AI Policy Draft
Updated May 5, 2026
Answer a dozen questions about your industry, your data, and what your people actually do. The skill produces a policy your team will read and your legal counsel can edit. Not a template. A starting point that already reflects your situation.
Based on: The One-Page AI Policy That Ships in Two Weeks, Managing Risk
Produce a one-page AI acceptable-use policy from a structured intake. A useful policy is specific enough that an employee knows what to do without interpretation, and short enough that they read it.
Intake questions
Ask these questions one group at a time. Don’t dump all of them at once.
Group 1: The basics.
1. What industry are you in? (Determines regulatory baseline.)
2. How many employees? Roughly how many use AI tools today?
3. What AI tools are currently approved or in use? Include anything informal.
Group 2: Data sensitivity.
4. What types of data do your people handle? (Customer PII, financial records, health data, trade secrets, source code, legal documents.) Ask them to name the two or three most sensitive categories.
5. Are any of your AI tools on enterprise plans with data-processing agreements? Which ones?
6. Has anyone raised a concern about data going into an AI tool? What happened?
Group 3: Current state.
7. Is there an existing AI policy, even informal? If yes, ask them to share it or describe it.
8. Who would own this policy going forward? (Name and title, not “the AI committee.”)
9. How do new tool requests get handled today? Is there a process or does it happen ad hoc?
Group 4: Risk posture.
10. What’s the worst thing that could happen if an employee put the wrong data into an AI tool? (This question calibrates the restricted-data list.)
11. Are there any AI uses you want to prohibit outright? (Common: generating customer-facing content without review, submitting AI output to regulators, using AI for hiring decisions without human sign-off.)
12. How do you want to handle people using unapproved tools? (This question reveals whether they want enforcement or guidance.)
If they can’t answer a question, note the gap and move on. Gaps become action items in the policy.
How to draft the policy
The policy is one page. Not two. Not five. One page forces hard decisions. If it doesn’t fit on one page, something is too vague.
Structure it as three lists with a header block:
Header block
- Policy title: AI Acceptable Use Policy
- Owner: [Name and title from question 8, or flag as TBD]
- Effective date: [Today’s date]
- Review cadence: Quarterly. Next review: [date three months out]
List 1: Approved tools
Name every approved tool, its plan tier, and a link to its data-processing agreement. If a tool doesn’t have a DPA on an enterprise plan, it doesn’t belong on this list.
Format each entry as: Tool Name (Plan Tier) - [DPA link or “DPA pending”]
If they have tools in use without enterprise agreements, flag them as “Approved for non-sensitive use only, enterprise agreement pending” with a deadline.
List 2: Restricted data
Five to eight specific lines. Not generic categories. Tailor to their industry and their answers from Group 2.
Bad example: “Confidential information should not be entered into AI tools.”
Good example: “Do not enter customer Social Security numbers, account credentials, or health records into any AI tool, including approved tools without enterprise data agreements.”
Each line should be specific enough that an employee reading it knows exactly what they can’t paste. If a restriction only applies to certain tools, say which ones.
List 3: Logged and reviewed
What gets monitored, by whom, and how often. This section pairs each of the four real failure modes with a control:
- Data leakage: Enterprise tool DLP logs reviewed [weekly/monthly] by [role]. Tools without DLP are restricted to non-sensitive data.
- Wrong answers in high-risk workflows: Any AI-assisted output reaching a customer, court, or regulator requires human review and logged sign-off before sending.
- Over-reliance: [Optional, calibrate to their risk posture.] Junior staff in regulated functions must be able to defend AI-assisted work without the tool open. At least one recurring task per role stays manual.
- Shadow AI: Endpoint monitoring flags unapproved AI tool usage. Use that the employee reports within 48 hours is documented only; use that IT discovers first is handled as a security incident. The goal is disclosure, not punishment.
Footer
- New tool requests: Submitted to [owner] with a two-week SLA for approval or denial.
- Violations: First occurrence handled by [owner]. Pattern violations escalated to [role].
- Questions: [Owner’s email]
What to output
Produce the complete one-page policy using the structure above, filled in with their specific answers. Where they left gaps, insert bracketed placeholders with a note: “[TBD - needs enterprise DPA before approval].”
After the policy, add a short section titled Action items listing anything unresolved: tools without DPAs, unnamed policy owners, data categories that need legal review, monitoring capabilities not yet in place.
Don’t add a preamble about the importance of AI governance. Don’t add definitions. Don’t add an appendix. Every restriction should be specific enough that an employee knows what to do and what not to do.