💼 Monday Business

Building an AI Usage Policy Your Team Will Actually Follow

Most AI policies fail because they’re written by people who don’t use AI for people who do. Here’s how to build one that works.


The Policy Problem

Every organization right now is in one of three places with AI:

  1. No policy. People are using AI tools however they want, with no guardrails and no consistency. Some are pasting confidential data into consumer tools. Others are avoiding AI entirely because they’re afraid of getting in trouble.
  2. A policy so restrictive that nobody follows it. “AI tools are prohibited for all work-related purposes.” Meanwhile, half the team is using ChatGPT on their phones during meetings.
  3. A practical policy that people actually follow. This is the goal. Most organizations aren’t here yet.

If your organization is in category one or two, you have a problem. And as a PM, you’re well-positioned to help solve it.

I’ve been thinking about this through the lens of my GDPR compliance experience at Microsoft. In 2018-2019, I was managing GDPR compliance across Windows, Internet Explorer, and other teams. We had to build policy around a new set of requirements that affected how every team handled data. The parallels to AI policy are striking: new technology capabilities, unclear boundaries, real risk if you get it wrong, and a workforce that needs practical guidance rather than legal documents they’ll never read.


Why PMs Should Care About AI Policy

In my “PM Who Uses AI Daily” post, I wrote: “Follow your company’s policy for what can and can’t be shared with AI.”

That’s solid advice. But it assumes your company has a policy. And that the policy is practical enough to actually follow.

Many PMs are hitting one of two walls:

  • “We don’t have an AI policy yet.” So you’re making judgment calls on your own, with no organizational guidance and no air cover if something goes wrong.
  • “Our AI policy says don’t use it.” But AI saves you hours every week, so you’re either ignoring the policy or losing productivity that your peers at other companies aren’t.

Neither situation is good. And PMs have exactly the right skill set to fix it.

Think about it: stakeholder management, risk assessment, policy creation, facilitating conversations between groups with different priorities. That’s what building an AI usage policy requires. And that’s what project managers do every day.


What I Learned From GDPR That Applies to AI

When I was managing GDPR compliance at Microsoft, I saw three patterns that apply directly to AI policy:

1. Policy written without practitioners fails. The first drafts of GDPR compliance procedures were written by legal teams who understood the regulation but not the day-to-day work. The result was guidance that was technically correct but practically impossible to follow. We had to bring in the people doing the work to create processes that actually functioned.

2. Classification systems work. GDPR introduced data classification tiers that told teams exactly how to handle different types of information. Instead of “be careful with data” (vague), teams got “this type of data requires these specific protections” (actionable). The same approach works for AI.

3. Policy needs regular updates. GDPR compliance wasn’t a one-time project. Interpretations changed, new guidance emerged, and teams found edge cases that the original policy didn’t cover. We built in regular review cycles. AI policy needs the same cadence—arguably faster—because the tools are evolving rapidly.


The Green-Yellow-Red Framework

The most practical AI usage policy I’ve seen uses a traffic light classification system. It’s simple, memorable, and gives people clear guidance without requiring them to read a 30-page document.

Table 1 - AI Usage Classification Framework

Classification: Green - Go Ahead
Meaning: Safe to use AI freely for these tasks
Examples: Brainstorming ideas, drafting non-sensitive emails, summarizing public information, generating meeting agenda templates, learning a new concept
Action Required: None - use your judgment

Classification: Yellow - Ask First
Meaning: May be appropriate, but check before proceeding
Examples: Drafting internal documents with project names, summarizing meeting notes that mention team members, analyzing non-confidential but internal data, using AI with vendor or partner information
Action Required: Get manager or IT approval; anonymize when possible

Classification: Red - Never
Meaning: Do not use AI for these tasks under any circumstances
Examples: Client confidential data, employee HR information, financial data (budgets, revenue, pricing), strategic plans and M&A activity, passwords or access credentials, legally privileged information
Action Required: Prohibited - no exceptions

How to Use This Framework

Green tasks are low-risk. If the information is something you’d share publicly or discuss openly at a conference, it’s green. Most brainstorming, learning, and template generation falls here.

Yellow tasks are where judgment matters. The information isn’t confidential, but it’s internal. A good rule of thumb: if you’d be uncomfortable seeing it on a competitor’s desk, it’s at least yellow. Anonymize what you can. Use enterprise AI tools with proper data agreements when available. Ask your manager or IT if you’re unsure.

Red tasks are non-negotiable. It doesn’t matter how convenient AI would be. It doesn’t matter that you “just need a quick summary.” Confidential data stays out of AI tools. Period. This includes consumer AI tools AND enterprise tools unless your organization has specifically approved them for that data classification.


Building Your Policy: A Practical Guide

Here’s how to create an AI usage policy that people will actually follow.

Step 1: Start With What People Are Already Doing

Before writing policy, find out how your team is already using AI. You’ll probably be surprised. Some people are using it daily. Others haven’t tried it. A few are doing things that would make your IT security team uncomfortable.

Ask these questions:

  • What AI tools are you using? (Include consumer and enterprise tools)
  • What tasks are you using them for?
  • What data are you putting into them?
  • What concerns do you have?

This isn’t an audit. It’s research. You need to understand the current state before you can design the future state.

Step 2: Classify Your Data

Work with IT and legal to classify the types of data your team handles. This is the foundation of the Green-Yellow-Red framework. For each data type, determine:

  • Can it go into consumer AI tools? (e.g., ChatGPT, Claude free tier)
  • Can it go into enterprise AI tools? (e.g., M365 Copilot, Azure OpenAI)
  • Should it stay out of AI entirely?

If your organization already has a data classification system (many do for compliance reasons), use it. Don’t create a parallel system. Map AI usage to the existing classifications.

Step 3: Write One Page, Not Thirty

The most effective AI policies I’ve seen fit on a single page. They include:

  1. Purpose: Why this policy exists (one sentence)
  2. Scope: Who it applies to and which tools it covers
  3. The classification table: Green, Yellow, Red with examples relevant to your team
  4. The gray area process: What to do when you’re not sure (who to ask, how quickly they’ll respond)
  5. Review date: When the policy will be updated

That’s it. Supporting documentation, tool-specific guidance, and detailed examples can live in appendices or a wiki. But the core policy should be short enough that people actually read it.

Step 4: Address the Gray Area

This is where most policies fail. They cover the obvious cases but leave people stranded when something doesn’t fit neatly into Green, Yellow, or Red.

Build a simple decision process:

  1. If you’re not sure, assume it’s Yellow
  2. Ask your manager or designated AI policy contact
  3. Expect an answer within one business day (not two weeks)
  4. If the answer is “I don’t know either,” escalate to IT/legal

Fast response times matter. If people have to wait a week for an answer, they’ll stop asking and start guessing. That’s worse than having no policy at all.

Step 5: Set a Review Cadence

AI tools and capabilities change fast. A policy written in January 2025 may not address tools that exist in July 2025. Set a quarterly review cycle at minimum.

At each review:

  • Are there new tools people want to use?
  • Have any Yellow items proven safe enough to move to Green?
  • Have any incidents or near-misses revealed gaps?
  • Has the organization adopted new enterprise AI tools that change the landscape?

Five Common Mistakes

1. Writing Policy in a Vacuum

If legal and IT write an AI policy without talking to the people who actually use AI, the policy will be impractical. It’ll either prohibit things that are clearly safe or fail to address the actual risks people encounter.

Fix: Include practitioners in the drafting process. At minimum, survey the teams who use AI and incorporate their input.

2. Making It Too Long

A 30-page AI policy is a policy nobody reads. I’ve seen organizations produce comprehensive AI governance documents that sit unread on SharePoint while employees make up their own rules.

Fix: One-page core policy. Supporting documentation in appendices. If someone can’t understand the basics in two minutes, it’s too complicated.

3. Not Providing Examples

“Use good judgment with AI tools” is not a policy. People need concrete scenarios: “You can use AI to draft a meeting agenda. You cannot paste customer names into ChatGPT.” Specific examples remove ambiguity.

Fix: Include 3-5 concrete examples for each classification level, using scenarios your team actually encounters.

4. Not Updating It

A 2023 AI policy doesn’t account for tools and capabilities that exist in 2026. The field is moving too fast for static policies.

Fix: Quarterly reviews. Assign an owner. Put the review on the calendar.

5. Banning Everything

This is the most common mistake, and the most counterproductive. When organizations ban all AI use, people don’t stop using AI. They use it secretly, with no guardrails and no guidance. That’s far more dangerous than a well-managed policy that allows appropriate use.

Fix: Start with what’s safe (Green), be clear about what’s not (Red), and provide a path for everything in between (Yellow).


The PM’s Role

You don’t have to be the CISO or the VP of IT to make this happen. As a PM, you can:

Champion practical policy within your team. Even if your organization doesn’t have a formal AI policy yet, you can establish guidelines for your project team. Document what’s allowed, what’s not, and who to ask when it’s unclear.

Document your own AI usage as a model. In my “PM Who Uses AI Daily” post, I shared exactly how I use AI and where I draw lines. That transparency gives others a framework to follow. Be the example.

Bring stakeholder management skills to the table. AI policy requires balancing the concerns of legal (risk), IT (security), leadership (efficiency), and end users (productivity). That’s stakeholder management. PMs do this every day.

Facilitate the conversations. Legal wants to minimize liability. IT wants to control access. End users want tools that make them productive. These groups rarely talk to each other about AI in a structured way. A PM can facilitate that conversation, find the common ground, and turn it into actionable policy.


Getting Started

You don’t need executive sponsorship to start. Here’s what you can do this week:

Day 1: Document your own usage. Write down every AI tool you use, what you use it for, and what data goes into it. Be honest. This becomes your personal Green-Yellow-Red list.

Day 2: Talk to your team. Have a 15-minute conversation about AI usage. Ask what tools people are using, what concerns they have, and what guidance they wish they had. You’ll learn more in that conversation than in any policy document.

Day 3: Draft a one-page team policy. Using the Green-Yellow-Red framework and what you learned from your team, create a simple, one-page policy for your project team. Include specific examples relevant to your work.

Day 4: Share it. Send the draft to your team and your manager. Ask for feedback. Iterate.

Day 5: Put a review date on the calendar. Set a 90-day reminder to review and update. AI is moving fast. Your policy should keep pace.

If your organization creates a formal AI policy later, great. Your team’s work becomes input into that process. If they don’t, at least your team has clear, practical guidance.


The Bottom Line

AI policy isn’t about control. It’s about clarity.

People want to do the right thing. They want to use AI productively without putting their organization at risk. What they need is practical guidance that tells them: this is safe, this isn’t, and here’s who to ask when you’re not sure.

The organizations that get this right will have teams using AI effectively and safely. The organizations that get this wrong—either by banning everything or by having no policy at all—will have teams using AI anyway, just without guardrails.

As a PM, you have the skills to build the policy that works. Stakeholder management, risk assessment, facilitation, documentation—these are PM skills. Use them.

Don’t wait for someone else to figure this out. Start with your team. Start with one page. Start this week.



Good policy doesn’t restrict people—it empowers them. The best AI usage policy isn’t the one that covers every possible scenario. It’s the one that’s clear enough, short enough, and practical enough that people actually follow it.