The 10 Things All Employers Must Include in Any Workplace AI Policy

Whether your organization has deployed a generative AI tool for your employees or hasn’t (yet) hopped on the bandwagon, the time is now for you to create a workplace policy governing the use of the technology. Many organizations are exploring ways their workforces can harness the revolutionary advances in productivity, efficiency, and creativity that generative AI (GenAI) products like ChatGPT, Google’s Bard, or Microsoft’s Bing can bring. And, even if you aren’t doing the same, your employees almost certainly are. But how can you do so in a responsible way? A first step is developing a workplace GenAI policy. Read on for the 10 things you should include.

First Things First: What is GenAI?

Recent advances in GenAI, kicked off most prolifically by the release of ChatGPT and soon thereafter joined by Bard and the reformulated Bing, have captured the attention of a broad audience. Almost immediately, employees and employers alike began thinking about the ways the technology can be used in the workplace, seemingly limited only by our imaginations. How is this different, however, than other forms of AI which have been around for years?

You’ve probably been living and working with some form of AI for some time now. Does your company have any sort of chatbot providing answers to simple questions about where to find a resource? No doubt you have an auto-complete feature when you type into your email platform. Those are all examples of artificial intelligence – just in rudimentary form.

Unlike this prior technology, GenAI is able to generate original human-like output and expressions in addition to describing or interpreting existing information. In other words, it appears to “think” and respond like a human. However, GenAI is limited by the data upon which it was trained, and will not have the judgment, strategic thinking, or contextual knowledge that a human does. These and other technological limitations and risks are why having a sound GenAI policy is so important.

The 10 Components Your GenAI Policy Should Include

While each company should customize a GenAI policy to suit its own needs and priorities, there are 10 topics to consider at a bare minimum. 

1. Outline the Policy’s Purpose and Scope. The first thing your policy should include is a description of its purpose and scope.
   • Generally, the purpose of the policy would be to provide guidelines for the organization’s development, implementation, use, and monitoring of GenAI in the workplace.
   • The scope should clearly tell your employees which areas are covered – and here’s where you need to be very clear. If your organization does not provide any GenAI products for your employees, you still need to make clear that the policy covers the use of any third-party or publicly available GenAI tool, such as ChatGPT, Bard, Bing, DALL-E, Midjourney, and other similar applications that mimic human intelligence to generate answers, work product, or perform certain tasks. And, if you do supply your workers with a GenAI product, you should make sure your policy covers appropriate usage with specific circumstances kept in mind.
2. Maintain Data Privacy and Security. Data privacy and security is a critical component of any GenAI policy, particularly given the strict data privacy laws that exist and are developing across the country (and internationally). Your policy should create safeguards to protect the data inputted into any GenAI technology, addressing data collection, storage, and sharing. At a minimum, you should prohibit your employees from entering private or personal information into any GenAI platform.
3. Uphold Company Confidentiality. You will also want to ensure that your company’s most important data – trade secrets, private information, PII of your employees and other third parties, confidential data, sensitive matters, etc. – are kept far away from GenAI. This will not only help you avoid embarrassing or damaging situations, but could help you uphold and defend the confidential nature of this information if you ever find yourself in trade secrets litigation.
4. Ensure Your Commitment to Diversity is Not Compromised. GenAI has the capacity to provide information that violates not only your company’s strong diversity goals but also legal anti-discrimination standards. For this reason, you should plainly state that information received from GenAI needs to be double-checked using reasoned human judgment to ensure it does not run afoul of your company’s commitment to diversity.
5. Prohibit Employment-Based Decisions Aided by GenAI. Related to the previous point, you should clearly state that GenAI tools should not be used to make or help you make employment decisions about applicants or employees. This includes recruitment, hiring, retention, promotions, transfers, performance monitoring, discipline, demotion, terminations, or other decisions. Of course, if you have deployed a GenAI tool to help you navigate human resources activity, you can allow such use – so long as you are confident that your policies surrounding the use of that specific tool uphold legal principles (including any relevant state laws) and your highest company standards.
6. Prevent Copyright or Other Theft Concerns. The danger always exists that information provided from GenAI platforms (including image generators like DALL-E 2 and Midjourney) could include details from copyrighted or other protected sources. If your employees use a GenAI tool to generate content for company use that happens to include information from a protected source, you could find yourself in legal hot water. Make sure your employees know not to pass off any information or content received from GenAI as their own without double-checking sources. They should use GenAI as an idea generator, not as a replacement for content creation.
7. Outline Best Practices. The inherent limitations related to GenAI in its current form should lead you to outline best practices that should be followed whenever your employees use the technology to aid their work. Some examples:
   • Because GenAI is prone to providing hallucinations and outdated answers, you should require your workers to confirm any information received before relying on it in any capacity.
   • There is always risk of a data breach involving any GenAI provider. While your workers might think they can input any question into the system with complete anonymity, they should be warned to treat any information provided into any GenAI platform as if it will go viral on the Internet –with their name and your company’s identity along with it.
   • Your company’s supervisors should want to know when – and to what extent – GenAI was used to help complete a task. For that reason, you might recommend that employees disclose when they are using the technology and the extent it aided the creation of any content they develop.
8. Be Clear About Consequences. As with any company policy, you should inform your employees that they could face repercussions should they violate any of its tenets. Let them know they could face disciplinary action – up to and including immediate termination, and possibly legal action – should they violate the policy. The policy should also direct employees to report potential violations they learn about to their supervisor or to HR.
9. Include a Disclaimer. Due to the broad reach of the National Labor Relations Act – even over companies that don’t have a unionized workforce – you need to make sure that you offer protections for behavior that has been upheld as protected by the NLRB and courts. Work with your legal counsel to create a disclaimer that clearly states your policy is not intended to interfere with, restrain, or prevent employee communications regarding the rights protected by federal labor law.
10. Input From Across the Spectrum. Finally, make sure you include multi-disciplinary input from stakeholders across the organization to ensure your policy is comprehensive, effective, and realistic. Obvious stakeholders include members of your regulatory, compliance, IT, DEI, and legal departments.

What’s Next?

Once you publish your GenAI policy, your work is not over – it’s just beginning. Besides the all-important work of training your workforce on the policy parameters and ensuring continued and consistent enforcement, you should use the creation of a policy as the right time to establish a framework for GenAI governance and oversight.

Please let us know if you would like a copy of a complimentary GenAI policy provided courtesy of Fisher Phillips LLP.