Egnyte | AI Governance, Responsible AI

6 Key Elements of a Responsible AI Usage Policy

By Rick Mounfield MSc CSyP FSyI, Director, Optimal Risk Group

Recently, I had the pleasure of presenting an AI governance-focused webinar with my colleague Neil Jones at Egnyte. In the session, we discussed many ways to improve AI governance, and you can watch and share the complete session replay here.

During the session, we discussed the importance of responsible AI usage policies. However, my experience is that many organisations struggle to create policies aligned with their business requirements and with the technological solutions that they actually use.

What’s a Responsible AI Usage Policy?

Let’s begin with what we mean by a responsible AI usage policy. According to an article by the Harvard University Division of Continuing Education, responsible AI focuses on how AI technology is being utilised, particularly its relationship with business accountability, transparency, and regulatory compliance. 

In this article, I’ll focus on the cybersecurity and regulatory compliance perspectives of AI adoption. If you don’t yet have an AI policy of your own, consider fine-tuning the templates provided by the North Carolina Center for Nonprofits to your organisation’s individualised requirements. 

Responsible AI Usage Policies: 6 Key Elements

Now, let’s dive into my detailed recommendations about the types of information to include in your policy—and how to manage it. 

1. Formalise Your AI Governance Plan

The first element is fairly straightforward to accomplish. The policy should be formalised in writing, with involvement from your executive team and key users. Initially, many companies model their AI policies on the social media policies they have had in place for years, which already spell out the consequences of misuse and inappropriate behaviour. When such policies are applied to AI, users need to understand the consequences of feeding the company's sensitive data into non-sanctioned AI models, and of AI misuse in general. We'll talk more about sanctioned AI models in the next section.

2. Utilise a Private AI Solution That’s Sanctioned by Your Company 

In the webinar, we discussed the fact that most AI-related data breaches aren't intentional in nature. Rather, they result from well-meaning users trying to do their jobs without understanding the consequences of pasting sensitive corporate data into large language models (LLMs). Having a formally sanctioned, private model gives those users a safe place to work and discourages the adoption of shadow IT or shadow AI solutions. If you or your executive team aren't aware of the volume of AI-related security incidents, I encourage you to review the AI Incident Database; you'll quickly see why this is a business-critical concern.

3. Require Quarterly+ AI Awareness Training 

In addition to documenting the AI solutions that are formally sanctioned by your company, you need to provide users with routine AI awareness training on a quarterly (or even monthly) basis. Why does training need to be conducted so frequently? Because AI tooling, and the ways it can leak data, continue to change significantly every few months.

Awareness training is also important for enforcing your responsible AI usage policy. If an unfortunate data breach occurs, you can forgive a user's lack of knowledge if they never received supplemental education. But if a user participated in awareness training and certified their compliance with it, then AI misuse isn't indicative of a lack of knowledge. Rather, it's indicative of a lack of effort. Common sense tells us that a user who blatantly ignores, or is careless about, AI governance guidelines is bound to get their employer and themselves into trouble. So, real consequences are imperative.

At the same time, we need to be realistic in our expectation that well-intentioned people occasionally make mistakes. If users' intentions aren't malicious, then errors should be viewed as teachable moments. We've had that mantra at Optimal Risk Group for many years.

If you need additional information about conducting an AI awareness programme of your own, the SANS Institute’s AI Awareness Toolkit is a great place to start. 

4. Demand Accountability

With AI technology evolving so rapidly, it's easy for AI governance accountability to fall through the cracks. For that reason, most successful organisations make significant decisions about AI within an AI governance committee that has visibility at board level. The policy should therefore state explicitly who within the company is ultimately responsible for AI adoption, licensing, training, responsible usage policy updates, cybersecurity protection, and compliance. Ideally, those responsibilities should be written into the responsible AI usage policy itself rather than held informally. It's critically important to include key users in the committee's membership, to expand the committee's awareness and credibility.

5. Build Upon Existing Cybersecurity Protection 

For the most successful companies, AI security builds upon fundamental cybersecurity principles, such as least-privilege access control and sensitive content protection.

Role-based access to sensitive information is mission-critical, because it limits the amount of damage that any individual user (or any AI tool acting on that user's behalf) can do with the information. If a user doesn't need to access data, or doesn't need to process it, then they shouldn't have access to it in the first place. Bear in mind that an AI assistant connected to your corporate data can surface everything the querying user is permitted to see, so over-broad permissions that went unnoticed for years become exposure the moment AI is switched on. That's why we're quite strict about restricting access based on users' "business need to know" at Optimal Risk Group. If you're curious about this topic, it's always enlightening to ask your favourite AI solution, "What do you know about me?"

It's also worth comparing today's emerging AI security culture with more mature cybersecurity protection mechanisms that have been in place for years, such as insider threat detection. At one point, insider threat protection was considered the "Wild West" of cybersecurity. Now, most organisations monitor potential insider threats routinely and investigate them promptly. Your goal should be to be a pioneer in the AI security space, not at the back of the proverbial AI governance queue.

6. Institute AI Guardrails in Conjunction With Your Policy

Finally, all of your strategic activities need to be supplemented by AI guardrail technology. AI guardrails help prevent AI usage from veering off course, producing potentially harmful content, or exposing sensitive organisational data. To learn more about Egnyte's AI Safeguards, which protect sensitive content from being exposed by AI technology, watch this brief video.
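To make sections 5 and 6 concrete, here is an added example of what a minimal pre-prompt guardrail can look like in Python. It is not code from this post, from Optimal Risk Group, or from Egnyte's product; the model names, roles, clearance levels, detection patterns and sample documents are all assumptions made for illustration. Before any text leaves the organisation it checks that the requested model is on the sanctioned list (section 2), that the user's role has business need-to-know for every document attached to the prompt (section 5), and it redacts sensitive values such as e-mail addresses, Luhn-valid payment card numbers and cloud access keys (section 6).

```python
"""Added example: a minimal pre-prompt guardrail that enforces three policy
points before text is sent to an LLM: (1) only a sanctioned model may be used,
(2) the user must have business need-to-know for every attached document, and
(3) sensitive values are redacted. Model names, roles, clearances, patterns and
sample documents are assumptions for illustration, not real data."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Hypothetical sanctioned model and role-to-classification entitlements.
SANCTIONED_MODELS = {"corp-private-llm"}
ROLE_CLEARANCE = {
    "finance": {"public", "internal", "confidential"},
    "marketing": {"public", "internal"},
}

# Candidate payment-card runs (13-19 digits, optional spaces/dashes). A hit is
# only redacted if it also passes Luhn, which leaves order numbers intact.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
SIMPLE_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "aws_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),  # AWS access key ID format
}


@dataclass
class Document:
    name: str
    classification: str
    text: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    redacted_prompt: str = ""
    findings: list[str] = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def redact(text: str) -> tuple[str, list[str]]:
    """Replace sensitive values with placeholders; return new text and what was found."""
    findings: list[str] = []

    def card_repl(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            findings.append("card")
            return "[REDACTED-CARD]"
        return m.group(0)  # not Luhn-valid: probably an order or reference number

    text = CARD_RE.sub(card_repl, text)
    for label, pattern in SIMPLE_PATTERNS.items():
        text, count = pattern.subn(f"[REDACTED-{label.upper()}]", text)
        findings.extend([label] * count)
    return text, findings


def evaluate(role: str, model: str, documents: list[Document], question: str) -> Decision:
    """Policy decision for one prompt; blocks before any data leaves the organisation."""
    if model not in SANCTIONED_MODELS:
        return Decision(False, f"model {model!r} is not sanctioned")
    clearance = ROLE_CLEARANCE.get(role, set())
    denied = [d.name for d in documents if d.classification not in clearance]
    if denied:
        return Decision(False, f"role {role!r} lacks need-to-know for: {', '.join(denied)}")
    prompt = question + "\n\n" + "\n".join(f"[{d.name}]\n{d.text}" for d in documents)
    redacted, findings = redact(prompt)
    return Decision(True, "allowed after redaction", redacted, findings)


# Constructed sample documents (not real data); the key is AWS's documented example ID.
SAMPLE_DOCS = [
    Document("q3-forecast.txt", "confidential",
             "Contact cfo@example.com. Corporate card 4111 1111 1111 1111, "
             "order ref 1234 5678 9012 3456, key AKIAIOSFODNN7EXAMPLE."),
    Document("press-release.txt", "public", "Example Ltd launches a new product line."),
]

if __name__ == "__main__":
    for role, model in [("finance", "public-chatbot"), ("marketing", "corp-private-llm"),
                        ("finance", "corp-private-llm")]:
        d = evaluate(role, model, SAMPLE_DOCS, "Summarise these documents.")
        print(f"{role}/{model}: allowed={d.allowed} ({d.reason}) findings={d.findings}")
        if d.allowed:
            print(d.redacted_prompt)
```

The order of the checks matters: the model allowlist and the need-to-know check refuse the whole request outright, because a marketing user should never be able to attach a confidential forecast no matter how well it is redacted, and redaction is only a last line of defence for data the user is entitled to handle. A production guardrail would source the clearance table from your identity provider and the classification from your content labelling system rather than from constants.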

Learn More

AI governance is a daunting topic for many companies, particularly since AI continues to evolve so rapidly. For more ways to improve AI governance, watch our webinar replay and check out the wide array of AI security resources available from the National Cyber Security Centre.
