Which AI hiring and workplace decisions need notices, audits, or appeal rights?
AI use in hiring and workplace decisions now needs a state-by-state policy overlay. Illinois, New York City, and Colorado create different duties for notice, bias audits, human review, correction rights, or appeal paths depending on the tool and decision.
The clearest reason company AI policies no longer fit inside a generic IT-use document is employment law. Illinois now regulates this in two layers. The narrower layer is the Artificial Intelligence Video Interview Act. For Illinois-based roles, employers using AI to analyze recorded interviews must give notice that “artificial intelligence may be used to analyze the applicant's video interview,” explain how the system works and what it evaluates, and obtain consent before the interview goes forward. The broader layer is Illinois Public Act 103-0804, effective January 1, 2026, which prohibits AI use in covered employment decisions when it has a discriminatory effect, bars “zip codes as a proxy for protected classes”, and requires notice when AI is used for those purposes.
New York City and Colorado push the same point from different angles. NYC Local Law 144 is not about AI in the abstract. It is about an automated employment decision tool (AEDT) that “substantially assists or replaces discretionary decision-making” in hiring or promotion. The FAQ makes clear that the law reaches screening, not just the final hiring decision, and it requires a completed bias audit plus notice 10 business days before using an AEDT. Colorado is broader in structure. SB24-205 imposes “reasonable care” duties, impact assessments, correction rights, and an appeal path with human review if technically feasible when a high-risk system makes, or will be a substantial factor in making, a consequential decision. But SB25B-004 extended the effective date of those requirements to June 30, 2026, so Colorado is important but, as of April 20, 2026, easy to overstate if the date is omitted.
Fisher Phillips says the proposed IDHR rules would treat AI that “influence[s] or facilitate[s]” employment decisions broadly enough to cover resume screening, targeted recruiting, video or voice analysis, and third-party data. Those proposals are useful because they show where Illinois may be headed. They are still proposed, not final.
Sources for this answer
Primary law
A.1 820 ILCS 42/5. Supports the cited proposition.
artificial intelligence may be used to analyze the applicant's video interview
See 820 ILCS 42/5.
Primary law
A.2 Illinois General Assembly, Public Act 103-0804. Supports the cited proposition.
zip codes as a proxy for protected classes
See Illinois General Assembly, Public Act 103-0804.
Primary law
A.3 NYC DCWP, Automated Employment Decision Tools: Frequently Asked Questions (PDF). Supports the cited proposition.
substantially assists or replaces discretionary decision-making
See NYC DCWP, Automated Employment Decision Tools: Frequently Asked Questions.
Primary law
A.4 NYC DCWP, Automated Employment Decision Tools (AEDT). New York City law mandates that employers must conduct bias audits of automated employment decision tools and provide specific notices to candidates before using such tools in the hiring process.
prohibits employers and employment agencies from using an automated employment decision tool unless the tool has been subject to a bias audit within one year of the use of the tool, information about the bias audit is publicly available, and certain notices have been provided to employees or job candidates.
See NYC DCWP, Automated Employment Decision Tools (AEDT).
Primary law
A.5 Colorado General Assembly, SB24-205 Consumer Protections for Artificial Intel... Supports the cited proposition.
reasonable care
See Colorado General Assembly, SB24-205 Consumer Protections for Artificial Intelligence.
Primary law
A.6 Colorado General Assembly, SB25B-004 Increase Transparency for Algorithmic Sy... Colorado Senate Bill 25B-004 extends the effective date for the algorithmic transparency and consumer protection requirements originally established in Senate Bill 24-205 to June 30, 2026.
The act extends the effective date of the requirements of Senate Bill 24-205 to June 30, 2026.
See Colorado General Assembly, SB25B-004 Increase Transparency for Algorithmic Systems.
Law-firm commentary
A.7 Fisher Phillips, Sneak Peek: Illinois AI Workplace Notice Rulemaking is Coming – What to Expect + Your 5-Step Action Plan. Illinois law requires employers to provide notice to applicants and employees regarding the use of artificial intelligence in employment decisions and mandates the retention of related records for four years.
Under the new law, employers will need to provide notice to applicants and workers if they use artificial intelligence for hiring, discipline, discharge, or other workplace-related purposes.
See Fisher Phillips, Sneak Peek: Illinois AI Workplace Notice Rulemaking is Coming – What to Expect + Your 5-Step Action Plan.
Can using AI to monitor employees violate labor law?
Yes, AI monitoring can become a labor-law issue when surveillance, scheduling, productivity scoring, or automated management chills protected employee activity. The policy should identify labor-sensitive uses, preserve human decision authority, and avoid overbroad monitoring rules.
AI usage policies also became labor-law documents once companies started using AI to monitor productivity, morale, scheduling, and communications. NLRB General Counsel Memo 23-02 says intrusive surveillance and automated management practices can have “a tendency to interfere with Section 7 rights”. And under Stericycle, Inc., 372 NLRB No. 113 (Aug. 2, 2023), an employer rule that chills protected activity is presumptively unlawful unless the employer can show a legitimate and substantial business interest and the absence of a more narrowly tailored alternative.
Where the firms differ, it is mostly on emphasis. Wilson Sonsini spends more time on external transparency regimes, including the EU AI Act timing and California ADMT rules. Morgan Lewis and Proskauer spend more time on labor relations and the need for genuinely structured human oversight when AI reaches monitoring or bargaining-adjacent workflows. But they are not really arguing about whether companies need AI AUPs. They are arguing about how much of the policy belongs in the general document and how much belongs in use-case-specific appendices.
The fourth consequence is that one company AI policy increasingly turns into several. Hiring tools need notice, audit, explanation, and bias language. AI notetakers need consent, retention, privilege, and internal-versus-external meeting rules. Legal teams need a stricter overlay because confidentiality and professional judgment are different from ordinary employee productivity work. Labor-sensitive uses need explicit statements about monitoring, bargaining, and who retains decision authority.
Colorado, the NLRB materials, Morgan Lewis, and Formal Opinion 512 all assume human review matters. None of them turns the phrase “human in the loop” into a safe harbor. The unresolved question is when review is meaningful and when it is ceremonial, especially in high-volume hiring, monitoring, or legal workflows.
Sources for this answer
Agency guidance
B.1 National Labor Relations Board, NLRB General Counsel Issues Memo on Unlawful Electronic Surveillance and Automated Management Practices. Supports the cited proposition.
a tendency to interfere with Section 7 rights
See National Labor Relations Board, NLRB General Counsel Issues Memo on Unlawful Electronic Surveillance and Automated Management Practices.
Agency guidance
B.2 National Labor Relations Board, Board Adopts New Standard for Assessing Lawfulness of Work Rules. The NLRB established a new standard in Stericycle Inc. requiring employers to narrowly tailor work rules to avoid chilling employees' Section 7 rights, replacing the previous categorical approach.
the NLRB issued a decision in Stericycle Inc., adopting a new legal standard for evaluating employer work rules challenged as facially unlawful under Section 8(a)(1) of the National Labor Relations Act.
See National Labor Relations Board, Board Adopts New Standard for Assessing Lawfulness of Work Rules.
Law-firm commentary
B.3 Wilson Sonsini commentary. Businesses in 2026 are subject to an increasingly complex and fragmented regulatory landscape for artificial intelligence, characterized by new state-level transparency and safety requirements, heightened federal enforcement, and ongoing legal challenges regarding the scope of state authority.
In 2026, businesses will face an increasingly complex regulatory environment for Artificial Intelligence (AI).
See Wilson Sonsini, 2026 Year in Preview: AI Regulatory Developments for Companies to Watch Out For.
Law-firm commentary
B.4 Morgan Lewis commentary. Employers must implement structured governance frameworks and human oversight when deploying AI in labor relations to mitigate legal risks under the NLRA and other regulatory obligations.
A three-tiered model consisting of human-in-the-loop, human-on-the-loop, and human-in-command provides a practical governance framework
See Morgan Lewis, How AI Will Fundamentally Reshape Work in Labor Relations.
Law-firm commentary
B.5 Proskauer commentary. Employers integrating AI and robotics into the workplace must evaluate their obligations to bargain under the NLRA, ensure compliance with protected employee rights, and conduct hazard assessments to meet OSHA safety standards.
the employer must evaluate whether the integration is a mandatory or permissive subject of bargaining under the NLRA.
See Proskauer, AI At Work: Safety And NLRA Best Practices For Employers.
Law-firm commentary
B.6 Fisher Phillips commentary. Companies utilizing AI notetaking tools face significant legal and compliance risks regarding participant consent, data privacy, and the protection of privileged information.
The complaint alleges the app unlawfully records conversations in popular video conferencing platforms without the consent of all participants.
See Fisher Phillips, New Lawsuit Highlights Concerns About AI Notetakers: 7 Steps Businesses Should Take.
Commentary
B.7 American Bar Association, Formal Opinion 512 (PDF). Supports the cited proposition.
benefits and risks associated
See American Bar Association, Formal Opinion 512.
Primary law
B.8 Colorado General Assembly, SB24-205 Consumer Protections for Artificial Intel... Supports the cited proposition.
reasonable care
See Colorado General Assembly, SB24-205 Consumer Protections for Artificial Intelligence.
What AI policy rules should in-house legal teams add for privileged work?
In-house legal teams need stricter AI rules than the company-wide baseline. The legal overlay should control privileged inputs, draft legal advice, lawyer review, vendor supervision, and final professional judgment.
For in-house legal teams, the company AUP is only the floor. ABA Formal Opinion 512 says lawyers must understand the “benefits and risks associated” with the technologies they use, and it says lawyers may not abdicate professional judgment to the tool. The point is not that the legal department needs a different brand of software policy. It is that Model Rules 1.1, 1.6, and 5.3 turn ordinary company guardrails into a stricter workflow for privileged information, draft legal advice, and final legal judgment.
Sources for this answer
Commentary
C.1 American Bar Association, Formal Opinion 512 (PDF). Supports the cited proposition.
benefits and risks associated
See American Bar Association, Formal Opinion 512.
What should a company AI acceptable use policy cover for everyday tools?
A company AI acceptable use policy should work as a routing system for tools, data, approvals, and human review. The practical clauses usually cover approved accounts, tool tiers, data boundaries, prohibited uses, verification, training, exceptions, and special-use appendices.
The firms are more aligned than they first appear. Orrick, Cooley, Morgan Lewis, and Fisher Phillips all treat the modern AI AUP as a cross-functional operating document rather than a one-page ban on copying confidential material into chatbots. The consensus structure is recognizable: scope, approved tools, data boundaries, prohibited or elevated-risk uses, human verification, training, and some mechanism for exceptions or higher-level approval.
Orrick is the cleanest statement of the shift. Its November 2024 note says an internal policy needs to tell employees which tools they can use, which account types they can use, who approves tools, and where higher scrutiny applies. The non-obvious point is that Orrick does not start with prompt content. It starts with accounts, approval chains, and business area sensitivity. Peripheral uses like marketing or debugging get one treatment; core proprietary development gets another. GitHub's October 2025 playbook lands in almost the same place from an operator's perspective: start with data classification, then tier tools, then create a sanctioned lane for experimental tools rather than pretending experimentation will stop.
Cooley and Morgan Lewis give the policy its harder edges. Cooley says prompts and outputs are not confidential by default and that companies should think of many public-tool prompts as disclosures to a third party. That moves AI policy out of the realm of etiquette and into trade-secret, patent, privacy, and contract risk. Morgan Lewis then turns that into drafting language: no customer data without written consent, no personal accounts for business use, no PII in ordinary tools, and no invention or proprietary work product “without sufficient human involvement, verification, and judgment”.
The first consequence is that account choice became a legal term, not just a procurement term. Orrick frames this directly: personal and free accounts rarely carry the protections a company expects, while enterprise tiers often do because they come with negotiated terms or stronger defaults. Cooley describes the same issue from the other end: absent those protections, prompts can look a lot like third-party disclosures, which changes the trade-secret, patent, customer-contract, and privacy analysis at once. A policy that never distinguishes public tools from contracted tools is therefore missing the clause that probably matters most in daily practice.
The second consequence is that data classification and tool tiering became more stable than tool blacklists. GitHub's playbook is notable because it treats a policy as usable only if employees can tell, quickly, which data class belongs in which tool class. NIST's AI RMF reaches the same destination in more abstract language: govern, map, measure, and manage. The practical translation is that an AI AUP now works better as a routing system than as a long list of prohibitions.
The third consequence is that over-restrictive policies seem to fail in a predictable way: they push use off the books. Fisher Phillips says the same thing in the narrower notetaker context when it notes that employees use these tools anyway, even when employers tell them not to. That is why sanctioned experimentation is showing up in serious policy design. A company that writes only “do not use AI” increasingly creates shadow AI. A company that sanctions approved tools, restricted tools, and experimental tools creates an audit trail and a place for the hard questions to go.
The legal drafting instinct is to define AI broadly so the document survives the next tool cycle. The operational instinct is to name the actual products employees use. The source set points toward a hybrid: broad definitions in the preamble, specific tool tiers in the operating sections. The exact balance remains more practice than law.
Sources for this answer
Law-firm commentary
D.1 Orrick commentary. An effective internal artificial intelligence policy should define authorized account usage, establish clear approval processes for specific use cases, implement risk-based scrutiny for sensitive development areas, and mandate employee training.
it's really important for the policy to instruct employees on what account is okay to use and what account isn't.
See Orrick, Developing an AI Policy for Your Startup.
Commentary
D.2 Cooley commentary. Companies utilizing generative AI for internal business functions face significant legal and operational risks, including potential loss of confidentiality, lack of intellectual property protection for AI-generated outputs, and exposure to third-party infringement claims.
When you submit a prompt on a Generative AI platform, the platform may retain rights to re-use that information or to publish the output.
See Cooley, Top Ten Considerations for Companies Using Generative AI Internally.
Law-firm commentary
D.3 Morgan Lewis commentary. Supports the cited proposition.
without sufficient human involvement, verification, and judgment
See Morgan Lewis, AI Usage Policies Revisited: Structure, Trends, and Transparency.
Law-firm commentary
D.4 Fisher Phillips, Strengthening Your AI Governance with Fisher Phillips’ New AI Policy Templates. Employers should implement structured AI governance policies to mitigate legal and operational risks associated with the integration of artificial intelligence in the workplace.
Employers need clear, structured AI policies to ensure compliance, risk mitigation, and responsible AI use in the workplace.
See Fisher Phillips, Strengthening Your AI Governance with Fisher Phillips’ New AI Policy Templates.
Commentary
D.5 GitHub, Playbook series: Creating clear AI policies and guardrails. Establishing a clear, tiered AI policy framework based on data classification is essential for organizations to mitigate security risks while enabling employee innovation and safe AI adoption.
By creating clear, practical policies and a framework for tiered tool usage, companies can build the trust necessary to empower employees and safely scale AI adoption.
See GitHub, Playbook series: Creating clear AI policies and guardrails.
Primary law
D.6 NIST, AI Risk Management Framework. The NIST AI Risk Management Framework provides a voluntary, consensus-based structure designed to help organizations manage risks and incorporate trustworthiness into the lifecycle of artificial intelligence systems.
The NIST AI Risk Management Framework (AI RMF) is intended for voluntary use and to improve the ability to incorporate trustworthiness considerations into the design, development, use, and evaluation of AI products, services, and systems.
See NIST, AI Risk Management Framework.
Primary law
D.7 NIST AI RMF Core. The NIST AI Risk Management Framework provides a structured, continuous, and multidisciplinary approach for organizations to govern, map, measure, and manage risks throughout the AI system lifecycle.
The AI RMF Core provides outcomes and actions that enable dialogue, understanding, and activities to manage AI risks and responsibly develop trustworthy AI systems.
See NIST AI RMF Core.
Law-firm commentary
D.8 Fisher Phillips commentary. Companies utilizing AI notetaking tools face significant legal and compliance risks regarding participant consent, data privacy, and the protection of privileged information.
The complaint alleges the app unlawfully records conversations in popular video conferencing platforms without the consent of all participants.
See Fisher Phillips, New Lawsuit Highlights Concerns About AI Notetakers: 7 Steps Businesses Should Take.
Should AI notetakers have their own meeting consent and retention rules?
Yes, AI notetakers should usually be handled in their own meeting-policy module. Their risks turn on participant consent, retention, privilege, training-use, and meeting metadata rather than ordinary prompt hygiene.
Fisher Phillips is where the new special-use modules become visible. Its AI notetaker article treats recording bots as a separate governance problem because consent, retention, privilege, and meeting metadata are different from ordinary prompt risk. The article says many jurisdictions require every participant to consent, and it frames notetaker use as something that increasingly belongs in an explicit policy rather than in a generic software-use paragraph. Its Illinois reporting makes the same broader point for HR workflows: once AI is used to influence employment decisions, notice, posting, recordkeeping, and manager training stop being optional hygiene.
Fisher Phillips is careful about this, and that caution seems right. The Otter.ai case is early. The complaint allegations have not been adjudicated. Still, the combination of consent, retention, training-use, and privilege questions is probably enough that many companies will keep treating notetakers as a separate policy domain rather than a footnote in the general AUP.
Sources for this answer
Law-firm commentary
E.1 Fisher Phillips commentary. Companies utilizing AI notetaking tools face significant legal and compliance risks regarding participant consent, data privacy, and the protection of privileged information.
The complaint alleges the app unlawfully records conversations in popular video conferencing platforms without the consent of all participants.
See Fisher Phillips, New Lawsuit Highlights Concerns About AI Notetakers: 7 Steps Businesses Should Take.
Law-firm commentary
E.2 Fisher Phillips commentary. Illinois law requires employers to provide notice of artificial intelligence use in employment decisions and prohibits the use of AI in a manner that results in discrimination against protected classes.
Illinois employers will need to provide notice to applicants and workers if they use artificial intelligence for hiring, discipline, discharge, or other workplace-related purposes.
See Fisher Phillips, Illinois Employers Using AI for Workplace Purposes Will Soon Need to Provide Notice: 10 Quick Takeaways and 5 Things You Should Do to Prepare.
Law-firm commentary
E.3 Fisher Phillips, Sneak Peek: Illinois AI Workplace Notice Rulemaking is Coming – What to Expect + Your 5-Step Action Plan. Illinois law requires employers to provide notice to applicants and employees regarding the use of artificial intelligence in employment decisions and mandates the retention of related records for four years.
Under the new law, employers will need to provide notice to applicants and workers if they use artificial intelligence for hiring, discipline, discharge, or other workplace-related purposes.
See Fisher Phillips, Sneak Peek: Illinois AI Workplace Notice Rulemaking is Coming – What to Expect + Your 5-Step Action Plan.
How often should global AI acceptable use policies be updated?
Global AI acceptable use policies need dated appendices and scheduled review cycles because external AI rules are changing quickly. A policy that sounds timeless can become inaccurate when state, EU, or agency effective dates move.
The fifth consequence is that global policies age faster. Wilson Sonsini's January 2026 summary treats August 2, 2026 as the operative date for certain EU AI Act transparency and high-risk-system obligations, but it also notes that the European Commission's November 2025 Omnibus proposals could push some high-risk-system applicability later. That means multinational AUPs increasingly need dates, appendices, and review cadences. Timeless prose is attractive. It is also increasingly inaccurate.
As of January 13, 2026, Wilson Sonsini wrote that specific EU AI Act transparency and high-risk AI (HRAI) obligations would apply by August 2, 2026. In the same alert it noted that Omnibus proposals could move some HRAI timing to December 2027 at the latest. For global AUP drafting, that is not a contradiction. It is the current state of play.
Sources for this answer
Law-firm commentary
F.1 Wilson Sonsini commentary. Businesses in 2026 are subject to an increasingly complex and fragmented regulatory landscape for artificial intelligence, characterized by new state-level transparency and safety requirements, heightened federal enforcement, and ongoing legal challenges regarding the scope of state authority.
In 2026, businesses will face an increasingly complex regulatory environment for Artificial Intelligence (AI).
See Wilson Sonsini, 2026 Year in Preview: AI Regulatory Developments for Companies to Watch Out For.