June 14, 2023

How to Write a Corporate Policy for ChatGPT

ChatGPT the consumer application and its colleague technologies are governed by terms of use that may impact your use or your company's use of it. We explore how to navigate those terms with policies and vendor management.

How to Write a Corporate Policy for ChatGPT

Sleek v2.0 public release is here

Lorem ipsum dolor sit amet, consectetur adipiscing elit lobortis arcu enim urna adipiscing praesent velit viverra sit semper lorem eu cursus vel hendrerit elementum morbi curabitur etiam nibh justo, lorem aliquet donec sed sit mi at ante massa mattis.

  1. Neque sodales ut etiam sit amet nisl purus non tellus orci ac auctor
  2. Adipiscing elit ut aliquam purus sit amet viverra suspendisse potent i
  3. Mauris commodo quis imperdiet massa tincidunt nunc pulvinar
  4. Adipiscing elit ut aliquam purus sit amet viverra suspendisse potenti

What has changed in our latest release?

Lorem ipsum dolor sit amet, consectetur adipiscing elit ut aliquam, purus sit amet luctus venenatis, lectus magna fringilla urna, porttitor rhoncus dolor purus non enim praesent elementum facilisis leo, vel fringilla est ullamcorper eget nulla facilisi etiam dignissim diam quis enim lobortis scelerisque fermentum dui faucibus in ornare quam viverra orci sagittis eu volutpat odio facilisis mauris sit amet massa vitae tortor condimentum lacinia quis vel eros donec ac odio tempor orci dapibus ultrices in iaculis nunc sed augue lacus

All new features available for all public channel users

At risus viverra adipiscing at in tellus integer feugiat nisl pretium fusce id velit ut tortor sagittis orci a scelerisque purus semper eget at lectus urna duis convallis. porta nibh venenatis cras sed felis eget neque laoreet libero id faucibus nisl donec pretium vulputate sapien nec sagittis aliquam nunc lobortis mattis aliquam faucibus purus in.

  • Neque sodales ut etiam sit amet nisl purus non tellus orci ac auctor
  • Adipiscing elit ut aliquam purus sit amet viverra suspendisse potenti
  • Mauris commodo quis imperdiet massa tincidunt nunc pulvinar
  • Adipiscing elit ut aliquam purus sit amet viverra suspendisse potenti
Coding collaboration with over 200 users at once

Nisi quis eleifend quam adipiscing vitae aliquet bibendum enim facilisis gravida neque. Velit euismod in pellentesque massa placerat volutpat lacus laoreet non curabitur gravida odio aenean sed adipiscing diam donec adipiscing tristique risus. amet est placerat in egestas erat imperdiet sed euismod nisi.

“Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum”
Real-time code save every 0.1 seconds

Eget lorem dolor sed viverra ipsum nunc aliquet bibendum felis donec et odio pellentesque diam volutpat commodo sed egestas aliquam sem fringilla ut morbi tincidunt augue interdum velit euismod eu tincidunt tortor aliquam nulla facilisi aenean sed adipiscing diam donec adipiscing ut lectus arcu bibendum at varius vel pharetra nibh venenatis cras sed felis eget dolor cosnectur drolo.

ChatGPT is fun.

But there are trade-offs, particularly as it pertains to confidentiality, privacy and cybersecurity. As an individual, you have to assess those risks for yourself. As a business, you have to account for your employees, their awareness and the company’s risk tolerance.

Basically, you need an approach, a process and a policy. You might already have data classification and risk assessment policies, but those won’t be enough because of vendor risk.

First, let’s make an important distinction between the consumer tools released by OpenAI, Bing, Google and soon many others from the APIs these same companies are releasing. I won’t get too technical but using the APIs is just not as easy as using the consumer tools, such as ChatGPT, Bard, BingChat and DALL-E, etc. So, you could have multiple policies!

Second, there are different terms of use depending on which one you use, consumer tool or API. For example, the terms of use for ChatGPT state that OpenAI (the company behind ChatGPT) may use your inputs for training purposes. The terms for the APIs, however, say that they do not use your inputs for training.

This distinction makes it much more challenging to write a comprehensive policy because it requires so much explanation.

As we all know, people don’t like to read long policies.

Finally, you cannot look internal without looking external. Are your vendors using Generative AI? In this guide, I will walk through how you should frame your Generative AI policy. For each policy point I make below, I will offer corresponding questions you should be asking your vendors.

  1. The Confidentiality Problem. If you want to write a policy on Generative AI, you have to address the elephant in the room upfront and first. Do you want to ban all use? Or are you going to allow use but ban employees from inputting any confidential and/ or proprietary information? Is there any room for exception? Simply banning employees from inputting confidential or proprietary information may be easiest, both in terms of administration as well as comprehension. You should use your data classification policy, which likely has 3-4 definitions of what data is considered “public” and what data is considered “confidential” or “restricted” or “internal use only.” If so, it should be fairly easy to cross-reference that policy in this all-out ban. For example, “employees may not use Generative AI to input any confidential, restricted or internal use only data. See our Data Classification policy.” Tip: don’t forget to also cross reference your Acceptable Use policy.

For your vendors, you need to ask them if they have a Generative AI policy and if so, does it prevent employees from inputting confidential or proprietary information? Are there any exceptions to the rule?

  1. The Accuracy Problem. If you have read my posts on LinkedIn then you know I often talk about “garbage in, garbage out” with respect to training A.I. I usually like to spin this in a more positive direction and will use the “good data in, good data out” phrase instead. I do that because we use A.I. at ClearOPS. When it comes to large language models, however, I think the GIGO phrase is more appropriate because OpenAI and other companies took the approach to sweep wide and then filter out the bad stuff. At ClearOPS we took the opposite approach, which was to be very selective in what we collected. I personally think this is a better way, but that’s my bias. Anyway, their approach means that the output is not accurate. The A.I. combines information it scraped in unexpected, sometimes laughable, sometimes hurtful, ways. Plus, the current amount of disinformation on the internet is exacerbated by the tool itself because it “learns” to make stuff up.
  2. So your policy needs to address this as well. Assuming you told your employees they could use Generative AI for non-confidential inputs, then you have to also tell them that any output must be checked and verified for accuracy. This requirement may be particularly important if the output is code.

For your vendors, you need to ask them how they are verifying the output of any Generative AI used for creating code that is then put into production. You likely already ask them about their code review process and whether they follow OWASP Top 10. If not, now is a good time to add that to your vendor questionnaire.

  1. The Legality Problem. The Copyright Office, so far, has determined that an output by A.I. is not copyrightable. So, if you are allowing the use of Generative AI, your policy should include a provision about this important topic. There are a couple of examples I can give about why this is important. If the company is subject to a transaction, such as M&A or a financing, and the due diligence discovers that your code is not copyrightable, then you may suffer a loss to the value of the business or worse (assuming the code is an important part of the consideration). Another problem would be that someone else might sue your company for copyright infringement of their work that was the output you used. Again, this is only a problem if you decide to allow the use of Generative AI in your policy, but if you do, you may want to consider prohibiting the use of output for commercial purposes.

For your vendors, you have already asked if they have a Generative AI policy, which is most important to assess this risk. I think the biggest risk your vendors pose to you here is if you have asked them to do work for you that uses Generative AI and you need ownership to those deliverables. Likely, this is a contract requirement over a vendor due diligence question.

In putting together your policy, there are opportunities here for providing examples, FAQs and checks and balances. For example, if you permit the use of Generative AI in your business, perhaps you have a carve-out where confidential information may be used as input if the corresponding Generative AI license terms assert that the data is not used. Or maybe you determine that, for example, you trust Microsoft and you have read their terms, so they are the exception to the rule (I am not expressing an opinion here).

A tangent to this confidentiality problem is also the security issue. OpenAI relies on open source code, which caused them to already suffer a security incident. Therefore, you may want to ask your vendors which Generative AI providers are permitted. A note about that is that most companies rely on open source software these days so while that incident was bad, it is not uncommon. It is their response that matters and, as you can see, they did show that they have an incident response process, which is likely already a question on your security questionnaire. Course, adding questions about the use of open source and how the code is checked makes a lot of sense given this incident.

Maybe they used ChatGPT ;)

Finally, all policies have a consequences provision. Typically, it allows the company to warn or even fire the employee. I would submit that that is harsh in this context and to think outside the box. For example, if an employee inputs confidential information into ChatGPT, let them know about OpenAI’s opt out process so they can fix it. Or, if you want to check how much of the output is generated by the AI for purposes of copyright protection, check out I always think empowering employees is better than scaring them.

My parting words are to keep in mind that, as with any new technology, we want to keep these policies short, concise, easy to read and not too scary that they stymie innovation.

I, for one, love ChatGPT and we are leveraging the technology at ClearOPS. Wouldn’t it make security questionnaires and vendor management, dare I say, fun?

You’re the best,


P.S. ClearOPS is a tech startup company on a mission to bridge the gap between privacy and security empowering all businesses to build responsibly. We are intent on building an ethical A.I. company. If you support our mission, please subscribe and share.

About the author

I consider myself an advocate for human rights with a passion for every person's right to privacy, but I also hate inefficiency

Subscribe to our newsletter

Thanks for subscribing to our newsletter
Oops! Something went wrong while submitting the form.
Subscribe To Our Newsletter - Sleek X Webflow Template