# Secure AI Use Starter Kit
Your AI policy, rollout plan, and comms—ready to ship Monday.
## Your First Week
| Day | Action | Owner | Time |
|---|---|---|---|
| Monday | Read the Acceptable Use Policy. Get CEO/legal sign-off. | Security lead | 1 hour |
| Tuesday | Announce policy to all-hands. Send Email #1. Share Risk Framework with team leads. | Security lead + comms | 30 min |
| Wednesday | Hold manager training session (use the Playbook Week 1 guidance). | Security lead | 1 hour |
| Thursday | Start posting Slack/Teams messages (see message pack). | Comms + IT | 10 min |
| Friday | Collect early questions. Publish FAQ in policy doc. | Security lead | 1 hour |
## What You're Shipping
| File | Use It For | Who Reads It |
|---|---|---|
| 01-AI-Acceptable-Use-Policy | The headline deliverable. Print it, hand it out, cite it. | Everyone |
| 02-30-Day-Rollout-Playbook | Your week-by-week game plan. Run it like a campaign. | Security lead + managers |
| 03-AI-Risk-Framework | Classify AI use in 4 tiers. Use this to make approval decisions. | Security lead + team leads |
| 04-Manager-Rollout-Emails | Send these 3 emails. Customize the dates and tool names. | Managers (to their teams) |
| 05-Slack-Teams-Pack | 15 ready-to-paste messages. Drip them over 30 days. | Comms + IT |
| 06-Exec-Summary-One-Pager | Show this to the CEO or board. It's the 5-minute version. | Executives |
## How to Customize (2 Minutes)
Find and replace these tokens in every file:
- {{company}} → Your company name
- {{approvedAiTool}} → The primary tool you're endorsing (e.g., "Claude API" or "ChatGPT Pro")
That's it. Everything else flows from those two choices.
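If you would rather script the find-and-replace than do it by hand in six files, the helper below (an added example, not part of the kit) fills both tokens and then checks that no `{{...}}` token was left behind. It assumes the kit files are plain text/markdown in the current directory; the file name in the usage comment is constructed.

```shell
#!/bin/sh
# Fill the kit's two tokens and verify nothing is left unfilled.
# Added example; file names below are constructed, not the kit's own.

# render_kit FILE COMPANY TOOL
# Replaces {{company}} and {{approvedAiTool}} in FILE, in place.
# '|' is the sed delimiter so a tool name containing '/' is safe;
# values containing '|' or '&' would need escaping first.
render_kit() {
  file=$1; company=$2; tool=$3
  sed -i.bak \
    -e "s|{{company}}|$company|g" \
    -e "s|{{approvedAiTool}}|$tool|g" \
    "$file" && rm -f "$file.bak"
}

# unresolved_tokens FILE
# Prints every remaining {{token}} with its line number.
# Returns 1 if any remain, 0 if the file is fully customized.
unresolved_tokens() {
  if grep -n -o '{{[A-Za-z]*}}' "$1"; then
    return 1
  fi
  return 0
}

# Usage over the whole kit (uncomment to run):
# for f in 0[1-6]-*.md; do
#   render_kit "$f" "Acme Corp" "Claude API"
#   unresolved_tokens "$f" || echo "unfilled token in $f"
# done
```

Run `unresolved_tokens` before you publish; a leftover `{{company}}` in the policy you hand to the CEO is the kind of mistake that is easy to make and easy to catch.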
## Success Metrics (30 Days)
- Week 1: 100% of managers trained
- Week 2: All teams know the 4-tier framework
- Week 3: Enforcement begins; track how many exceptions you grant (should be <5)
- Week 4: Measure: "How many teams are using approved tools?" Goal: 80%+
## FAQ
Q: Do I have to agree with the defaults? A: No. Each policy statement has a "How to customize" note explaining the reasoning. Change what doesn't fit your org. Just document why.
Q: What if someone violates the policy? A: See the Acceptable Use Policy → Enforcement section. First offense is retrain + audit. Second is escalation.
Q: Can we add more approved tools? A: Yes. Follow the vendor evaluation process in the Risk Framework. Security + legal sign-off required.
Q: This is too strict / too loose. A: The defaults are opinionated for the 50–500 person company. Adjust tier assignments, not the framework.
## Next Steps
- Customize the tokens ({{company}}, {{approvedAiTool}})
- Get executive sign-off on the policy
- Load this into your change management system (if you have one)
- Run Week 1 of the Playbook on Monday
Questions? See the "How to customize" section at the end of each file.
Good luck. You've got this. 🚀