Writing your AI policy is half the job, getting people to follow is the other half most firms skip.


!-- FRIDAY · VAULT DROP —

⬡ Shadow AI & Building Your Policy · Issue 5 of 5 · The Template

Friday · July 10, 2026 · Issue #038

Happy Friday. We close the week where we said we would — with something concrete you can use.

Today you get the one-page AI policy template. Below that, you'll find three things that make AI policies fail after they're published — because writing the policy is only half the job. Getting people to follow it is the other half, and it's the part most firms skip.

One important reminder before you use this: this template is a starting point, not a finished document. Fill in the bracketed sections with your firm's actual information. For regulated industries — healthcare, financial services, legal — have your relevant counsel review the final version before it goes live. This is general governance guidance, not legal advice, and the specific requirements in your industry may call for additional provisions this template doesn't include.

⬡ The One-Page AI Policy Template · Adapt and Use

[FIRM NAME] · AI Acceptable Use Policy

Version [1.0] · Effective [DATE] · Review Date [DATE + 12 months]

PURPOSE

[Firm Name] uses AI tools to improve the quality and efficiency of our work. This policy tells every member of our team what tools are approved, what data can and can't go into those tools, what review is required before AI-assisted work leaves the firm, and what to do when something isn't clear. Following this policy is how we use AI responsibly — for our clients and for ourselves.

SECTION 1 · APPROVED AI TOOLS

The following AI tools are approved for work use, on the specified account tiers:

TOOL APPROVED TIER APPROVED FOR
[Tool Name] [Business/Enterprise Plan] [Specific use cases]
[Tool Name] [Business/Enterprise Plan] [Specific use cases]

Free consumer accounts of any AI tool are not approved for use with any work-related data. Any tool not on this list requires approval from [designated person/role] before use.

SECTION 2 · DATA RULES

Before using an AI tool, determine which category your data falls into:

GREEN — Approved for any approved tool
Internal brainstorming · Editing non-confidential text · General research · Creating templates with no client specifics · Summarizing publicly available information
YELLOW — Approved enterprise tool only + approval from [role] required
Internal business data · Non-client-specific financial projections · Internal strategic documents · [Add your firm's specific yellow-category data]
RED — Never enters any AI tool without explicit written authorization
Client names combined with any other client data · Client financial records · Health information of any kind · Legal matter details · Personnel records · Anything marked confidential · Passwords or credentials · [Add your firm's specific red-category data]

When in doubt, treat data as RED until you've checked with [designated person/role].

SECTION 3 · HUMAN REVIEW REQUIREMENT

The following AI-assisted outputs require human review before leaving the firm. Review must be documented in [CRM / project management system / shared doc] with the reviewer's name and date:

→ All client-facing emails, reports, proposals, and deliverables
→ Any submission to a regulator, court, or official body
→ Any analysis that directly influences a client decision or recommendation
→ [Add your firm's specific output types]

Review means checking the output for accuracy, verifying any facts or citations, and confirming the content is appropriate for the intended audience. The person who reviews is accountable for the content — not the AI tool.

SECTION 4 · WHEN YOU'RE NOT SURE

If a situation arises that this policy doesn't clearly address:

Contact: [Name / Role] via [email / message / phone]
Expected response time: [within one business day]
Default rule if approval can't be reached in time: Do not use AI for that task. Proceed without it until guidance is received.

All team members confirm receipt and understanding of this policy as part of onboarding and at each annual review. This policy will be reviewed and updated at least once per year, or whenever significant changes occur in our AI tool usage or applicable regulations. Questions about this policy go to [designated person/role].

⬡ Three Things That Make AI Policies Fail After They're Published

FAILURE MODE 1 · Publishing without explaining

Dropping a policy document in a shared drive and calling it done produces a policy that doesn't change behavior. The team needs to hear two things from leadership: why this matters specifically to this firm and its clients, and what's different now versus before. A 15-minute all-hands covering those two points increases adoption meaningfully — and costs almost nothing.

The framing that works: "This protects our clients and protects all of us. Here's the specific situation we're preventing." Concrete is better than abstract. If you can use an example from your own firm's audit (without identifying individuals), use it.

FAILURE MODE 2 · Not providing the approved alternative

A policy that says "stop using unapproved tools" without providing approved ones drives usage underground. People need AI tools to do their work effectively. Removing the unauthorized option without replacing it with something better doesn't create compliance — it creates a situation where compliance and productivity feel like opposites. And productivity wins.

The policy launch should be accompanied by access to at least one well-configured approved tool. It doesn't have to be perfect. It has to be available, usable, and demonstrably easier to use than the workaround. This is what Jordan does in the Airia setup context — the governance layer gives people a governed pathway that's easier than the ungoverned alternative.

FAILURE MODE 3 · Not reviewing it when things change

AI tools evolve faster than almost any other technology category right now. A policy written in January that names specific approved tools may be significantly outdated by July — because those tools have updated their data practices, because new tools have emerged that the team wants to use, or because a regulation has changed that affects what's required.

The review cadence that works for most professional services firms: annually scheduled, plus an ad hoc review whenever a new tool becomes available that the team wants to use, or when a regulatory development affects your industry. The annual review doesn't need to be intensive — 30 minutes to check whether the approved tools list is current, whether the data categories still make sense, and whether anything in your regulatory environment has shifted.

⬡ Jordan · AI Solutions Director · thepromptory.com

Free · No account required · No sales call after

F

I've read the whole week. I want to build this policy for our firm — we're a 14-person financial planning practice. But I'm stuck on Section 1. I don't actually know which AI tools are appropriate for our regulatory environment. How do I evaluate that?

J

Good question to get specific on. For a financial planning practice, there are four things I'd check on any tool before adding it to an approved list: does it have a signed Data Processing Agreement available, does it operate under SOC 2 or equivalent certification, what does its data retention policy say for business accounts specifically, and does it explicitly prohibit using your prompts for model training on the paid tier? Every tool in The Promptory vault has been evaluated on those criteria. Want me to walk through which of the tools your team is currently using pass all four? Tell me what you're working with now.

Jordan · thepromptory.com →

Need help evaluating tools for your specific regulatory context? → thepromptory.com

💡 The One Thing — Week 12 Close

The firms that will look back on 2026 as the year they got ahead of AI governance are the ones who wrote the policy this month. Not a perfect policy. A real one.

We started Monday by naming shadow AI honestly — what it is, why it happens, and why banning tools doesn't solve it. Tuesday we traced how an incident actually unfolds. Wednesday we gave you the audit that tells you where your firm stands. Thursday was the framework. Today was the template.

The whole series took five issues because the problem and the solution both deserved honest treatment — not a one-paragraph fix or a fear-based framing. Shadow AI is a solvable problem. An AI policy is a manageable document. The gap between where most firms are and where they need to be is smaller than it looks.

Have a good weekend. And if you want Jordan to help you evaluate your current tool stack against the four criteria mentioned in today's conversation — that's exactly the kind of thing a ten-minute Jordan session is built for.

📬 Next Week · Issue #039

Week 13 shifts to the question coming up more and more in enterprise sales conversations: "What's your AI policy?" — and how having a good answer to that question is becoming a competitive differentiator, not just a compliance requirement. Plus: the five-question AI governance checklist enterprise clients are increasingly adding to vendor assessments.

Ready to get your stack and policy in order? Jordan is the starting conversation → thepromptory.com

The Promptory Daily

Stay ahead of AI .Curated AI news, tool spotlights, tips & real-world use cases — delivered every weekday morning in 5 minutes or less.

Read more from The Promptory Daily

⬡ Shadow AI & Building Your Policy · Issue 4 of 5 Thursday · July 9, 2026 · Issue #038 Today we start building. Before I get into the framework, one thing I want to be clear about: an AI policy is not a legal document. It doesn't need to be reviewed by a lawyer before it exists. It needs to be reviewed by a lawyer before it becomes binding on employees or clients in high-stakes ways — but the version you write this week is a governance starting point, not a legal instrument. Treat it that way...

⬡ Shadow AI & Building Your Policy · Issue 3 of 5 Wednesday · July 8, 2026 · Issue #038 Before you can write a policy, you need to know what you're governing. Most firms that decide to address AI governance skip straight to the policy document — and end up writing rules around tools they think their team uses, for workflows they assume are the risky ones, based on data they've never actually collected. The policy looks fine on paper. It governs a business that doesn't quite exist. Today's...

⬡ Shadow AI & Building Your Policy · Issue 2 of 5 Tuesday · July 7, 2026 · Issue #038 Let me tell you how a shadow AI incident actually starts. Not the dramatic version. The real one. It starts with someone doing something completely reasonable on a Tuesday afternoon. ⬡ How It Starts · A Composite Scenario Note: The following is a composite scenario drawn from publicly reported incident patterns, not a single documented case. The details are illustrative of how shadow AI incidents typically...