6.6 — Setting Team AI Norms

What You'll Learn

AI is already in your workplace, whether you have a policy about it or not. Your team members are using ChatGPT, Claude, Copilot, and other tools — some of them well, some of them in ways that carry real risk. Without clear norms, you get inconsistent quality, potential data breaches, and confusion about what's acceptable.

This lesson will help you build a sensible AI use policy for your team: what to include, how to have the conversation, and what boundaries to set.


Why You Need a Policy

You might think: "We're a small team, we're flexible, we don't need a policy for everything." But an AI policy isn't bureaucracy for its own sake — it's protection for your team and your organisation.

Here's what goes wrong without one:

  • Data leaks. A team member pastes confidential client data into a public AI tool. It's now potentially part of a training dataset, or at least outside your control.
  • Quality inconsistency. Half the team uses AI for first drafts without reviewing them; the other half doesn't use it at all. External communications vary wildly.
  • Legal exposure. AI-generated content used in legally sensitive documents (contracts, regulatory submissions, medical advice) without review creates liability.
  • Copyright and IP risk. AI-generated content may reproduce copyrighted material. Using it without understanding this creates risk.
  • Trust issues. Team members who use AI feel they have to hide it. That's a bad culture.

A clear policy solves all of this — not by restricting AI use, but by framing it constructively.


What to Include in a Team AI Policy

A good AI use policy doesn't need to be long. One to two pages is enough. Here's what to cover:

1. Approved Tools

Which AI tools are approved for work use? This matters because different tools have different data privacy terms.

  • Tools with enterprise agreements (Microsoft Copilot in M365, Google Workspace with Gemini) typically offer stronger data protections
  • Consumer tools (free ChatGPT, Claude.ai free tier) may use your conversations to train future models unless you opt out or use an enterprise plan

Name the approved tools, the use cases each one is approved for, and the tools that are not permitted.

2. What's Off-Limits to Share

Make an explicit list of information that should never be pasted into an AI tool. At minimum:

  • Full names combined with personal identifiers (personal data under GDPR or similar)
  • Client names combined with confidential project details
  • Unpublished financial data, forecasts, or earnings information
  • Passwords, API keys, or authentication credentials
  • Proprietary code or trade secrets
  • Anything covered by an NDA

The rule of thumb: if you wouldn't email this information to a stranger, don't paste it into an AI.

3. Review Requirements

State clearly that AI-generated content must be reviewed by a human before use. For certain categories (legal documents, financial reporting, customer-facing communications), require sign-off from a named person.

4. Transparency

When should team members disclose AI use? Some organisations require it for external documents; others don't. Make your position clear. There's no universally right answer, but silence creates awkward situations.

5. Quality Standards

AI output is a first draft, not a finished product. Your policy should make clear that the person who sends or publishes something is responsible for its quality, regardless of whether AI helped create it.

Key takeaway: A good AI policy enables your team to use AI confidently, not fearfully. It's a permission structure as much as a restriction.


Examples from Real Companies

Several organisations have made their AI policies public, which gives useful reference points.

Shopify issued guidance encouraging employees to experiment with AI while being clear that no customer data should be shared with external AI services without approval. They treat AI literacy as a required professional skill.

JP Morgan initially blocked ChatGPT while building an internal, secure AI environment — prioritising data protection over speed of adoption. They've since built proprietary AI tools with robust data controls.

Duolingo publicly discussed using AI for content generation with human review — and was transparent about this in communications, which they found customers responded to positively.

The BBC issued detailed editorial guidelines covering when AI can and can't be used in journalism — distinguishing between research assistance (permitted) and content generation for publication (restricted, requires disclosure).

Common threads in the best policies: they're permissive by default (trust employees), specific about data (clear red lines), and practical (focus on real risks rather than theoretical ones).


How to Have the Conversation With Your Team

A policy handed down without discussion gets ignored. A policy built with input gets followed.

A simple approach:

  1. Start with a team conversation, not a document. Ask: "Who's already using AI tools for work? What are you using them for? What concerns do you have?"

  2. Identify the real risks together. What data does your team routinely work with? What would happen if that data ended up somewhere it shouldn't?

  3. Draft a policy together. Assign one person to write a first draft based on the discussion, then circulate for input. Keep it short.

  4. Normalise AI use. The conversation shouldn't feel like a crackdown. Frame it as: "We want to help you use these tools well."

  5. Review it every 6 months. This space moves fast. A policy from a year ago may already be out of date.


What NOT to Share With AI at Work

It's worth being concrete about this, because the risks aren't always obvious.

Don't share:

  • Customer names + contact details + purchase history (personal data)
  • Full contracts or legal agreements with client names
  • Internal salary information or performance reviews
  • Board meeting minutes or board papers
  • Pending acquisitions, mergers, or investment rounds
  • Security vulnerabilities or system configurations
  • Any information marked "confidential" or "restricted"

What to do instead: Anonymise or generalise before pasting. "Our client in the financial services sector" instead of "Barclays". "Our Q3 revenue is approximately £X million" instead of the exact figure. You often still get 90% of the value from AI while removing almost all the risk.


Practical Tips

  • A one-page policy is better than a ten-page one. Long policies don't get read.
  • Use plain English. "Don't paste client names and confidential project details into ChatGPT" is better than "Prohibited: input of personally identifiable information combined with commercially sensitive data into non-approved large language model interfaces."
  • Include positive examples. Show people what good AI use at work looks like, not just what's forbidden.
  • Designate an AI point person. Someone who stays informed, fields questions, and updates the policy as things evolve.

Key takeaway: AI norms work best when they're clear, collaborative, and built on trust. Set the rules early, before an incident makes the conversation adversarial.


What to Try This Week

If you manage a team or have influence over how your organisation works: schedule a 30-minute team conversation about AI. Not to announce a policy — just to find out what people are already doing and what questions they have. That conversation will tell you exactly what your policy needs to address.

If you're an individual contributor: write down three situations from your own work where you've been unsure whether it was okay to use AI. Bring those questions to your manager or team. Starting the conversation is itself the action.

