Artificial intelligence (AI) is rapidly transforming how businesses operate. By automating routine tasks, reducing costs, and enhancing decision-making, AI boosts business efficiency. However,, rushing into AI adoption without a robust AI policy can be risky.
Unlike traditional software, AI tools raise unique privacy and data handling concerns, particularly when it’s unclear how providers store, retain, or reuse submitted information. IBM found that 13% of organizations reported AI-related breaches, and 97% of those breaches lacked proper AI access controls.
For organizations, AI security strategies encompass two critical fronts: how employees utilize AI assistants in their daily workflows and how companies integrate AI into their own products. While both are important, this article focuses on the first use case. The reason is simple: employees use tools like ChatGPT, Copilot, or AI browser extensions before formal policies are in place. This “shadow AI” introduces immediate privacy and compliance risks, as employees may unknowingly share sensitive data, rely on unverified outputs, or use unapproved platforms. To address these risks, modern businesses must have a working policy on acceptable use of AI tools.
ISO/IEC 42001 is the world’s first international standard for AI management systems, designed to help organizations adopt artificial intelligence in a safe, ethical, and compliant way. It provides a structured framework for identifying risks, setting governance controls, and ensuring AI is used responsibly. Following ISO/IEC 42001 is especially important because it aligns AI use with privacy laws, such as GDPR, HIPAA, and CCPA, while also building trust with customers and regulators.
Get practical guidance and learn how organizations can create effective AI policies, define acceptable and unacceptable use, and equip their workforce to leverage AI securely without exposing sensitive data or breaching compliance obligations.
ISO/IEC 42001: a framework for responsible AI use
To address the risks of unsanctioned AI adoption, organizations can turn to ISO/IEC 42001, the world’s first international standard for AI management systems. Published in 2023, the standard provides a structured framework for governing AI adoption, encompassing areas such as risk management, transparency, accountability, and the ethical use of AI. For businesses in regulated industries like healthcare and finance, ISO 42001 is crucial because it complements existing compliance obligations under laws such as HIPAA and PCI DSS.
ISO 42001 should lay the foundation of an organizational AI policy. Let’s explore how organizations can define acceptable and unacceptable use, implement safeguards, and train employees to use AI tools securely in their daily workflows.
How to establish an effective AI security policy
As artificial intelligence becomes an integral part of business operations, organizations must establish clear policies to ensure its responsible use. Without proper safeguards, AI tools can expose sensitive data, create legal risks, or generate unintended outcomes. An AI policy provides employees with clear rules on how to use AI securely, ethically, and in compliance with regulatory requirements. It also demonstrates the organization’s commitment to transparency, accountability, and trust.
Only approved AI tools can be used
Only AI tools (including browser extensions) explicitly approved by company rules may be used. Approved tools have undergone security, compliance, and risk assessments to ensure they align with the organization’s data protection standards and regulatory obligations.
Organizations should prohibit using personal AI accounts, consumer-grade apps, or experimental platforms for work purposes. Free or personal versions of AI tools such as ChatGPT, Google Gemini, or Midjourney may store prompts, use input for model training, or lack enterprise-level security. For example, an employee entering sensitive client information into a personal AI chatbot could unintentionally expose that data to third parties, creating risks of data breaches, regulatory penalties, or reputational damage.
To safeguard the organization, all requests for new AI tools must go through an internal review and approval process managed by IT and compliance teams. This ensures that every tool in use has documented security controls, clear data handling policies, and contractual guarantees that protect the company and its stakeholders.
No sensitive data should be submitted
Employees must never enter sensitive information into AI tools. This includes, but is not limited to, Personally Identifiable Information (PII), Protected Health Information (PHI), or any confidential business data such as trade secrets, partnership details, upcoming news developments, or other proprietary information. This rule applies even when using AI tools that are approved by the company. While enterprise AI platforms may offer enhanced security features, the safest approach is to treat all AI systems as external entities that should not have access to confidential business or personal information. Once submitted, sensitive data may be stored, transmitted, or repurposed in ways beyond the organization’s control, exposing it to data breaches, regulatory violations, and reputational harm.
For example, it is unacceptable to copy and paste a patient’s medical history into an AI chatbot to draft a summary. However, it is acceptable to ask the AI chatbot to create a general template for medical summaries, without including any sensitive patient data.
Disable model training and data retention
Organizations should only rely on AI tools that explicitly prohibit data retention and comply with applicable privacy laws (e.g., GDPR, HIPAA, CCPA). It’s important to configure your AI tools to protect sensitive information. Any option that allows entered data to be stored or used for training must be switched off.
For example, many platforms allow administrators to disable chat history or opt out of data sharing for model training. In Microsoft Copilot and ChatGPT Enterprise, enterprise settings guarantee that prompts and responses are not used to retrain models. In contrast, free consumer versions of the same tools may automatically retain user inputs unless the feature is disabled.
The risks of failing to apply these safeguards are hazardous. If sensitive information is accidentally stored, it can later be exposed through system vulnerabilities. In 2023, Italy’s data protection authority temporarily banned ChatGPT over concerns that data could be improperly retained and reused without adequate user consent. At the end of 2024, it issued a 15 million euro fine to OpenAI because it trained ChatGPT with users’ personal data without first identifying a proper legal basis for the activity, as required under the GDPR.
In the event of the accidental submission of confidential or sensitive data, employees should notify their management immediately.
Do not trust AI outputs without human review
When using GenAI, employees must remember that generated content should not be considered accurate or reliable by default. GenAI systems can produce outputs that sound convincing but contain factual errors, omissions, or biases. If unchecked, this poses serious reputational risks, and even leads to compliance and legal liabilities. For example, in 2023, two U.S. lawyers were fined for submitting a legal brief drafted with ChatGPT that cited nonexistent case law invented by the model. Both lawyers and their firm were ordered to pay a $5,000 fine.
For this reason, every AI-generated output must undergo human review, validation, and approval before being used in company documents, communications, reports, or decision-making processes. AI should be treated as a support tool that accelerates, as opposed to an authority. Instead of copying an AI-generated contract clause directly into a client proposal without review, use the AI draft as a starting point, then fact-check, edit, and validate it.
Unacceptable use
To safeguard the organization, employees must understand what constitutes unacceptable use of AI tools. Even when using approved platforms, certain applications of AI are strictly prohibited because they expose the company to security, legal, ethical, and reputational risks.
Examples of unacceptable use may include:
- Developing malicious code or exploits: AI tools must not be used to generate malware, ransomware scripts, or other harmful code.
- Bypassing security controls: Using AI to bypass security measures implemented by the company. For example, identifying weaknesses in systems to bypass authentication or privilege escalation.
- Producing misleading, deceptive, or unethical content: Employees must not use AI to create fake news, impersonate individuals, generate manipulated media (“deepfakes”), or draft misleading financial, legal, or medical information. A widely cited case involved AI-generated deepfake videos of public figures, which spread misinformation and created reputational harm.
- Automating discrimination or bias: AI must not be used in ways that could lead to discriminatory practices, such as filtering job candidates by gender, ethnicity, or age. Back in 2018, Amazon shut down its AI hiring tool after discovering it systematically discriminated against female applicants. The system, trained on historical resumes, penalized terms like “women’s” and favored male-dominated job histories.
- Unauthorized data scraping or surveillance: Employees should not deploy AI tools to harvest personal or proprietary information from websites, competitors, or social media platforms without consent. This can result in regulatory fines under privacy laws, such as the GDPR or CCPA.
Non-compliance sanctions
Violations of AI policy will undermine the organization’s ability to protect sensitive data, maintain regulatory compliance, and preserve stakeholder trust. For this reason, any misuse of AI tools, intentional or unintentional, should be subject to disciplinary action.
Sanctions may range from verbal or written warnings to suspension or termination of employment in cases of severe or repeated violations. For example, an employee who casually tests AI tools using sensitive client data may expose the company to regulatory violations, resulting in fines and reputational damage.
The seriousness of non-compliance is illustrated by real-world cases. In 2023, Samsung employees inadvertently leaked confidential source code and strategy documents by pasting them into ChatGPT; the incident led the company to ban all generative AI use internally. Similar missteps in other organizations have triggered regulatory investigations, client distrust, and financial penalties.
Building a clear AI policy with Planet 9
Building a clear AI policy is not just a compliance requirement, but an additional layer of security. Planet 9 helps organizations develop tailored AI policies that align with ISO/IEC 42001, protect sensitive data, and ensure the secure adoption of AI with our information security management services. From risk assessments to policy design and employee training, we provide the expertise that SMBs and startups need to responsibly embrace AI while staying compliant and competitive.
Ready to build a secure and compliant AI framework? Our information security management services help organizations design secure, ethical, and regulation-ready AI practices.
