OEN NewsYour First AI Policy: 6 Burning Issues for Every Growing Business to Consider Before You Scale

AI is already part of everyday work at growing companies. Employees use it to draft emails, summarize documents, generate marketing copy, assist with coding, and prepare meeting notes. In some organizations, that adoption has happened informally. The tools arrived first, and internal rules are still playing catch-up.

That sequence may create problems. Once employees get used to particular tools and habits, changing course later may require additional training, supervision, or remediation. An AI policy can help address the questions employees already face: which tools they may use, what information they may enter, when manual fact-checking is required, and who remains accountable for the final product.

Companies can address these questions without the need for a lengthy compliance manual. A concise, easy-to-understand policy can establish baseline expectations for employees. That being said, while it may be tempting to treat AI Acceptable Use Policies (AUPs) as policies that can be derived from common sense or pulled from an AI platform itself, these policies impact circumstances that may have legal consequences. Organizations should therefore consult with their legal counsel before adopting a policy to ensure that their AI AUP meets their legal and operational needs. 

Against this framework, here are the burning issues that growing businesses should consider when developing their AI AUP.

1. Limit Business Use to Approved Tools

A useful starting point is to answer a straightforward question: which tools may employees use for company business? Employees may gravitate toward whatever platform is fastest, cheapest, or already open on the screen, which can create legal, operational, and consistency concerns across teams. One employee may be using an enterprise tool with administrative controls and retention settings. Another may be using a free public chatbot. A third may be using a browser extension that no one else at the company even knows exists. It’s important to provide clear guidance on approved tools and acceptable use.

2. Prohibit Entry of Sensitive Information Without Approval

One common function of an AI policy is to define what information should stay out of AI tools, or what approvals are needed before certain information is submitted. The temptation to input information into an AI tool arises in the course of ordinary work. An employee drops a customer email into a chatbot to get help drafting a response. A manager pastes a contract provision into an AI tool to rewrite it. Someone uploads an internal spreadsheet and asks for a summary. That may feel insignificant in the moment, but depending on the tools used, the information involved, the laws that apply, and the applicable contractual obligations, the legal implications can be significant.

Depending on the organization, an effective AI AUP might identify categories of information that employees may and may not enter into AI tools, in which contexts, and when approval is necessary. Those categories can include customer data, employee information, financial records, internal strategy, source code, contract terms, legal advice, and materials subject to confidentiality obligations. Importantly, the legal framework for companies and the tools that are used mean that in this area in particular, AI AUPs will not be “one size fits all.” 

3. Adopt Specific Rules for AI Meeting Assistants, Recordings, and Transcripts

Meeting assistants raise a separate set of issues because they do more than generate text. Once turned on, they can record conversations, create transcripts, extract action items, and generate searchable summaries. In a routine, internal meeting, that may save time. But in a negotiation or a call involving legal advice, the same tool can create a detailed record that the company never intended to make or keep.

Whether in an AI AUP or in a dedicated notetaking policy, companies may want to address this issue expressly. An appropriate policy might address when those tools may be used and when they may not, and should account for state privacy laws. The policy could also address how notice is given to participants, who may access transcripts, where those records are stored, and how long they are kept. Addressing those questions in advance can reduce the chance that sensitive conversations are recorded by default simply because the tool makes recording easy.

4. Set Clear Boundaries for Permissible Uses

The risks associated with AI are not the same across all tasks. Using AI to generate the first draft of marketing copy might not create the same potential risk as using it to screen job candidates, respond to a customer dispute, generate production code, or support a legal or financial conclusion. In those settings, one flawed output could affect hiring decisions, customer relationships, system integrity, or statements the company may later have to defend.

An AI policy should identify categories of use that are permitted, not permitted, or require approval or additional review before AI is used at all. Because some AI uses may implicate additional legal, technical, or operational considerations, companies may need to identify higher-risk use cases and route them for appropriate review. 

5. Address When Employees Should Independently Verify Facts, Accuracy, and Reliability Before Using AI-Generated Output in Consequential Work

AI can produce a draft, summary, or block of code in seconds. For consequential work, companies may want the policy to specify when employees must independently verify that AI-generated output is accurate and reliable for the task at hand. In some circumstances, independent verification may also help identify legal, technical, or business issues before the company relies on the output. That may mean confirming facts, reviewing cited sources, or rereading language for accuracy and tone. 

6. Make Clear That Materials Created in Connection With AI Are Company Materials

An AI policy can address what happens to materials created in connection with the use of AI after they are generated. Prompts, transcripts, summaries, draft language, generated images, and similar materials can accumulate quickly. If employees treat those materials as informal side work, they may store them in personal accounts, scatter them across unapproved tools, or handle them differently from other business records covering the same subject. An AI policy should remind employees that materials created in connection with AI are company materials and should be handled accordingly.

The policy should answer a few practical questions. Where may those materials be stored? How long should they be kept? When should they be deleted? The policy should make clear that employees should understand whether and how the company’s ordinary rules for storage, retention, and deletion apply to AI-related materials.

For growing businesses, a simple policy covering these six issues can provide a strong starting point for managing AI use. Companies that evaluate these issues early may be better positioned to use AI effectively as the business scales.

---

Harlan Mechling is a senior associate in Ballard Spahr’s Litigation Department, where he handles a broad range of commercial litigation matters. Known for his commitment to clients and effective advocacy, Harlan excels in developing litigation strategies and crafting persuasive legal briefs. Active on the firm’s Artificial Intelligence Team, he advises clients on AI-related legal and regulatory challenges across multiple industries.

Priya Vivian is the co-leader of Ballard Spahr’s Labor and Employment Group. Priya is a dedicated employment litigator. Her solutions-oriented practice focuses on advising and representing employers throughout the full employment cycle—from hiring to terminations and beyond—by providing strategic counsel on a wide range of workplace matters, delivering up-to-date training on legal developments, and representing employers in a wide range of matters including employment class actions, single-plaintiff matters, and agency proceedings.

Copyright © 2026 by Ballard Spahr LLP. www.ballardspahr.com (No claim to original U.S. government material.) All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher. This article is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.