Building an AI Use Policy: What General Counsel Needs to Cover in 2026

Only 37% of organizations have a formal AI governance policy despite 69% suspecting unauthorized employee AI use. Here's the seven components every AI use policy needs, plus how to fold in TRAIGA and EU AI Act obligations.

Building an AI Use Policy: What General Counsel Needs to Cover in 2026
Loading AudioNative Player...

The Governance Gap — Why AI Use Policies Can't Wait

Employees have already decided how generative AI fits into their workday. The question is whether General Counsel has caught up. A Gartner survey of 302 cybersecurity leaders conducted between March and May 2025 found that 69% of organizations suspect or have confirmed evidence that employees are using prohibited public generative AI tools. That figure describes tools the company already knows about or fears exist — the actual number of unauthorized ChatGPT sessions, Claude prompts, and browser-extension AI assistants running against corporate data is almost certainly higher.

Governance has not kept pace with adoption. Gartner projects that by 2030, more than 40% of enterprises will experience a security or compliance incident tied to unauthorized shadow AI use, and the same research found that only about 37% of organizations currently maintain a formal AI governance policy, as reported by Fortra's coverage of the Gartner findings. That leaves roughly two-thirds of organizations exposed to a use pattern they neither sanctioned nor documented.

The absence of a written policy is not a neutral gap — it is an active liability. Without a defined boundary, no one can say which categories of confidential or trade-secret information employees may enter into a third-party AI tool, and no one has agreed in advance what happens to that data once it leaves the company's control. Without a policy, there is no basis for disciplinary action when an employee pastes a client contract into a public chatbot, and no escalation path when someone discovers it happened. Companies have been here before with unmanaged BYOD and shadow IT — the difference is that AI tools ingest and retain content in ways personal devices never did.

Regulatory timelines are closing that window. The Texas Responsible AI Governance Act takes effect January 1, 2026, and it does not stop at AI developers — it reaches private entities that deploy AI systems in the course of business in Texas. For General Counsel weighing whether an AI use policy is a near-term project or a someday initiative, that effective date answers the question.

⚠️
69% of organizations suspect employees are using prohibited AI tools, but only 37% have a formal governance policy in place — a gap TRAIGA's January 1, 2026 effective date will start converting into legal exposure.

The Seven Components Every AI Use Policy Must Cover

A usable AI policy does more than declare that employees should act responsibly. It draws bright lines around what is allowed, what is off-limits, and who is accountable when those lines get crossed. The following seven components form the operational core of that policy — the parts that determine whether it actually changes behavior or just sits in a shared drive.

Permitted vs. Prohibited Uses

The single most common failure in AI policies is vagueness about which tools employees may actually use. An effective policy names its sanctioned AI tools explicitly and treats everything else as prohibited by default, rather than asking employees to guess where the line sits. Strac.io's 2026 AI Acceptable Use Policy template recommends building this as an allow-list that maps data sensitivity classes to permitted use for each approved tool — so a tool cleared for drafting marketing copy isn't automatically cleared for handling client financial data. That mapping does the real work: it tells employees not just what tools exist, but what each tool is allowed to touch.

Confidentiality Rules for Prompts

Every prompt entered into a public AI tool is a potential disclosure, and policies need to say so in plain terms. Strac.io's model language captures the standard well: no user may input, upload, or disclose client confidential information or firm confidential information into any AI system unless the system is approved as enterprise AI and use is consistent with the policy and any client restrictions. The distinction that matters here is between consumer-grade tools, which may train on submitted data, and enterprise-approved tools that are contractually restricted from doing so. A policy that doesn't separate the two is effectively giving employees permission to leak trade secrets one prompt at a time.

IP Ownership of AI Outputs

Policies also need to address who owns what an AI tool produces, because the default assumption of automatic copyright protection doesn't hold. The U.S. Copyright Office's January 2025 report on AI and copyrightability concludes that work generated entirely by AI is not copyrightable, and that prompting alone — even detailed, iterative prompting — doesn't give a human enough control over the expressive output to change that. A policy should flag this gap rather than let employees assume that everything they generate is automatically protectable company IP.

Third-Party Data Restrictions

Before any AI vendor makes it onto the sanctioned tools list, the contract behind it needs scrutiny. Strac.io's template recommends requiring SOC 2 or ISO 27001 certification, an executed Data Processing Agreement, a specified data residency commitment, and — critically — a contractual promise that the vendor will not train its models on customer or client data. Skipping this step means the confidentiality rules in the policy's second component are unenforceable in practice, since the vendor's own terms of service may permit exactly what the policy prohibits.

Verification and Accuracy Requirements

Generative AI output needs a human check proportional to what's riding on it, and the policy should say that directly rather than leaving verification to individual judgment. ABA Formal Opinion 512, issued July 29, 2024, addresses this exact question for lawyers: it holds that the duty of competence under Model Rule 1.1 requires understanding generative AI's benefits and risks, that the degree of independent verification required scales with the task, and that uncritical reliance on AI output without verification can itself be a competence violation. That opinion binds lawyers, not general employees — but the reasoning transfers cleanly. A policy that asks staff to spot-check a first-draft email is asking for a different level of verification than one asking staff to rely on AI output in a customer-facing financial disclosure, and the policy should name that distinction.

⚠️
ABA Formal Opinion 512 is binding ethics guidance for lawyers under the Model Rules of Professional Conduct — it is not a source of legal obligation for non-lawyer employees. Treat it as a useful analogy for calibrating your own verification standard, not as authority you can cite to justify or excuse a non-lawyer's reliance on unverified AI output.

Employee Supervision and Accountability

A policy without teeth is a suggestion. Strac.io's template ties enforceability to two specific sections: a defined roles-and-responsibilities section that names who signs off on AI use in each business function, and a stated consequences-for-violation section that spells out what happens when someone doesn't. Without both, the policy has no escalation path — nobody knows who to flag a questionable use case to, and nobody expects a real consequence for ignoring the rules. That ambiguity is precisely what makes shadow AI use so persistent in the first place.

Incident Reporting

The policy should define, in advance, what counts as a reportable AI incident — a data leak through an unapproved tool, biased or materially erroneous output that reached a customer, or a compliance failure traceable to AI use — and specify exactly who gets notified and how fast. Companies already have a template for this in their existing data breach response plans, which commonly build in 24-hour reporting windows once an incident is discovered. Extending that same discipline to AI-specific incidents keeps the policy consistent with practices employees are already expected to follow, rather than introducing a separate, unfamiliar reporting regime.

Integrating TRAIGA and EU AI Act Obligations

A well-drafted AI use policy has to do more than set internal ground rules — it has to survive contact with the statutes actually regulating AI deployment where your company operates. Two frameworks matter most for U.S.-based General Counsel right now: the Texas Responsible AI Governance Act (TRAIGA) and the EU AI Act. Neither requires a separate policy document. Both require the policy you already built in the section above to explicitly reference their obligations, because generic "use AI responsibly" language will not satisfy either regulator's documentation expectations.

Texas Responsible AI Governance Act (TRAIGA)

TRAIGA takes effect January 1, 2026, and its reach is broader than its name suggests. Per Norton Rose Fulbright's analysis of the Texas Responsible AI Governance Act, the law applies to any entity that develops or deploys an AI system in Texas, advertises or conducts business in the state, or offers products and services used by Texas residents — meaning ordinary corporate deployers of third-party AI tools are covered, not just AI vendors. TRAIGA defines "AI system" broadly as any machine-based system that infers from inputs how to generate outputs such as content, decisions, predictions, or recommendations, which sweeps in most of the generative AI, scoring, and recommendation tools already embedded in enterprise software.

The statute does not regulate AI use generally; it prohibits specific categories of conduct. Perkins Coie's analysis identifies the prohibited uses as AI intentionally designed to cause harm, engage in criminal activity, infringe constitutional rights, unlawfully discriminate against a protected class, or produce and distribute unlawful sexually explicit content. Enforcement runs exclusively through the Texas Attorney General, who must provide notice and a 60-day cure period before pursuing action — civil penalties then range from $10,000 to $200,000 per violation, with continuing violations assessed at $2,000 to $40,000 per day. Because TRAIGA only became effective this year, no implementing regulations or enforcement guidance have been issued yet, so how aggressively the Attorney General's office will interpret these categories in practice remains an open question your policy should revisit as guidance develops.

TRAIGA also builds in an incentive to formalize governance rather than avoid it. As the American Bar Association notes on TRAIGA's safe harbor provision, companies that substantially comply with a recognized AI risk-management framework — NIST's AI Risk Management Framework is the named example — or that self-discover violations through internal audits or red-team testing gain safe-harbor protection. This is the strongest argument for adopting a documented framework rather than an informal set of practices: the framework itself becomes a legal defense.

The EU AI Act

If your company has EU operations, employees, or offers AI-enabled products or services in the EU market, the AI Act imposes obligations that run parallel to but do not mirror TRAIGA's. Under Article 26, deployers — not developers — of high-risk AI systems must "assign human oversight to natural persons who have the necessary competence, training and authority," monitor the system's operation, and retain logs for at least six months. For employers specifically, Article 26 also requires that companies "inform workers' representatives and the affected workers that they will be subject to the use of the high-risk AI system" before deployment — a notice obligation with no real TRAIGA equivalent, and one that should be built directly into your policy's rollout and consent workflow.

The AI Act's obligations are tiered by risk rather than uniform. Article 5 bans eight specific practices outright — including subliminal manipulation that causes harm, exploitation of vulnerable groups, social scoring, workplace or educational emotion recognition, and untargeted scraping for facial recognition databases — backed by fines up to €35 million or 7% of global annual turnover, whichever is higher. Limited-risk systems, such as customer-facing chatbots, carry a lighter obligation under Article 50: users must be informed they are interacting with AI. That transparency requirement takes effect in August 2026, giving companies a defined runway to update customer-facing disclosures.

⚠️
TRAIGA penalties top out at $200,000 per violation; EU AI Act fines for prohibited practices reach 7% of global turnover. The two regimes are not scaled the same way, and a policy calibrated only to Texas exposure will understate EU risk for any company with EU touchpoints.

Folding Regulatory Obligations Into the Policy

Neither TRAIGA nor the EU AI Act requires rewriting your AI use policy from scratch, and neither should be bolted on as an afterthought. The more durable approach is a dedicated compliance appendix that maps each jurisdiction's triggers — Texas residents as users, EU employees or EU-market products — to specific obligations: prohibited-use categories and safe-harbor documentation for TRAIGA, human-oversight assignments and worker notice for EU Article 26, and transparency disclosures for Article 50 chatbot deployments. That structure lets the appendix expand as more states pass AI statutes without forcing a redraft of the policy's core seven components.

A Draft Policy Outline You Can Adapt

Everything covered so far — the seven core components, the regulatory appendix concept — needs to live somewhere concrete before a policy drafter can act on it. What follows is a structural outline, not finished policy language. It sequences the components discussed in this article into an order a drafter can hand to outside counsel, a compliance team, or a legal ops lead and get a usable first draft back.

This is not a novel structure. Strac.io's 2026 AI Acceptable Use Policy template independently arrives at a nearly identical fifteen-section sequence — purpose, scope, definitions, a sanctioned tools list, data classification, prohibited uses, human oversight, shadow AI discovery, monitoring, incident reporting, training, consequences, roles, review, and acknowledgment. The convergence matters: it suggests this ordering reflects how AI governance problems actually surface in practice, not one vendor's stylistic preference. The outline below consolidates some of those fifteen sections and adds a dedicated regulatory appendix, producing twelve sections that map directly onto the components discussed earlier.

  1. Purpose & Scope — States why the policy exists and who it covers (employees, contractors, vendors with system access).
  2. Definitions — Defines "AI tool," "generative AI," "confidential information," and other terms used throughout so later sections aren't argued over on meaning.
  3. Sanctioned AI Tools List — Names the tools employees are permitted to use, the tools that are explicitly prohibited, and the process for requesting a new tool be added.
  4. Data & Confidentiality Rules — Sets out what categories of information (client data, trade secrets, personal data) can never be entered into a prompt, consistent with the confidentiality component covered earlier.
  5. IP & Ownership of AI Outputs — Assigns ownership of AI-generated work product and addresses the open questions around copyrightability discussed above.
  6. Vendor & Tool Approval Requirements — Describes the intake and vetting process a new AI vendor or tool must pass before it can be added to the sanctioned list.
  7. Human Review & Verification Requirements — Specifies which categories of AI output require human sign-off before use, particularly anything client-facing or filed with a regulator or court.
  8. Supervision & Accountability — Assigns ownership by role, defines escalation paths, and states the consequences for policy violations.
  9. Incident Reporting — Defines what counts as a reportable AI-related incident and who it gets reported to internally.
  10. Regulatory Compliance Appendix — Houses jurisdiction-specific obligations under TRAIGA, the EU AI Act, and any future state or international AI laws, kept separate from the core policy body.
  11. Training & Acknowledgment — Requires employees to complete AI use training and sign an acknowledgment before system access is granted.
  12. Policy Review Cadence — Sets a fixed interval — annually, at minimum — for revisiting the policy as tools and regulations change.

The tenth section is the connective tissue to the regulatory discussion earlier in this piece. IAPP's sample compliance framework for Texas's Responsible AI Governance Act recommends this same isolation strategy — keeping jurisdiction-specific obligations in a standalone appendix rather than threading TRAIGA or EU AI Act requirements through the main policy body. The appendix format means a company operating only in Texas today can add an EU AI Act section later, or a future Colorado or California AI statute, without renegotiating the entire policy internally.

No court decision or statute mandates this exact section order. Adapt the depth and sequence of each section to your company's size, risk profile, and the regulatory footprint of the jurisdictions you operate in.

A twelve-section outline reads as more work than most legal teams have bandwidth for, which is exactly why the next section covers how to roll it out without stalling on perfect language for every clause.

Rollout, Training, and Enforcement

A finished policy document is not a functioning governance program. Superblocks' 2026 guide to AI governance policy identifies rollout as the stage where most AI governance policies stumble in practice — not the drafting stage. The fix is a phased pilot rather than a company-wide launch: test the policy with one heavy-AI-use business unit for two to four weeks, let that group surface friction points (unclear approval workflows, tools that don't fit the approved-tools list, ambiguous guidance on customer data), and revise the policy before it reaches the rest of the company.

Once the pilot has stress-tested the policy, access to AI tools should be gated behind mandatory training and a documented attestation, not just a link to a document in the employee handbook. This is the pattern Colorado used when it rolled out Gemini Advanced across 20 state agencies and roughly 1,700 licenses: employees completed training and signed an attestation before they were granted tool access. That is a public-sector deployment, and the compliance apparatus behind a state government rollout will not map one-to-one onto a 50-person startup — but the underlying mechanism, gating access behind proof of training rather than a passive policy read, is a workable enforcement lever for private companies of any size.

From there, the policy needs a permanent home in onboarding. Every new hire with access to email, code repositories, or customer data should complete AI-use training and sign the attestation in their first week, at the same point they sign confidentiality and IP assignment agreements. Treating it as a one-time rollout event rather than a standing onboarding step is how policies quietly go stale within a year.

Review cadence should be tied to regulatory deadlines rather than an arbitrary calendar date. TRAIGA takes effect January 1, 2026, and the EU AI Act's Article 50 transparency obligations become enforceable in August 2026 — both dates already shape the substantive requirements in this policy, and both should trigger a mandatory review, not just an annual one twelve months after signing. The AI governance committee, or the general counsel's office where no committee exists, should own that review and be accountable for confirming the policy still reflects current law each time one of those milestones passes.

Enforcement is the piece most policies leave vague, and vague enforcement is functionally no enforcement. Strac.io's acceptable-use template pairs its "Consequences for Violation" section directly with the company's existing disciplinary framework rather than inventing a parallel one — a violation of the AI policy should route through the same progressive-discipline process as a violation of the confidentiality policy or the code-of-conduct. What that means in a specific case — whether pasting client data into an unapproved chatbot warrants a warning or termination — depends on the severity of the exposure, the employee's history, and the company's existing at-will and progressive-discipline practices, none of which a generic policy template can settle. That determination should be made with employment counsel before the policy is finalized, not improvised after the first violation occurs.

Rollout sequence: pilot with one team, gate access behind training and attestation, fold it into onboarding, then enforce through the discipline process that already exists — reviewed against the TRAIGA and EU AI Act dates, not just the calendar.
  1. Identify one business unit with heavy day-to-day AI use and run a two-to-four-week pilot of the draft policy before any company-wide announcement.
  2. Build a short mandatory training module and a signed attestation, and make both a prerequisite for AI tool access rather than optional reading.
  3. Add the training and attestation to new-hire onboarding, alongside confidentiality and IP assignment paperwork.
  4. Confirm with employment counsel how AI policy violations will slot into the existing disciplinary framework before you publish the policy, not after the first incident.
  5. Calendar two mandatory review dates now: before January 1, 2026 for TRAIGA and before August 2026 for the EU AI Act's Article 50 transparency obligations.
  6. Name a single accountable owner, the AI governance committee or the general counsel's office, responsible for both reviews and for updating the policy as new state or federal AI statutes take effect.

Need help building or strengthening your company's AI use policy? Promise Legal works with in-house teams on governance frameworks that meet TRAIGA, EU AI Act, and internal compliance requirements.

Start the conversation