As staff start using AI tools — often unsanctioned — an AI usage policy becomes essential to protect data, IP and compliance. Here’s how to write one that’s actually followed. (dgm implements osFoundry, a separate company’s platform — dgm is an independent integration partner, not osFoundry, and not a law firm. General information, not legal advice.)

Why you need one

Without a policy, staff may paste personal, financial or confidential data into external AI tools the organisation does not control — a real and growing exposure risk, since such data may be retained or used for training by the tool provider. A policy sets clear boundaries and points staff to safe options.

Core sections

  1. Approved tools — which AI tools are sanctioned (and which aren’t).
  2. Data rules — what data may and may not be entered (especially personal/confidential).
  3. Prohibited uses — clearly listed.
  4. Human review — AI output must be reviewed, especially in regulated work.
  5. Accountability — who owns outcomes.

Reference DPDP (India’s Digital Personal Data Protection Act) obligations and confidentiality duties throughout.

Make it enforceable

  • Keep it practical, not a long document no one reads.
  • Pair it with training.
  • Offer a sanctioned alternative — a policy that only prohibits, without providing an approved tool for what staff want AI for, gets ignored.

The “approved option must be convenient” principle

The most effective control is making the approved, controlled tool the easy one to use — so staff don’t reach for risky external tools (see deploying AI securely).

How dgm helps

dgm deploys controlled, self-hostable AI on osFoundry that staff can use safely — making the approved option the convenient one. We don’t write your legal policy (use counsel for that), but we make it practical to follow. Pricing: $399 assessment, $3,999/month (INR approximate; 18% GST domestic).

General information, not legal advice. Have qualified counsel review your policy.