Since the release of ChatGPT in October of last year, the signal to noise ratio re: solid, credible business strategy resources has been daunting. If your organization is still in the mist of a Generative AI sprint to put a baseline company culture and formal policies in place to empower innovation – while mitigating company-wide risk – the Future of Privacy Forum (FPF) is a vetted, sophisticated, and thoughtful resource. And sometimes checklists are good, even if used only to initiate formative conversations and frame core issues for decisionmakers on your team. Find the FPC’s Generative AI for Organizational Use: Internal Policy Checklist here.

With the proliferation of employee use of generative AI tools, this checklist provides organizations with a powerful tool to help revise their internal policies and procedures to ensure that employees are using generative AI in a way that mitigates data, security, and privacy risks, respects intellectual property rights, and preserves consumer trust.

The Checklist draws from a series of consultations with practitioners and experts from over 30 cross-sector companies and organizations to understand current and anticipatory employee use of generative AI tools, benefits and harms, AI governance, and measures taken to protect company data and infrastructure. The conversations focused on any generative AI guidelines, policies, and procedures that had been implemented to govern employees’ use of generative AI tools.

From those discussions, [the FPF researchers and authors] learned that organizations have broadly varied use cases for generative AI and, therefore, significant variation in generative AI policies:

Some organizations have enacted outright bans for generative AI tools without prior approval;

While others have created restrictions for the use of generative AI; and

Others have yet to develop express policies and procedures on employee use of generative AI.

The Internal Policy Checklist for Generative AI is intended to serve as a guidance document no matter what stage of the process an organization is in. It may be used as a starting point to help kick off the development of internal generative AI policies or as a final check to ensure an organization has provided comprehensive and robust guidelines for their teams.

The Checklist provides guidance in four areas:

Use in Compliance with Existing Laws and Policies for Data Protection & Security

Employee Training and Education

Employee Use Disclosure

Outputs of Generative AI

