions generates a boilerplate draft based on your inputs — refine it to your business specifics and have qualified legal counsel review the final language before adopting it.

AI Security Posture

Your security posture sets the stance your organization takes toward AI risk. It defines the data sensitivity at play, the regulatory frameworks that apply, and the level of supervision required for AI output.

• The data categories your AI tools may and may not touch (PII, PHI, financial records, IP, customer data)
• The regulatory frameworks that govern your business and how they apply to AI use
• Whether AI output requires human review before it leaves the organization
• How AI use fits inside your existing access controls, logging, and incident response

AI Acceptable Use

Acceptable Use defines what employees may do with AI tools and what they may not. This section becomes a Permitted and Prohibited list. Decide what goes on each one.

• Use cases you want to permit (drafting, summarization, research, internal training material)
• Use cases you want to prohibit (inputting customer PII, generating client-facing communications, AI-driven decisions without human review)
• The approval path for use cases not on either list
• Whether contractors and vendors are bound by the same rules

Allowed AI Tools

Your Allowed Tools list is your approved AI inventory. Anything not on the list is not permitted. This section becomes a named list with scope of use for each tool.

• The AI tools you have evaluated and approved
• What each tool is permitted to do, and what it is not
• Who is authorized to use each tool
• The process for adding a new tool to the list

Compliance and Ethics

Compliance and Ethics assigns individual accountability and ties AI use to your regulatory and ethical obligations. This section becomes a numbered list of obligations every employee acknowledges.

• The reporting path when an employee observes a policy violation or unintended data exposure
• The retention requirements for AI-assisted work products
• The consequences for policy violations
• The standard for evaluating AI output before relying on it

Decide who owns it.

Governance defines who owns AI decisions, how new tools get approved, and how the organization keeps the policy current as the AI market shifts.

AI Owner

Name one person accountable for AI strategy, the approved tools list, policy updates, and vendor reviews. Without a named owner, the work happens by accident or not at all.

• A named individual with executive backing
• Authority to approve or reject new AI tools
• Ownership of the approved tools inventory and the policy itself
• A defined escalation path when a decision needs leadership input

Tool Approval Process

Document the path a new AI tool takes from request to approval. Without a written process, employees sign up for tools on their own credit cards, and your data goes with them.

• A request form or queue that captures business use case, data involved, and proposed user group
• A security and privacy review (vendor security certifications, data retention, training data use)
• A documented decision (approved, conditionally approved, rejected) with rationale
• A target turnaround time so requesters know what to expect

Training and Awareness

Employees cannot follow a policy they have not read. Set up onboarding training and an annual refresher tied to policy changes.

• Required AI awareness training before access to approved tools is granted
• Annual refresher covering policy updates and new tools added in the past year
• Role-specific training for high-risk users (finance, HR, legal, customer-facing roles)
• A documented acknowledgment that employees have read and understood the policy

Review Cadence

AI tools and vendors change faster than most policy cycles. Put reviews on a calendar at fixed intervals so they happen before something forces them.

• Quarterly review of the approved tools list and known shadow AI use
• Annual review of the full policy with IT, security, and leadership
• An incident review process that triggers an immediate policy revisit
• A vendor renewal review for AI tools coming up for contract renewal

See what is already there.

A living list of every AI tool in use across your organization, who uses it, and what state it is in. Build it once, then review and update it on the cadence set in Step 2.

Three categories cover most AI in business use. If a tool spans more than one, list it under the category that matches its primary purpose.

Productivity & Content

AI tools embedded in productivity suites, drafting platforms, and content workflows. These have the broadest user base and the loosest data boundaries, which makes them the highest-priority inventory category.

Common examples: Microsoft 365 Copilot, ChatGPT, Claude, Gemini, Notion AI, Grammarly. If employees use any of these, the tool belongs in your inventory whether or not your organization paid for it.

Security & Operations

AI built into security tooling, monitoring platforms, and IT operations. These run inside your IT stack, configured by your MSP or internal IT team rather than end users.

Common examples: Microsoft Copilot for Security, MDR platforms with AI correlation, AI-assisted SIEMs, RMM tools with AI summarization.

Customer-Facing & Specialized

AI in customer-facing channels, or AI built for a specific business function (legal, finance, HR, sales). These tools carry the most legal and reputational risk because their output reaches outside the organization.

Common examples: Website chatbots, AI-powered call center software, contract review tools, AI sales assistants, AI-powered HR screening platforms.

Status definitions

Define what success looks like.

A business outcome names a result the business cares about, the metric that proves it happened, the person accountable, and the date you expect to see it. Without those four pieces, you have a topic.

Compare “AI for customer service” with “reduce average ticket resolution time from 18 hours to 6 hours by Q4, owned by the head of support.” The second example is a plan you can fund, staff, and review. The first is not.

What makes a real business outcome

A business outcome you can build a plan around has four things:

• A result the business cares about, stated in business terms (revenue, cost, time, risk, customer experience)
• A measurable target with a baseline (what is true today, what will be true if the work succeeds)
• A named owner with the authority to make the call when something needs to change
• A timeline tied to a real decision point (budget cycle, quarterly review, renewal date)

Without all four, the work is not ready to fund.

Common outcome categories

The list below shows common categories. Yours may include others. Most organizations find their real outcomes by starting from a top-three operational pain point and working backward into AI capabilities.

Your outcomes

The six categories above cover the most common ground. Your actual outcomes will be specific to your business, your industry, and the pain points you have today. Pick the two or three that matter most this year. Write them down as real outcomes (result, baseline, target, owner, timeline) before you spend a dollar on an AI tool to deliver them.