A good policy is short, specific, and enabling — not a legal wall of "thou shalt not." It tells people what they CAN do, with which tools, and the few hard lines they must never cross.
What a usable policy covers
- Approved tools + tiers (with data controls) — and which to use for what.
- Hard "never paste" list: customer PII, secrets, unreleased financials, NDA material.
- When human review is mandatory (anything customer-facing or shipped).
- Attribution + ownership — AI-assisted work is still the author’s responsibility.
- Where to share what works — prompts, wins, gotchas.
The data line is non-negotiable
Under the DPDP Act and most contracts, the company remains responsible for personal data even after an employee pastes it into a third-party tool. Make the "never paste" list crystal clear, and use enterprise tiers with data-use controls (no training on your inputs, retention limits) for real work.
Enable, then guardrail
Lead with "here’s how to get value safely," not "here’s everything that’s forbidden." A policy people resent is a policy people route around.
Takeaway
Keep the policy short and enabling: approved tools, a hard "never paste" list, mandatory-review cases, ownership, and a place to share learnings.