AI Acceptable Use Policy · Free template

Your team is already using ChatGPT. The question is what your policy says about it.

A working AI Acceptable Use Policy you can adopt this week. Written for North Carolina SMB owners who have to roll out generative AI without losing CMMC scope, HIPAA scope, or sleep.

24 years securing North Carolina businesses · 4 CMMC-RP credentialed experts · RPO #1449
What this template is

A fill-in-the-blanks policy your HR or counsel can sign off in an afternoon.

Not a five-bullet "AI awareness" handout. Not a generic SHRM template that hasn't been updated since 2023. A real, defensible, signature-ready policy built by the same Registered Practitioner Organization that helps North Carolina defense contractors keep their CMMC scope clean and helps Triangle healthcare practices keep their HIPAA scope clean.

What's inside the 13-section document

01 Scope & definitions

Who is covered, what activities are covered, and definitions that match what an auditor expects: public AI, in-house AI, enterprise AI, prompt, output, training data, shadow AI.

02 Permitted & prohibited use

Examples written for SMB realities, not Fortune 500 abstractions. The line between "drafted with AI" and "fed a client roster to a chatbot."

03 Four-level data classification matrix

Public, Internal, Confidential, Regulated — cross-referenced against three AI tool classes. Maps cleanly to CMMC Information Handling and HIPAA Minimum Necessary.

04 Account & access rules

Includes the browser-extension trap: "AI assistant" extensions that ask for permission to read and change data on every site, then quietly ship everything your team views, including webmail and line-of-business apps, to a third party. The rule is simple: no AI browser extension gets installed without IT reviewing its permissions and its data-handling terms.

05 Disclosure language

Broken down by situation — regulator, court, client, internal coworker, marketing.

06 IP & confidentiality

Language that holds up when an employee asks Copilot to rewrite a competitor's contract.

07 Incident reporting form

A one-page form your team can paste straight into an email. Names the people, timeline, and data classes involved.

08 Graduated enforcement

Distinguishes honest mistake from willful misconduct so HR has language to apply consistently.

09 Acknowledgment page

Employees sign this page before they get access to a single AI tool. Produces the workforce-sanction evidence HIPAA wants.

10 Nine-field customization checklist

The fields to fill so you can ship the policy in 60 to 90 minutes.

You also get a companion Word document so your HR lead and outside counsel can mark it up.

The frame no one else uses

Path 1 versus Path 2 — the conversation a real AI policy has to have.

Most templates pretend there is one kind of AI — the public, cloud-hosted kind — and the only question is whether to allow it. That framing is a mistake. There are two paths, and a real policy names both.

Path 1 — Public, cloud-hosted AI

ChatGPT. Microsoft Copilot. Google Gemini. Claude on Anthropic's site. Extraordinary tools. Also operated by someone else, hosted in someone else's data center, logged on someone else's terms, and (under default consumer-tier settings) usable as training material for the vendor's next model. When your sales rep pastes a client roster into the free ChatGPT to draft a status email, that roster now lives on someone else's server under terms most owners have never read.

Path 2 — Private, in-house AI

A model that runs on your network, on your data, under your governance. No prompts leave your boundary. No outputs become training data for someone else. Your auditor can inspect the logs because you own the logs. Your incident response plan covers it because you control the infrastructure. The flip side: an in-house model sits inside your assessment boundary, so it has to be scoped, access-controlled, patched, and validated for the data classes it handles like any other system in that boundary.

Petronella designs and operates private, in-house AI for clients who need this assurance: chatbots that answer questions from your knowledge base, document assistants that summarize your contracts, voice agents that triage your inbound calls, retrieval-augmented systems that let your team search internal records in plain English. None of that data ever sees an outside vendor's logs.

A policy that only addresses Path 1 is a half-measure. The Path 1 rules tell employees what they can't do. The Path 2 conversation tells your business what it can do. Both belong in the document. The template includes language for both.

Who this is for

SMB owners and IT leaders who can't wait six months for legal to draft something.

01

NC defense contractors approaching CMMC L2

You handle CUI. Your assessment is on the calendar. A documented information-handling rule that covers AI use is in scope, and the template was built to map cleanly to CMMC L2 control families.

02

Triangle healthcare practices & their MSPs

PHI cannot land in a consumer AI tool. The HIPAA Security Rule expects documented sanctions. The classification matrix and acknowledgment page give you both.

03

Financial firms under GLBA / NC Attorney General attention

The FTC Safeguards Rule wants written information-security policy. State regulators are starting to ask. This is the AI-shaped layer that sits cleanly on top of your existing safeguards program.

04

Owners staring down a cyber-insurance renewal

2026 renewal questionnaires ask whether you maintain a written AUP governing generative AI. "We trust our people" reads to underwriters the way "we don't lock the office" reads.

05

Any owner whose team is already using ChatGPT

If your team isn't, they're hiding it. Industry surveys put shadow-AI usage at 50 to 70 percent on professional services teams. The policy surfaces the behavior so you can govern it.

Behind this template

Built by the team that does this work for North Carolina businesses every day.

Petronella Technology Group, Inc.

Cybersecurity, compliance, and private in-house AI — under one roof, in Raleigh, since 2002.

Our compliance practice is led by four CMMC-RP credentialed staff: Craig Petronella (founder), Blake Rea, Justin Summers, and Jonathan Wood. Our AI practice designs and operates private, in-house AI for the same client base — the chatbots, document assistants, voice agents, and retrieval-augmented systems that let Path 2 work without sending a single prompt off your network.

  • 24 years securing North Carolina businesses, since 2002
  • 4 CMMC-RP credentialed experts on staff
  • RPO #1449, Registered Practitioner Organization in the CMMC Cyber AB marketplace

Deeper questions, briefly

The conversations that come up when an owner reads a draft AUP for the first time.

Why "we'll just trust people" stops working in Q1 2026

Three forces converging. Cyber underwriters are asking. The 2026 renewal questionnaires from Coalition, Travelers, At-Bay, and the regional carriers in NC all now include "do you maintain a written AUP governing generative AI?" An honest "no" raises premiums or triggers exclusions.

Regulators are asking. The DoD's CMMC program rule (32 CFR Part 170) took effect in December 2024, the acquisition rule (48 CFR) that writes CMMC requirements into contracts took effect in November 2025, and the first wave of assessments is hitting in 2026. CMMC L2 expects documented information-handling rules. HIPAA's Security Rule expects documented sanctions. The FTC has signaled that AI-enabled deception falls under Section 5. The NC AG has begun referencing AI governance in privacy enforcement letters.

Clients are asking. NC defense contractors are pushing AI use language into subcontractor flow-downs. Triangle hospitals and ACOs are asking their billing vendors whether staff feed PHI to ChatGPT. Law firms are putting AI clauses into vendor contracts that require an AUP and 24-hour incident notification.

If you can't produce a current AUP on request, you lose contracts to the vendor that can.

How the template intersects with CMMC, HIPAA, and GLBA

CMMC Level 2 (CUI). The Regulated row in the classification matrix is explicit: CUI must never enter a Public AI tool, never enter an Enterprise tool without a separate authorization, and only enter an in-house AI tool that has been validated for CUI handling. For a cloud-hosted Enterprise tool, that separate authorization has to establish that the vendor's service meets DFARS 252.204-7012, i.e., FedRAMP Moderate or equivalent, before any CUI touches it; a no-training clause alone does not get you there.

HIPAA (PHI). PHI sent to a public AI tool is, in almost every plausible interpretation, an impermissible disclosure under 45 CFR 164.502 unless the vendor has signed a Business Associate Agreement. As of mid-2026, consumer tiers of ChatGPT, Claude, and Gemini do not offer BAAs. Some Enterprise tiers do, with negotiated terms. A BAA is necessary, not sufficient: the tool still has to be configured so prompts are not retained or used for training, and Minimum Necessary still governs what staff paste in.

GLBA (financial data). The amended FTC Safeguards Rule (16 CFR Part 314, compliance required since June 2023) requires a written information security program, and the 2023 amendment added a duty to notify the FTC within 30 days of a breach affecting 500 or more consumers. An AUP that names AI tools and classifies financial account data as Regulated is a defensible part of that policy stack, and the incident reporting form feeds the notification clock.

The template doesn't pretend to be a substitute for a HIPAA Risk Assessment, a CMMC Self-Assessment, or a GLBA Safeguards Program. It is the AI-shaped layer that sits on top of those.

The shadow AI problem — and why banning AI is worse than governing it

Most owners suspect their team is already using ChatGPT for work. They are right. Industry surveys put usage of personal AI accounts on work devices at 50 to 70 percent. In professional services it is higher.

The wrong response is to ban AI. We've seen owners try. Usage doesn't drop — it moves further into the shadows. People stop telling managers. The "drafted with AI" disclosures stop showing up. The behavior becomes invisible, which is the worst possible state for governance.

The right response is to surface the behavior, approve a corporate-licensed enterprise tool with a no-training agreement, name that tool in the policy, and offer in-house AI for the categories where even the enterprise tier isn't enough. The acknowledgment page in Section 9 is the lever — once an employee signs, two things happen: you get HIPAA-grade workforce-sanction evidence, and the employee is on notice that the company is serious.

Who in the org owns the AUP

This is the question owners get wrong most often. Not IT. Not HR. Not legal. Each owns a piece. None has the whole thing.

  • Legal owns the disclosure obligations, the regulator-facing language, and the consequence of breach.
  • HR owns the acknowledgment workflow, the disciplinary process, and the training cadence.
  • IT or Compliance owns the tool list, the access controls, the DLP and monitoring layer, and the incident triage.
  • The owner or executive sponsor owns the strategic Path 1 vs Path 2 conversation: which AI tools the business will license, how much in-house AI to invest in, and which data classes will simply never touch a third-party model.

We recommend the executive sponsor sign as "Policy Owner" on the document so the responsibility is visible. For Petronella vCISO retainer clients, the vCISO program runs this process end-to-end — document, review cadence, incident triage, and periodic re-signing.

The 5-minute, 5-day, and 5-week versions of rolling it out

The 5-minute version. Download the template. Print the acknowledgment page. Have every employee sign it tomorrow morning. Fill in the nine quick-start fields over lunch. Email the document to the team that afternoon. Defensible bridge while you do the real work.

The 5-day version. Same as above plus: outside counsel half-hour review, 30-minute lunch-and-learn for the team, confirm Enterprise AI tool list and contract status, add the AUP signature to new-hire onboarding.

The 5-week version. Same as above plus: audit current AI usage, inventory tools and contract posture (BAA? DPA? no-training clause?), run a data-classification workshop, customize the template to your industry, train every employee, set up DLP rules, and stand up at least one in-house AI tool for the Regulated category. Petronella runs this engagement, fixed-fee and scoped at intake, from $9,500 for a single-site SMB under 50 employees. All fixed-fee work is paid 100% upfront at contract execution.

What in-house AI actually looks like (Path 2)

The four most common forms of in-house AI we deploy for North Carolina businesses. All are governed by the same template-style AUP.

  1. In-house chatbots. A ChatGPT-style interface where the model runs on your hardware. Wired into Microsoft Entra so only authenticated employees access it. HR FAQ, IT help-desk first-line, internal sales enablement.
  2. Document assistants with retrieval-augmented generation (RAG). Ingest your contracts, SOPs, prior client deliverables, training material. Answer questions with citations. The model sees only your data.
  3. Voice agents. Penny — our AI scheduler — is one. Handle inbound calls, qualify, route, book meetings. Runs entirely on private infrastructure when call content can't leave the boundary.
  4. Workflow agents. Background systems that read a queue, decide, act, and log everything. Lead triage, CMMC scoping question routing, weekly metric summaries.

The policy and the tool reinforce each other. The classification matrix that says "PHI cannot enter a Public AI tool" maps to "PHI can only be processed by the in-house tool validated for PHI." That cohesion is what makes governance stick.

Frequently asked

The questions owners ask before they download.

Is this template actually free?

Yes. Drop your work email and we email the download link. No credit card, no upsell wall, no auto-enrollment in anything. We do offer paid help adopting it (see the 5-week version above) but the template itself is free and remains free.

Will this policy satisfy a CMMC assessor?

A policy by itself never satisfies an assessor — they want evidence that the policy is followed. But this template is built to map cleanly into CMMC L2 control families (Media Protection, System and Information Integrity, Configuration Management, Personnel Security). It produces the workforce-sanction evidence and the documented information-handling rules the assessment expects. Pair it with monitoring, signed acknowledgments, and tool inventory and you have most of what an assessor wants on the AI question.

Does it cover HIPAA?

Yes. The classification matrix treats PHI as Regulated, excluded from Public AI tools entirely and from Enterprise tools without a signed BAA. The acknowledgment form produces workforce-sanction evidence HIPAA's Security Rule expects. We recommend pairing this with a HIPAA Risk Assessment if you haven't done one in the last 12 months.

What about employees who refuse to sign?

Treat it the way you'd treat refusal to sign any other workplace policy. Standard play: explain the policy, have HR walk them through it, give a few days for questions, and if they still refuse, document the refusal and remove access to company-licensed AI tools. The template includes a graduated response with language.

Can we just block ChatGPT at the firewall and call it done?

No. Three problems. First, your team will use mobile data on their phones. Second, AI is embedded in Microsoft Copilot, Google Workspace, and dozens of other tools you need. Third, a firewall block isn't a written policy, and an underwriter, auditor, or regulator is going to ask for the policy. You can block consumer ChatGPT at the DNS or web proxy (we recommend it) AND have an AUP that authorizes the enterprise alternatives; that combination is what works.

How is this different from a generic SHRM template?

Generic templates were mostly written before 2024, treat AI as a single category, and don't address Path 1 vs Path 2 (the conversation modern AI use actually requires). This template was built in 2026 by a CMMC Registered Practitioner Organization, with classification language that maps to CMMC L2, HIPAA, and GLBA, and a private in-house AI option that no generic template will mention because most general HR consultants don't deploy in-house AI.

What if employees use AI on personal accounts at home for work?

The template's Scope section covers this. Personal AI use on personal devices outside of work is not in scope — except when the activity involves company data, which is the moment it becomes in scope. The acknowledgment page makes clear that pasting company data into a personal account anywhere, at any time, is a policy violation.

How often should we review and update this policy?

At minimum every 12 months. Sooner if you sign a new client contract that requires AI disclosure, sooner if a new AI tool becomes business-critical, sooner if you have an incident. The template has a review-cadence field where you commit to a date. For vCISO clients, we own the review and re-signing cycle as part of the retainer.

What does it cost to get help adopting this template properly?

From $9,500 for a single-site SMB under 50 employees. Includes current-state AI use audit, tool inventory with contract review, classification workshop, customization of the template, employee training, DLP rule recommendations, and standing up one in-house AI tool. Pricing scales with site count, headcount, and in-house tool scope. All fixed-fee work paid 100% upfront at contract execution. Call Penny at (919) 348-4912 for a scoped quote.

Can Petronella build the in-house AI tool the policy refers to?

Yes. That's the core of what our AI practice does. We design and operate private, in-house AI (chatbots, document assistants, voice agents, retrieval-augmented systems) on your infrastructure and under your governance, so no data ever sees an outside vendor's logs. Examples at petronella.ai. The 5-week engagement above includes scoping for the first in-house tool.