Karakor
AI · GOVERNANCE

Most AI policies are written for marketing. The version that matters is the one a lawyer can read back into the record without flinching.

Shahed Daoud · 5 min read

Most AI acceptable-use policies were not written for a court reporter. They were written for a careers page, or a security questionnaire, or the legal team at an enterprise customer that wanted to see something on letterhead. The language is broad, the obligations are vague, and the operative verbs are "encourage," "consider," and "where appropriate."

The version that matters is different. It is the one a lawyer can read back into the record, on the day someone alleges that the firm's AI usage harmed them, without flinching.

We have helped firms write both. The difference is not length. The difference is whether the document answers four questions a hostile examiner will ask.

Question one: what data went to what model

A policy that says "employees may use AI tools subject to data classification" is not a policy. It is a sentiment.

The version that holds up names specific models, specific data classes, and specific permissions. Class A data, including client material, may only be processed by Model X running on infrastructure Y. Class B data may use either Model X or Model Z. Public-domain data may use any sanctioned tool on the published list. The list is dated. The list is reviewed quarterly. The list is the operative document.

A reviewer holding the policy and the list can answer "was that prompt permitted" in under a minute. That is the standard.
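Encoding the list as data is what makes the under-a-minute answer possible. The following is an added example, not Karakor's or any firm's tooling: it expresses a dated sanctioned list as a mapping from data class to permitted (model, infrastructure) pairs, and answers "was that prompt permitted" from the list alone. The data classes, "Model X", "Model Z" and "Infrastructure Y" are constructed placeholders following the article's wording, and the 92-day window is an assumption about what "reviewed quarterly" means; a list outside that window is treated as stale, so the check refuses to answer from it rather than guessing.

```python
"""Policy-as-data check for an AI acceptable-use allowlist.

Added example, not the article's or any firm's own tooling. Data classes,
model names and infrastructure names are constructed placeholders that
follow the article's wording; the review window is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Optional

# Assumption: a list not re-reviewed within this many days is stale and
# must not be used to answer "was that prompt permitted".
REVIEW_INTERVAL = timedelta(days=92)


@dataclass(frozen=True)
class Permission:
    """One permitted (model, infrastructure) pair for a data class."""
    model: str
    infrastructure: Optional[str] = None  # None: no infrastructure restriction


@dataclass
class SanctionedList:
    """The dated, operative list the policy points at."""
    reviewed_on: date
    permissions: Dict[str, FrozenSet[Permission]]  # data class -> allowed pairs
    sanctioned_tools: FrozenSet[str]  # any of these may process public-domain data


@dataclass(frozen=True)
class Decision:
    permitted: bool
    reason: str


def is_current(sanctioned: SanctionedList, on: date) -> bool:
    """True if the list was reviewed on or before `on` and within the review window."""
    return sanctioned.reviewed_on <= on and on - sanctioned.reviewed_on <= REVIEW_INTERVAL


def check_prompt(sanctioned: SanctionedList, data_class: str, model: str,
                 infrastructure: str, on: date) -> Decision:
    """Answer "was that prompt permitted" from the policy and the dated list alone."""
    # Edge case first: a stale list cannot support a defensible answer.
    if not is_current(sanctioned, on):
        return Decision(False, f"list reviewed {sanctioned.reviewed_on} is stale on {on}")
    if data_class == "public":
        if model in sanctioned.sanctioned_tools:
            return Decision(True, f"{model} is a sanctioned tool; public-domain data")
        return Decision(False, f"{model} is not on the sanctioned tool list")
    allowed = sanctioned.permissions.get(data_class)
    if allowed is None:
        return Decision(False, f"data class {data_class!r} is not on the list")
    for perm in allowed:
        if perm.model == model and perm.infrastructure in (None, infrastructure):
            return Decision(True, f"{data_class}: {model} on {infrastructure} is listed")
    return Decision(False, f"{data_class}: {model} on {infrastructure} is not listed")


# Constructed list mirroring the article's example permissions.
EXAMPLE_LIST = SanctionedList(
    reviewed_on=date(2024, 1, 15),
    permissions={
        "class_a": frozenset({Permission("Model X", "Infrastructure Y")}),
        "class_b": frozenset({Permission("Model X"), Permission("Model Z")}),
    },
    sanctioned_tools=frozenset({"Model X", "Model Z"}),
)

if __name__ == "__main__":
    for args in [
        ("class_a", "Model X", "Infrastructure Y", date(2024, 2, 1)),
        ("class_a", "Model X", "vendor-cloud", date(2024, 2, 1)),
        ("class_b", "Model Z", "vendor-cloud", date(2024, 2, 1)),
        ("class_a", "Model X", "Infrastructure Y", date(2024, 6, 1)),
    ]:
        decision = check_prompt(EXAMPLE_LIST, *args)
        print("PERMIT" if decision.permitted else "DENY  ", "-", decision.reason)
```

The point of the shape is that every decision carries a reason that quotes the list entry (or its absence, or its staleness), which is what a reviewer needs to read back into a record. Adding a new model or data class is an edit to the dated list, not to the check.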

Question two: who decided, and on what basis

Every AI deployment named on the list has a written justification: what was reviewed, who approved it, when the review took place, what data flow the approval contemplated. The justification is one page. It lives in a known place. It is signed.

An organisation that cannot produce the signed justification has, in effect, no policy. It has a wish.

Question three: what is logged, and for how long

An AI policy without a retention clause is a policy that cannot be enforced. The clause names the logs that exist (prompts, completions, document context, user identity), where they live, who can access them, and how long they are kept.

The honest answer to "how long" is often shorter than people expect. Retention has to balance audit utility against discovery exposure. Six months of structured logs, with named owners and a deletion schedule, is a more defensible posture than three years of unstructured logs nobody is sure how to query.

Question four: what happens when it goes wrong

The policy names one specific person who acts when the policy is violated, when a model behaves unexpectedly, or when a regulator asks. That person has authority to suspend AI access, escalate the matter, and notify clients if required. The chain of command is one sentence, and it does not depend on a meeting.

Policies without a named owner are policies that fail under pressure. The chair of an AI governance committee that meets monthly is not an owner; it is a delay.

What the policy is for

The policy is not for the marketing site. It is for the moment, eighteen months from now, when an AI tool surfaces something it should not have, and someone asks the firm: what controls did you have in place?

The honest answer is the four pages above, written before the question was asked. That is what governance looks like.

An AI acceptable-use policy that survives a deposition — Karakor Insights