AEGIS · AEGIS Policy Core
Artifact 1.1
AI Acceptable Use Policy
The single source of truth for how the organization uses AI. Written to be acknowledged by every employee, enforceable by managers, and auditable by regulators.
- Client: [CLIENT NAME]
- Engagement: [ENGAGEMENT ID]
- Version: v1.0
- Issued: 2026-05-18
Delivered by TechFides under the AEGIS Governance Operating Services engagement. This document is proprietary to the client named above. Redistribution beyond the engagement steering committee requires written consent.
Purpose & Authority
Intent — Establish the authority of this policy, define its scope, and make clear that acknowledgment is a condition of employment and contractor engagement.
This policy governs the use of artificial intelligence tools, models, and agents by all employees, contractors, and consultants of [CLIENT NAME] ("the Organization"). It is issued under the authority of the AI Governance Council ("the Council"), ratified by the Executive Sponsor, and enforced by line management. Violations may result in disciplinary action up to and including termination.
This policy supersedes any informal practice, team norm, or prior guidance on AI use. Where this policy conflicts with a contractually-binding customer or regulatory requirement, the more restrictive rule applies.
Scope
This policy applies to every AI system used on behalf of the Organization, including (a) third-party SaaS AI tools, (b) foundation-model APIs integrated into internal software, (c) AI-enabled features built into other products the Organization licenses, and (d) AI agents that act autonomously on behalf of an employee, contractor, or the Organization.
Acknowledgment
All personnel must acknowledge this policy at onboarding and at each annual refresh. Acknowledgment is tracked by HR and is a condition of continued access to production systems. New-hire onboarding will include a 20-minute live briefing on this policy chaired by the AI Governance Lead.
Foundational Principles
Intent — The five non-negotiable principles that govern every AI decision. Everything else in this policy is a specific expression of one of these.
1. Human Accountability
Every output produced with AI has a human owner. AI is a tool, not an actor. No decision with material consequence is made by AI alone — a named human is always accountable.
2. Data Minimization
No AI tool receives more data than the task requires. Prompts are written to the narrowest scope. Data not needed for the task is not sent.
3. Disclosed Use
When AI is used in a deliverable or decision that affects a customer, employee, or partner, that use is disclosed. Clients are told when AI is used on their work. Employees are told when AI is used in decisions about them.
4. Auditable Operation
Every AI system operates in a way that leaves evidence: what model, what prompt, what output, which user, what time. Evidence is retained per the data retention schedule and produced on request.
5. Reversible by Default
AI-generated outputs in production can be turned off, corrected, or rolled back. No AI feature ships without a kill switch, an owner, and a defined rollback procedure.
Data Handling by Classification
Intent — The hard rule that governs what data is allowed in which AI tools. This is the line auditors and regulators will draw first.
P0 · Regulated / Restricted
Examples — PHI, full PII, payment data, client-privileged material, trade secrets, source code containing proprietary algorithms.
Rule: Prohibited in any AI tool except those explicitly approved by CISO with a signed Vendor Risk Assessment and zero-retention settings verified.
P1 · Confidential
Examples — Non-public financials, internal strategy, client names and engagement details, personnel records, vendor contracts.
Rule: Only in approved enterprise tenants with documented retention controls. Never in consumer or personal-account tools.
P2 · Internal
Examples — Internal docs without client identifiers, non-confidential planning material, general operational notes.
Rule: Permitted in approved enterprise tenants. Avoid in consumer tools unless the content is intended for public release.
P3 · Public
Examples — Material already published, publicly available research, marketing copy intended for external release.
Rule: No restrictions beyond normal usage policies.
Permitted, Conditional, and Prohibited Uses
Intent — The practical table every manager will point to when answering 'can I use AI for this?'
Public, Non-Sensitive Work
Permitted
- Drafting internal memos, agendas, and meeting summaries from non-classified notes.
- Producing first drafts of public-facing marketing copy, job descriptions, and external blog posts.
- Generating slide outlines, diagrams, and images from prompts that contain no client or personnel data.
Conditional
- Research summaries where the prompt includes general industry context but no named client data.
Prohibited
- None.
Client & Engagement Work
Permitted
- Using approved, contractually-reviewed AI tools on client material where the client has signed the AI addendum.
- Summarizing meeting transcripts inside the approved workspace tenant bound by the client agreement.
Conditional
- Using AI on client material when the contract is silent — requires written approval from the engagement lead and General Counsel before the first use.
- Fine-tuning, embedding, or storing client material in a vector database — requires an approved Vendor Risk Assessment and client notification.
Prohibited
- Pasting client-confidential, personal, or regulated data into any AI tool not on the approved list.
- Using a consumer AI tool (free tier, personal account) for any client work, under any circumstance.
Code & Engineering
Permitted
- Using approved AI coding assistants inside the company-managed IDE, with telemetry and license compliance enabled.
- Generating code scaffolding, refactors, and unit tests for internal tooling where no proprietary algorithm is exposed.
Conditional
- Submitting code that contains proprietary business logic or trade secrets to any AI tool — requires CTO approval and the use of an enterprise tenant with zero-retention settings verified in writing.
Prohibited
- Committing AI-generated code without human review, test coverage, and an attribution note in the commit message.
- Using AI to generate cryptographic, security, or authentication code without a human security reviewer.
HR, Finance & Legal
Permitted
- Using AI to summarize public regulatory filings, case law, and general guidance.
- Drafting internal communications from outlines approved by the function lead.
Conditional
- Applying AI to hiring workflows (resume screening, interview scoring) — requires a completed bias assessment, HR sign-off, and annual audit.
Prohibited
- Using AI to generate final legal opinions, employment decisions, or financial filings without a qualified human reviewer of record.
- Entering salary, benefits, health, or performance-review data into any AI tool without explicit HR and Legal approval.
Customer-Facing AI
Permitted
- Deploying AI features that have passed the pre-launch governance checklist, including a disclosure and escalation path.
Conditional
- Piloting customer-facing AI in a limited cohort — requires written scope, success criteria, opt-out path, and a kill switch owner named on record.
Prohibited
- Shipping any customer-facing AI feature without disclosure to the customer that AI is being used.
- Using AI to generate regulated communications (medical, financial advice, legal guidance) without a licensed human review step and disclaimers reviewed by counsel.
Approved Tools & Access
Intent — The concrete list of what is in bounds today. This section is revised quarterly by the Council; the dated revision below governs until superseded.
Approved Enterprise AI Tools
The following tools are approved for use subject to the data classification rules in §3. This list is dated and is revised by Council decision; any tool not on this list is not approved, regardless of individual preference or vendor marketing.
| Tool | Tier / Tenant | Max Class | VRA On File |
|---|---|---|---|
| [TOOL 1] | [ENTERPRISE / TENANT] | [P0/P1/P2/P3] | [YES + DATE] |
| [TOOL 2] | [ENTERPRISE / TENANT] | [P0/P1/P2/P3] | [YES + DATE] |
| [TOOL 3] | [ENTERPRISE / TENANT] | [P0/P1/P2/P3] | [YES + DATE] |
| [TOOL 4] | [ENTERPRISE / TENANT] | [P0/P1/P2/P3] | [YES + DATE] |
| [TOOL 5] | [ENTERPRISE / TENANT] | [P0/P1/P2/P3] | [YES + DATE] |
Requesting a New Tool
Employees may propose adding a tool to the approved list by submitting a request to the AI Governance Lead. The request must include the intended use case, data classification, business case, and a contact for the vendor. The Council will respond within 10 business days with an approval, a request for additional information, or a formal decline.
Roles & Responsibilities
Intent — Make enforcement concrete. Every employee knows who to ask, who decides, and who is accountable.
- Every Employee / Contractor: Read and acknowledge this policy. Classify the data in any prompt before sending. Escalate ambiguity to your manager. Report suspected violations to the AI Governance Lead.
- Line Managers: Ensure acknowledgment for your team. Approve routine use cases within your function. Escalate conditional uses to the AI Governance Lead. Enforce the policy in practice — including when it is inconvenient.
- AI Governance Lead: Maintain this policy. Operate the exception process. Chair Council reviews. Own the approved tools list and the revision schedule.
- General Counsel: Review the policy annually for regulatory and contractual alignment. Sign off on conditional use cases involving legal, privileged, or regulated material.
- CISO: Own the data classification rules, the Vendor Risk Assessment process, and the security review of any tool on the approved list.
- Executive Sponsor: Ratify policy changes on the Council's recommendation. Escalate to the board when material exceptions, incidents, or tradeoffs require a board-level decision.
Exceptions & Violations
Intent — Every policy is tested on its exceptions. Make the exception process real — and make the violation consequence real too.
Exception Process
Any use that falls in the Conditional column of §4, or that requires deviation from this policy for a specific engagement, is an exception. Exceptions require (1) a written request stating the use case, data involved, and duration; (2) approval from the relevant function lead; (3) approval from the AI Governance Lead; (4) a record in the Exception Log. Standing exceptions are reviewed at every Council meeting and expire if not re-ratified quarterly.
Violations
Violations are handled proportionately. First-time, good-faith errors are addressed with coaching and a documented note. Repeated violations, willful violations, or violations resulting in data exposure trigger the incident response process (artifact 2.3) and may result in access revocation, formal discipline, or termination. Violations that involve client data are also reviewed against the client's contractual notification obligations.
Review & Revision
Intent — Policies decay if not revisited. Commit to the cadence up front so decay is visible when it happens.
This policy is reviewed quarterly by the AI Governance Council. A full revision is issued annually. Out-of-cycle revisions are issued when (a) a regulatory change requires it, (b) a material incident exposes a gap, or (c) the Council determines a principle requires clarification. All revisions are version-controlled; the current version and effective date are recorded on the cover page of this document.
Effective Date
[DATE]
Next Scheduled Review
[DATE (QUARTERLY)]
Acknowledgment
Intent — The legal signal that an employee has read, understood, and agrees to be bound by this policy. Collected at onboarding and at each annual refresh.
I acknowledge that I have read and understood the AI Acceptable Use Policy. I understand that compliance with this policy is a condition of my continued employment or engagement. I agree to escalate any ambiguity to my manager or the AI Governance Lead before acting. I understand that violations may result in disciplinary action, access revocation, or termination.
Name
[FULL NAME]
Signature
[SIGNED]
Date
[DATE]