An AI Use Policy Template for BC Businesses - North Star IT Insights

An AI Use Policy Template for BC Businesses

AI tools are in your business whether IT approved them or not. Here's why you need a policy and what it should say.

Why bother with a policy

Three reasons: data goes places you don't expect, decisions get made with tools you don't audit, and the people accountable for outputs may not have approved the inputs. A policy gives you something to point to when something goes wrong.

Scope: which AI tools are covered

Define what's in scope. Public chatbots (ChatGPT, Claude, Gemini). Embedded AI in tools you already use (Copilot in M365, AI features in CRM). Custom AI you build or commission. All three need treatment, with different rules.

Data classes and what you can share

Public info: anything you'd put on the website. Internal: not public but not sensitive. Confidential: customer data, financials, IP. Restricted: regulated data (health, legal privilege, trade secrets). Define what classes can be input into which tool.

Human-in-the-loop where it matters

AI can suggest. Humans approve. Codify this for the categories where it matters: customer-facing communication, financial transactions, hiring decisions, legal positions, medical advice. Require human review in those categories, with an audit trail showing who reviewed what and when.

Vendor due diligence

Before adopting a paid AI tool, document: data handling, training data policy, retention, breach notification, and SOC 2 status. Most consumer AI tools are not suitable for confidential data. Most enterprise AI tools are.

Output verification

AI hallucinates. Outputs that affect customers or compliance need a verification step. Define what that step looks like, who owns it, and how it's recorded.

Training and awareness

Annual training is not enough. Provide short, role-specific guidance whenever a new tool is rolled out, an anonymous channel for reporting misuse or surprises, and a quarterly review of the incidents reported.

Template starting points

Section 1: Purpose and scope. Section 2: Definitions. Section 3: Approved tools list. Section 4: Data class matrix. Section 5: Required human review. Section 6: Vendor due diligence. Section 7: Incident reporting. Section 8: Review cadence. Most BC businesses can have a useful policy in a week of focused work.