June 17, 2026

AI Acceptable Use Policy (AUP) Template for SMBs: What to Include, What to Leave Out

This article has been written by Tim Hickle

An AI Acceptable Use Policy, or AUP, is the document that tells employees which AI tools they can use, on which data, with what controls, and what happens when the rules are broken. A good SMB AUP is short, plain-English, tied to concrete examples, and revisited every month based on real-world usage. The AUP is the cornerstone artifact of an AI governance program — and it is the first deliverable the VCAIO produces inside a TaaS engagement. 


How MSPs Ship an AI Acceptable Use Policy in Phase 1 of TaaS 

For MSPs, the AUP is often the easiest first deliverable to ship in a new TaaS engagement — and the easiest one to ship badly. A bad AUP is long, written in legal English, and disconnected from the tools employees actually use. It gets signed during onboarding and then ignored. 


A good SMB AUP includes seven sections. 


  1. Approved tools list. Named tools, with the categories: approved, conditional, blocked. Include the consumer alternatives explicitly — if Claude is approved but Claude.ai personal accounts are blocked, say so. 
  2. Allowed data classifications by tool. Map each approved tool to the data sensitivity tiers it can handle (Public, Internal, Confidential, Restricted, Regulated). Be specific. 
  3. Prohibited use cases. Not what's allowed — what's not. Examples: pasting client contracts into consumer chat, using AI to write performance reviews without disclosure, generating customer-facing content without human review. 
  4. Disclosure rules. When employees must say AI was involved — for example, in customer communications, legal filings, or vendor proposals. 
  5. Incident response. What to do when a sensitive document is exposed to a non-approved tool. Who to call. How fast. What to record: which tool and account, what was pasted or uploaded, and whether that vendor retains or trains on submitted data, since that determines whether the exposure can be contained at all. 
  6. Training requirement. What training is mandatory, on what cadence. Tied to the Copilot 101/102/201/202 curriculum or equivalent. 
  7. Review cadence. When the AUP gets revisited (reviewed at every Monthly AI Council, fully rewritten annually). 

What to leave out: vague principle statements ("we use AI responsibly"), references to laws the SMB doesn't operate under, and clauses copied from someone else's AUP without testing against the client's actual workflows. The AUP should be three to five pages, not twenty. 


The TaaS phasing is built around the AUP lifecycle. Phase 1 produces the first draft against the client's stated policies and observed environment. Phase 3 revises it once Copilot Quick Wins have shipped and actual usage patterns have emerged. Every Monthly AI Council reviews the AUP against new tool categories, new shadow AI findings, and new employee questions. 


What Makes an AI Acceptable Use Policy Real for SMB Employees 

For SMB leadership, the test of whether you have a real AUP is whether your employees can summarize it from memory. If they cannot, the AUP is not operating — it is a compliance prop. 


Three things make an AUP operative inside an SMB: 


  • Specific tools, not categories. Naming ChatGPT, Claude, Copilot, Gemini, and Perplexity individually is more useful than "generative AI tools." Employees know the products, not the categories. 
  • Concrete examples. "Don't paste a signed contract into ChatGPT" lands. "Don't process Restricted-classification data with unapproved tools" doesn't. 
  • A visible owner. The AUP should name the VCAIO (or the equivalent role) as the responsible person. When employees have a question, they need a name to ask. 

The AUP is the single most important governance artifact your AI practice produces. It is also the artifact most likely to drift, because the AI landscape moves faster than the policy review cycle. The discipline of revisiting the AUP every month in the AI Council is what keeps it real. 


How Lemhi Standardizes AI Acceptable Use Policy Delivery for MSPs 

Lemhi standardizes the AUP delivery so every TaaS client gets a current, environment-matched policy without the MSP rewriting from scratch. 


  • AUP template library. Standardized templates the VCAIO tailors to the client's tool inventory and data classifications. Phase 1 ships the first draft inside the engagement charter. 
  • Phase 3 revision flow. Once Copilot Quick Wins ship and real-world usage data emerges, the platform surfaces the gaps for the VCAIO to address in the revised AUP. 
  • Council integration. The Monthly AI Council includes a standing AUP review block. New tool categories, new shadow AI findings, and new employee questions all feed the next revision. 
  • Sensitivity-label and conditional-access coordination. The Continuous Scanner detects misalignments between the AUP and the technical environment, surfacing them to the PSA queue for remediation. 
  • Training tie-in. The AUP feeds the Copilot 101/102/201/202 curriculum, so what employees are taught matches what the policy requires. 

The AUP works because the practice runs it. Lemhi sells the practice. 


AI Acceptable Use Policy FAQ

Practical answers for MSPs helping SMBs define approved AI tools, data rules, disclosure requirements, enforcement, shadow AI response, and ongoing AUP review.

What is an AI Acceptable Use Policy?

An AI Acceptable Use Policy is a document that defines which AI tools employees can use, on what data, under what conditions, and what happens when rules are broken. It is the cornerstone artifact of an AI governance program.

How long should an SMB AI AUP be?

An SMB AI AUP should usually be three to five pages: long enough to be specific, but short enough that employees can actually read and apply it.

What sections should be in an SMB AUP?

An SMB AUP should include an approved tools list, allowed data classifications by tool, prohibited use cases, disclosure rules, incident response, training requirements, and review cadence.

When should we write our first AUP?

The first AUP should be written inside Phase 1 of TaaS, before tools are widely deployed. The first draft is intentionally provisional, and Phase 3 revises it against observed real-world usage.

Who writes the AUP?

The VCAIO drafts the AUP with input from HR, legal, IT, and the executive sponsor. The AI Council approves it.

How often should we revise the AUP?

The AUP should be reviewed every Monthly AI Council and revised when a tool category shifts, a shadow AI finding requires a new rule, or annually at minimum.

Do we need an AUP if we only use Microsoft Copilot?

Yes. Even single-tool environments have edge cases, including agent usage, sensitivity-label handling, customer-facing content, and employees with personal AI accounts. The AUP covers the edges.

What's the difference between an AUP and an AI policy?

Functionally, they are similar. AUP emphasizes the user-behavior dimension, while AI policy sometimes implies a broader governance framework. Lemhi uses AUP because the term aligns with HR and IT vocabulary.

Can we copy an AUP template and use it as-is?

No. The template is a starting point. The client's tool inventory, data classifications, and regulatory exposure shape the final document.

How does the AUP relate to shadow AI?

The AUP names the tools that are approved, conditional, or blocked, including the consumer alternatives that show up in shadow AI inventories. Without the AUP, shadow AI categorization is informal.

How is the AUP enforced?

Sensitivity labels classify the data; the controls that actually block high-classification data from reaching non-approved tools are the data loss prevention rules keyed on those labels and the conditional access policies that gate which accounts and devices can reach which services. The Continuous Scanner detects violations. The VCAIO surfaces patterns to the Council. HR handles individual cases. Technical enforcement only covers managed devices and accounts; a personal phone pointed at a screen is a policy and training problem, not a tooling one, which is why the AUP still has to be understood and not just deployed.
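The approved-tools list and the per-tool data classifications (sections 1 and 2 above) only enforce anything if they exist in a form a scanner can evaluate against observed usage. The following is an added example, not Lemhi's Continuous Scanner and not code from the original page: it encodes a hypothetical AUP matrix keyed on tool and account kind (so that "Claude managed: approved, claude.ai personal: blocked" is a rule rather than a footnote), parses constructed usage events of the kind a web proxy or browser DLP log produces, and emits the three finding types a Council review would want to count: blocked tools used, approved tools fed data above their tier, and tools the AUP never mentions (shadow AI). Unlabeled content is treated as Restricted, a fail-closed assumption the real AUP would have to state explicitly. Every tool name, tier limit and log line is constructed for illustration.

```python
"""Evaluate observed AI-tool usage events against an AUP tool/classification matrix.

Added example; not Lemhi's Continuous Scanner. The matrix, account kinds
and log lines are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Optional

# The page's five sensitivity tiers, least to most sensitive.
TIERS = ["Public", "Internal", "Confidential", "Restricted", "Regulated"]
RANK = {tier: i for i, tier in enumerate(TIERS)}

# Content with no sensitivity label cannot be judged, so fail closed and
# treat it as this tier (assumption; the real AUP should state its default).
UNLABELED_TIER = "Restricted"

# Hypothetical AUP matrix: (tool, account kind) -> (status, highest tier allowed).
# Consumer accounts are listed explicitly, as the page recommends.
AUP = {
    ("copilot", "managed"):    ("approved",    "Restricted"),
    ("claude", "managed"):     ("approved",    "Confidential"),
    ("claude", "personal"):    ("blocked",     None),
    ("chatgpt", "personal"):   ("blocked",     None),
    ("perplexity", "managed"): ("conditional", "Internal"),
}


@dataclass
class Event:
    ts: str
    user: str
    tool: str
    account: str            # "managed" or "personal"
    label: Optional[str]    # sensitivity label on the content sent, or None


@dataclass
class Finding:
    kind: str               # blocked_tool | tier_exceeded | unlisted_tool | unknown_label
    event: Event
    detail: str


def parse_log(text: str) -> list[Event]:
    """Parse 'ts user tool account label' lines; '-' means no label."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, tool, account, label = line.split()
        events.append(Event(ts, user, tool, account, None if label == "-" else label))
    return events


def evaluate(event: Event, aup=AUP) -> Optional[Finding]:
    """Return a Finding if the event violates the matrix, else None."""
    rule = aup.get((event.tool, event.account))
    if rule is None:
        # Not mentioned in the AUP at all: a shadow AI finding for the
        # Council to classify, not an employee violation yet.
        return Finding("unlisted_tool", event, f"{event.tool}/{event.account} not in AUP")
    status, max_tier = rule
    if status == "blocked":
        return Finding("blocked_tool", event, f"{event.tool} {event.account} account is blocked")
    tier = event.label or UNLABELED_TIER
    if tier not in RANK:
        return Finding("unknown_label", event, f"label {tier!r} is not a defined tier")
    if RANK[tier] > RANK[max_tier]:
        why = f"unlabeled content treated as {tier}" if event.label is None else tier
        return Finding("tier_exceeded", event, f"{why} sent to {event.tool}, max {max_tier}")
    return None


def scan(text: str) -> list[Finding]:
    """Run every parsed event through the matrix and keep only violations."""
    return [f for f in (evaluate(e) for e in parse_log(text)) if f]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Counts by finding kind, the shape a monthly Council review wants."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample log (not real data): ts user tool account label.
SAMPLE_LOG = """\
2026-06-10T09:12:03Z alice copilot managed Confidential
2026-06-10T09:15:41Z bob claude personal Public
2026-06-10T10:02:17Z carol claude managed Restricted
2026-06-10T10:30:00Z dave perplexity managed Internal
2026-06-10T11:45:22Z erin gemini personal -
2026-06-10T12:01:09Z frank claude managed -
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.event.ts} {f.event.user:6} {f.kind:14} {f.detail}")
    print(summarize(scan(SAMPLE_LOG)))
```

Two design points matter more than the code. First, the matrix is keyed on account kind as well as tool, because the page's own example ("Claude approved, claude.ai personal blocked") cannot be expressed otherwise and a host-based proxy rule often cannot tell the two apart. Second, an unlisted tool is reported separately from a violation: the employee broke no written rule, and the finding feeds the next Council revision of the approved-tools list rather than an HR conversation.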

Does the AUP need legal review?

For most SMBs, yes, particularly the disclosure, incident response, and training-requirement sections. The VCAIO coordinates with the client's HR and legal contacts.

How does the AUP coexist with the VCISO's security policies?

The AUP focuses on AI-specific behavior, while the VCISO's policies cover broader security posture. Where they overlap, such as data classification and sensitivity labels, the VCAIO and VCISO coordinate.

Should the AUP cover customer-facing AI content?

Yes. Disclosure rules for AI-generated customer communication should be explicit. Some jurisdictions already require disclosure when customers interact with AI in customer-facing channels, so the rule should be written to the strictest market the client actually sells into rather than to a generic standard.

How is AUP compliance measured?

AUP compliance is measured through observability, surveys, and incident counts: which tools employees actually use, what employees report, and AUP violations surfaced by the Continuous Scanner. The Council reviews all three.

Where can I learn more?

Lemhi publishes AUP templates, the AUP revision cadence, and Council review guidance as part of the TaaS practice. Sign up for Field Notes to get the weekly playbook.
