Your employees already use AI at work.

The policy vacuum is the real risk

Most organizations are in the same position: employees have discovered generative AI and are using it to draft, summarize, code, and analyze — productively — while the company has no policy governing any of it. That vacuum is the exposure. Without rules, an employee can paste confidential client data, trade secrets, or personal information into a public AI tool whose terms let the vendor retain and train on it; can ship AI-generated work whose ownership or accuracy is questionable; or can use AI in ways that violate the company's obligations to customers or regulators. The benefit of workplace AI is real, and banning it outright usually just drives it underground. The answer is governance: clear rules that let people use AI well while closing the specific risks.

Confidentiality: the line that must be drawn first

The single most urgent rule is about what data may never go into an AI tool. When an employee feeds information into a general-purpose AI system, that data may leave the company's control — retained by the vendor, used to train its models, or exposed. So the policy has to define clearly what is off-limits: client confidential information, trade secrets, personal and regulated data, privileged material, and anything under a confidentiality obligation. It also has to distinguish between tools — an enterprise AI deployment with contractual data protections is different from a free public chatbot, and the policy should steer sensitive work to the former and keep it out of the latter. This is where workplace AI policy connects directly to data-privacy and vendor-contract work: the rules only make sense in light of what each tool actually does with the data.

Ownership of AI-assisted work, and acceptable use

Two more pillars round out a workplace policy. Ownership: when employees produce work with AI assistance, the company needs clarity on what it owns and what it can rely on — including the unsettled question of rights in AI-generated content, and the practical need to ensure AI-assisted work product is actually the company's. Acceptable use: the policy should define where AI is encouraged, where it requires review or disclosure, and where it is prohibited — for example, high-stakes decisions that need human judgment, or uses that would implicate employment-AI law if applied to the workforce itself. A good policy is not a wall of prohibitions; it is a clear map of green, yellow, and red zones that employees can actually follow.

Policy written by someone who governs AI use in practice

Drafting a workplace AI policy that is both protective and usable benefits enormously from having actually governed AI use in an operating context. Adam designs and runs the guardrails and oversight for his own production AI system and holds the AIGP credential, so the policies he drafts reflect how people and AI actually interact at work — not a theoretical document that employees ignore because it does not fit how they work. The same operational sense that distinguishes real human-in-the-loop design from theater applies here: a policy works only if it maps to real behavior and real risk.

A practical deliverable

This is well-suited to a defined scope: an acceptable-use policy for employee AI, confidentiality and data-handling rules, guidance on ownership of AI-assisted work, and the supporting training or rollout so the policy is understood rather than just filed. For employers also subject to HB 3773 in how they use AI on their workforce, the internal-use policy and the employment-compliance work fit together. Engagements are flat-fee or hourly. The objective is simple: capture the productivity, close the leaks, and have a defensible record that the company governed its employees' AI use deliberately.

If your workforce spans more than one state

An employer whose people sit in several states has to write its internal AI-use and workforce-deployment policy against more than Illinois law. Where AI is applied to the workforce itself — screening, performance, scheduling, discipline — the rules of each state come into play: New York City's Local Law 144 requires an independent bias audit and candidate notice for automated employment decision tools; California's privacy regulations reach automated decision-making technology used in employment, with among the most stringent such obligations in the country phasing in over time; and Illinois adds HB 3773 and the earlier Artificial Intelligence Video Interview Act. These move and must be verified against current law. As a practical matter, a multi-state employer is usually better served writing one policy to the most demanding applicable standard than maintaining a different rulebook in every state — and where compliance turns on advising under another state's employment law, the firm coordinates with counsel admitted there rather than reaching beyond where it is authorized to practice.

What usually goes wrong

The most common and dangerous failure is no policy at all — employees pasting confidential client data, trade secrets, or personal information into public AI tools that retain and train on it, silently leaking the company's most sensitive material with no rule against it. A close second is the outright ban that drives AI use underground: employees use it anyway, on personal devices and accounts, entirely outside any oversight, which is worse than a governed allowance. The third is the policy that is a wall of prohibitions nobody follows because it does not fit how people actually work — a document that exists for the file but changes no behavior, leaving the real risk untouched.

Related

• Illinois HB 3773 — AI in Employment Compliance →
• AI & Data Privacy →
• AI Governance Frameworks & Policy →