---
name: ai-use-policy-drafter
description: Draft a complete AI use policy for an SMB — acceptable use, tool allow-list, data-handling rules, prompt-library reference, staff FAQ, breach-response steps — tailored to sector (legal, finance, creative, public).
version: 1.0.0
author: VantagePoint Networks
author_url: https://www.vpnetworks.co.uk
audience: IT Managers, DPOs, Compliance Leads, HR Managers, Managing Partners, MSP Consultants
output_format: Formatted Markdown policy document with cover page, section-by-section content, staff FAQ, tool allow-list, and sign-off page ready for leadership review.
license: MIT
last-reviewed: 2026-04
---

# AI Use Policy Drafter

A Claude Code skill for SMBs writing a proper AI-use policy — not the two-paragraph "don't put client data into ChatGPT" note in the staff handbook, but a document that survives a regulator query or an insurance renewal.

## How to use this skill

1. Download this `SKILL.md` file.
2. Place it in `~/.claude/commands/` (macOS/Linux) or `%USERPROFILE%\.claude\commands\` (Windows).
3. In Claude Code, run `/ai-use-policy-drafter`. Describe your organisation in plain English. Answer the clarifying questions. Receive a complete, tailored policy.

## When to use this

- Your insurer, client, or regulator has asked whether you have an AI-use policy and you need one by end of month.
- Staff are using ChatGPT / Copilot / Claude already and you want guidance before an incident forces the conversation.
- You're pitching a Copilot / private-AI rollout and leadership wants the governance document before signing off on licences.
- You're in a regulated sector (law, finance, healthcare, public) and your trade body has published AI guidance you now need to reflect.
- You're renewing cyber insurance and the carrier's AI questionnaire is on your desk.

## What you'll get

A single Markdown document containing:

- A **cover page** with scope, owner, review date, approved-by line
- A **purpose statement** in plain English
- **Principles** (5-7 short principles staff can recall without looking)
- A **tool allow-list** with approval status, data-sensitivity level permitted, and named owner
- **Data-handling rules** by data class (public / internal / confidential / restricted)
- **Permitted and prohibited uses** with examples
- A **prompt library reference** (policy, not the library itself)
- **Training & acknowledgement** requirements
- **Incident response** for "AI caused harm" scenarios
- A **staff FAQ** (12-15 questions)
- **Governance** (review cadence, change process, exception handling)
- A **sign-off page** for leadership

## Clarifying questions I will ask you

1. **Sector?** (law, accountancy, finance, healthcare, creative agency, public sector, general SMB)
2. **Regulator(s)?** (SRA, FCA, ICAEW, ICO, sector-specific)
3. **Headcount in scope?**
4. **Which AI tools are already in use, officially or shadow?** (Copilot, ChatGPT, Claude, Gemini, Perplexity, sector-specific)
5. **Primary data sensitivity?** (client privileged files, PII, financial records, health data, general)
6. **Are you using Copilot for M365?** (licensed, with EU Data Boundary, without, considering)
7. **Do staff have company devices, BYOD, or mixed?**
8. **How do you want the tone?** (permissive — "use it, with care" / cautious — "allow-list only" / restrictive — "approved tasks only")
9. **Do you have sensitivity labels or DLP deployed?**
10. **Any existing Information Security Policy this should cross-reference?**
11. **Who's the policy owner?** (DPO, IT Manager, Compliance Lead, Managing Partner)
12. **Target review cadence?** (6 months recommended for AI given pace of change)

## Output template

```markdown
# AI Use Policy — <organisation>

**Version:** 1.0 · **Effective date:** <date> · **Review date:** <date + 6 months>
**Owner:** <role> · **Approved by:** <role>

## 1. Purpose
<Plain-English why. Two sentences.>

## 2. Scope
Applies to all staff, contractors, volunteers, and associated parties using AI tools in the course of <org> business, on any device. Excludes personal AI use on personal time on personal devices where no <org> data is involved.

## 3. Principles
1. **We don't leak client data.** No client-identifiable or privileged material enters a non-approved tool.
2. **A human is always accountable.** AI drafts, humans decide.
3. **We document AI-assisted work** where it could be material to an outcome.
4. **We use approved tools.** Shadow-AI is treated as a data-handling incident.
5. **We stay current.** Policy reviewed every 6 months; staff trained annually.
6. **We escalate uncertainty.** When in doubt, ask before using.
7. **We respect others' rights.** Copyright, privacy, confidentiality apply unchanged.

## 4. Tool Allow-List
| Tool | Permitted data class | Approved tasks | Owner | Notes |
|---|---|---|---|---|
| Microsoft 365 Copilot | Internal, Confidential (with labels) | Drafting, summarising, search | IT Manager | EU Data Boundary on |
| ChatGPT (Enterprise, if licensed) | Internal only | Research, idea generation | IT Manager | No personal data |
| Claude (via Anthropic API for approved workflows) | Internal, Confidential | <specific workflows> | IT Manager | Logged |
| Any other / personal-tier AI | None (prohibited for work) | — | — | Use approved tool instead |

## 5. Data-Handling Rules
| Data class | Permitted in approved AI tools? | Notes |
|---|---|---|
| Public | Yes | No restriction |
| Internal | Yes, approved tools only | Review outputs before external share |
| Confidential | Yes, in approved tools with appropriate label | Never in personal-tier tools |
| Restricted (client privileged, HR, M&A, payment card, special-category PII) | No | Handle outside AI tools |

## 6. Permitted & Prohibited Uses
### Permitted examples
- Drafting first-pass emails, proposals, reports (then reviewed and edited)
- Summarising meetings and long documents for internal use
- Coding assistance for non-client code
- Brainstorming, outlining, research synthesis

### Prohibited examples
- Pasting client-privileged material into any non-approved tool
- Using AI-generated output as final work product without human review
- Generating or processing special-category personal data in any AI tool
- Using AI to deceive (impersonation, fabricated evidence, synthetic client approval)
- Uploading proprietary third-party material beyond fair-dealing limits

## 7. Prompt Library
We maintain a shared prompt library at <location>. Use proven prompts. Contribute new ones. Do not embed client data in prompts that may be shared.

## 8. Training & Acknowledgement
- All staff complete AI-use training on induction and annually.
- Acknowledgement of this policy is required before first use of any approved AI tool.
- Evidence retained for 3 years.

## 9. Incident Response
An AI-related incident includes: data pasted into a non-approved tool; AI-generated output used without review that caused harm; a vendor notifying us of a training-data or security issue.

1. Report to <role> within <N> hours.
2. Preserve the prompt, output, and any recipient communications.
3. Assess data-subject impact. If personal data is involved, start the UK GDPR Article 33 72-hour notification timer.
4. Notify clients per contract.
5. Review and update policy / training as needed.

## 10. Staff FAQ
**Q: Can I use ChatGPT to draft a client email?** — Yes, in our approved enterprise instance, with no client-identifiable data in the prompt. Review before sending.

**Q: Can I use Copilot on a document stored in our SharePoint?** — Yes, provided the document carries the correct sensitivity label and the site is within the approved Copilot scope.

**Q: What if I've already pasted something I shouldn't have?** — Tell <role> immediately. Honest early disclosure is always better than concealment that is discovered later.

**Q: Can I use AI to write my CV / personal emails / hobby projects?** — Yes, on your own time, on your own device, with your own account. Not our business.

**Q: What about transcription tools for client calls?** — Only our approved tool <name>. Explicit consent from all parties required. Recordings retained per our DPA.

**Q: Can I use AI to generate images of our brand or client work?** — <Yes/No with scope>. Attribution required where published.

**Q: Does the policy apply to AI features inside tools I already use?** — Yes. Outlook's Copilot suggestions are AI. So is predictive text. Treat accordingly when drafting to clients.

**Q: Can I use AI to summarise a legal document / contract / regulator letter?** — <Yes — approved tool only, with appropriate label. / No — handle manually.>

**Q: What if a client asks whether we use AI?** — Answer honestly. See our client-facing AI statement at <link>.

**Q: Will I be monitored?** — AI tool usage is logged centrally. Outputs are not reviewed unless an incident is suspected.

**Q: Can I install my own AI tool on my company device?** — No. Submit a request via <process>.

**Q: Can I use AI to help recruit / screen candidates?** — Restricted. HR-approved tools only. Bias assessment required.

## 11. Governance
- **Policy owner:** <role>. Single point of accountability.
- **Review cadence:** every 6 months, or sooner on material change.
- **Exception process:** submit via <process>; documented, reviewed, time-limited.
- **Change log:** appended to this document.

## 12. Related Policies
- Information Security Policy
- Data Protection Policy
- Acceptable Use Policy
- Confidentiality / Privilege (sector-specific)

## 13. Sign-Off
Approved by: ______________________  Role: __________  Date: __________
Next review due: __________
```

## Example invocation

**User:** "45-person accountancy firm, ICAEW-regulated, M365 Business Premium, Copilot licences arriving next month. Want a policy before rollout. Conservative tone."

**What the skill will do:**
1. Ask the 12 questions, especially drilling on: ICAEW AI guidance references, which data classes the firm handles (client financial records = Confidential), whether sensitivity labels are deployed.
2. Produce the complete policy with:
   - ICAEW ethical-code references in the Principles and Data-Handling sections
   - Copilot (with EU Data Boundary) as the primary approved tool, ChatGPT restricted to Internal-only data
   - A prohibited-uses list including "pasting client financial records into ChatGPT personal"
   - An FAQ tailored to partners and senior associates (billable-hour assurance, client confidentiality, regulator reporting)
   - A conservative tone throughout — "with approval" rather than "feel free"
3. Flag that acknowledgement-tracking needs a mechanism (Intranet form, HR system, training platform) before rollout.

## Notes for the requester

- **Don't hide the policy inside the staff handbook.** Publish it separately. Link it from the AI-tool login pages. Remind staff quarterly.
- **A policy with no tool allow-list is not a policy.** Every SMB we audit has the same failing — generic "use good judgement" text with no guidance on which tool, what data, who approves.
- **Update after every material change.** New Copilot feature, new ChatGPT product tier, new regulator guidance — these trigger a policy review. Six months is a maximum, not a target.
- **The FAQ is the most-read section.** Spend the most time there.
- **Good looks like:** 12 months after publication, you can answer "what's your AI policy?" in a procurement questionnaire with one PDF attached.

---
*VantagePoint Networks · <https://www.vpnetworks.co.uk> · Authored by Hak · Free under the MIT licence*
