Artificial Intelligence Application & Use Policy (Template)
This document is a TEMPLATE designed for adoption by organizations that wish to implement either a Permit All Not Denied (PAND) or Deny All Not Permitted (DANP) approach to Artificial Intelligence (AI).

Conditional sections are intentionally included. Adopting organizations MUST select, retain, and complete the appropriate sections and remove those that do not apply.
1. Purpose
To define acceptable uses of Artificial Intelligence (AI) within the organization and to address impacts on security, privacy, compliance, risk management, and accountability.
2. Scope
This policy applies to all employees, contractors, consultants, temporary staff, and third parties who access or use organizational systems, data, or AI tools on behalf of the organization, unless otherwise excluded by contract.
3. Terms and Definitions
Term	Definition
Artificial Intelligence (AI)	Computer systems capable of performing tasks that typically require human intelligence.
Artificial General Intelligence (AGI)	A hypothetical form of AI with human‑level cognitive abilities across domains. AGI does not currently exist.
Generative AI (GenAI)	AI systems capable of generating text, code, images, audio, or other content.
Large Language Model (LLM)	A subset of GenAI focused on understanding and generating human language.
Confidential, Proprietary, or Private Information (CPPI)	Sensitive, regulated, proprietary, or non‑public information.
Authorized AI	AI tools explicitly approved by the organization’s designated governance function.
Unauthorized AI	AI tools explicitly prohibited by the organization.
Permit All Not Denied (PAND)	AI tools are permitted by default unless explicitly prohibited.
Deny All Not Permitted (DANP)	AI tools are prohibited by default unless explicitly authorized.
4. Governance and Oversight
The organization SHALL designate an appropriate governance function (e.g., IT, Security, Risk, Compliance, or a cross‑functional committee) responsible for AI oversight, including tool authorization, exception handling, and incident management.
5. Policy Model Selection (REQUIRED)
Adopting organizations MUST select ONE of the following policy models and remove the other prior to publication.
Option A	Permit All Not Denied (PAND)
Description	AI tools that are neither explicitly authorized nor explicitly prohibited MAY be used, provided they are not used to process CPPI and otherwise comply with this policy.

Option B	Deny All Not Permitted (DANP)
Description	ONLY AI tools explicitly listed as Authorized AI MAY be used. All others are prohibited unless a formal exception is approved.
6. General Usage Requirements
•	Users SHOULD prefer Internal AI tools over External AI tools when available.
•	Users MUST review, verify, and validate AI output before use.
•	AI is not a substitute for human judgment or accountability.
•	AI output may be incorrect, incomplete, outdated, or misleading.
•	Information submitted to AI tools may be retained or exposed beyond organizational control.
7. Data Protection and CPPI Handling
•	CPPI MUST NOT be submitted to any AI tool unless explicitly approved and marked Safe for CPPI.
•	De‑identified or synthetic data may only be used if it cannot reasonably be re‑identified and is approved by governance.
•	Examples of CPPI include business data, regulated personal data, credentials, and images of identifiable individuals.
8. Attribution and Transparency
Users MUST disclose the use of AI when it materially contributes to a work product. Suggested language:
"Portions of this document or artifact were generated, evaluated, or augmented using an AI tool."
9. Information Technology and Development Usage
•	AI‑generated code MUST NOT be integrated into production systems unless the AI tool used to generate it is authorized.
•	AI‑assisted code MUST be clearly annotated with the tool name.
•	Unauthorized AI tools MUST NOT be integrated via APIs or automation without an approved exception.
10. Authorized AI Tools (Template)
[Insert Authorized AI table here or reference an externally maintained registry]
11. Unauthorized AI Tools (Template)
[Insert Unauthorized AI table here or reference an externally maintained registry]
12. Incident Reporting
Any suspected misuse of AI, inadvertent disclosure of CPPI, or malicious AI activity MUST be reported using the organization’s established incident reporting process.
13. Review and Maintenance
This policy template SHOULD be reviewed periodically and updated to reflect changes in technology, regulation, and organizational risk tolerance.
