Blue Sage Data Systems
For Lincoln mid-market leaders

How to write an AI use policy that holds up

A step-by-step approach for mid-market companies that don't have a policy yet, or have one that isn't working. Designed for fast review by Legal, Security, and HR.


Text Rosey · Schedule a call →

Definition

Drafting an AI use policy that actually holds up follows a specific sequence. Writing the prose first and figuring out the approved tool list later is exactly how policies become out of date the moment they ship.

**Step 1.** Inventory current AI use. Survey staff anonymously. Map answers to (tool, role, data type). You'll find more shadow AI than expected — Express-Harris 2026 found 38% of companies allow employees to use any AI tools they're familiar with.

**Step 2.** Identify applicable regulators. NAIC + Nebraska IGD-H1 if you write insurance. OCC 2023-17 / FDIC FIL-29-2023 if you bank. HIPAA Security Rule + Section 1557 if you touch PHI. NITC 8-609 if you contract with the State of Nebraska — common for Lincoln-based firms. Pull each rule's actual text.

**Step 3.** Build the approved tool list jointly with IT and Security. Per tool: data residency, retention, training-data opt-out, enterprise tier, BAA status, SOC 2 / SOC 1 reports.

**Step 4.** Define prohibited data. PII / PHI / attorney-client / source code / donor records / regulator-flagged categories. Be specific.

**Step 5.** Define human-in-the-loop requirements per workflow. Customer-facing output? HITL. Consequential decisions (hiring, lending, claims)? HITL plus bias-mitigation per Section 1557.

**Step 6.** Define escalation. Single named role, single channel, response SLA.

**Step 7.** Attestation + training. Policy without attestation isn't a policy.

**Step 8.** Review cadence. Quarterly minimum, specific calendar dates, a named owner.

Common follow-up questions

**How long does drafting take?**
About 4–6 weeks of working sessions, plus 2–3 weeks of Legal and Security review. Faster is possible with a tight scope; slower is wise if you operate in multiple regulated industries.

**Can we just adopt a template and call it done?**
Templates are useful for sequence and section structure. They cannot make organization-specific calls. Plan to use a template for ~30% of the work and your own judgment for the rest.

**What if our Legal team doesn't have AI experience?**
Most don't yet. Co-drafting works: Legal owns regulatory mapping, you bring AI-specific expertise on operational sections.

**Should the board approve the policy?**
Yes — board adoption signals that AI use is a governance matter, not an IT matter. For insurers under IGD-H1, board oversight of the AIS Program is implicit in the bulletin's governance requirement.

**How do we test that it actually works?**
Spot-check recent AI-touched work for HITL compliance. Run a quarterly anonymous survey on policy clarity. Track incident reports — zero usually means people aren't reporting; 1–3 minor incidents per quarter is healthy.

→ Start here

Text Rosey to begin.

Rosey is our executive-assistant bot. Text the number below — she'll ask two questions, offer three calendar slots, and put a 30-minute call on Jim's calendar.

or call 415 481 2629