An AI use policy is the cheapest, highest-impact piece of AI governance most UK companies can put in place. Here’s how to write one in 2026, cited to official sources. (dgm implements osFoundry as an independent partner. General information, not legal advice.)

What an AI use policy is for

An AI use policy tells your staff, in plain terms, what’s allowed and what isn’t: which tools they can use, what data they may (and may not) enter, and who’s accountable. Its main job is to prevent the common, avoidable mistakes — not to cover every edge case.

A simple structure

Adapt this to your business:

  1. Scope — who and what the policy covers (staff, contractors, which activities).
  2. Approved tools — the AI tools/platforms staff may use, with a clear statement that other tools must not be used for work data.
  3. Data rules — what data may and may not be entered (the key boundary).
  4. Prohibited uses — e.g. solely-automated significant decisions without safeguards, generating misleading content.
  5. Human review — significant or customer-facing AI outputs must be checked by a person.
  6. Accountability — who owns AI use and answers questions.
  7. Review cadence — revisit as tools and rules change.

Keep it short — one to three pages for most SMEs. A policy people read beats a long one they skim.

The single most important rule

For most companies, the one rule that prevents the most incidents is: don’t paste personal, confidential or client data into consumer/public AI tools. Make it prominent — and pair it with an approved tool that keeps data under control, so staff have a compliant alternative rather than just a prohibition.

The UK rules it must reflect

Your policy should reflect:

(The UK has no single AI Act, so these existing rules are what bind you.)

Make it real, not just words

A policy is only as good as its enforcement. The gap between “staff shouldn’t paste client data into ChatGPT” and “staff can’t, because there’s an approved, governed alternative” is the difference between a document and actual protection.

Where osFoundry and dgm fit

dgm helps translate a policy into technical controls: an approved platform that keeps data under control, enforced data boundaries (bring-your-own-key, self-hosting or an EU region so data isn’t sent to consumer tools), audit logging, and human-review steps for significant outputs — on osFoundry. That turns “don’t do X” into “here’s the safe way to do X”. Data control is achieved via self-hosting or an EU region (osFoundry publishes US/EU/JP regions, not a UK one).

dgm is an independent integration partner with zero integrations so far, and not a law firm. The policy itself is owned by your organisation, ideally with legal/HR input. To turn an AI policy into working controls, book a consultation with dgm.