RiskTemplates · The Daily Brief Sunday, May 24, 2026


Generative AI Acceptable Use Policy Template Guide

How to build a Generative AI Acceptable Use Policy for employees: data classification × tool tier matrix, approved tool list, pre-approved use cases, low-touch employee intake form, vendor due diligence, detection, and AI incident response.

Built for financial services risk teams · Practitioner methodology · Updated May 2026

◆ Quick answer

A GenAI Employee AUP should include a Data Classification × Tool Tier matrix, an Approved Tool List with vendor DD status (DPA, SOC 2, BAA, training opt-out), 15+ Pre-Approved Use Cases, a low-touch Employee Use Case Intake Form with cascading auto-routing, Prohibited Uses (PII into consumer tools, MNPI anywhere, credentials), Output Handling Rules by output type, and an AI Incident Response Runbook.

Guide vs. template

This guide explains what belongs in the template. The paid template gives you the editable working files so you're not rebuilding from a blank page.

Paid template includes

  • 13-tab Excel workbook (60 formulas, 3 data validations, 9 conditional formatting groups)
  • Data Classification × Tool Tier Matrix — Public / Internal / Confidential / Restricted mapped to Consumer / Enterprise / Prohibited
  • Approved Tool List — 10 starter entries with vendor DD status (DPA, SOC 2, BAA, training opt-out, data residency)
  • 15 Pre-Approved Use Cases — the productivity payoff (employees self-serve common patterns)

What is this template for?

A Generative AI Acceptable Use Policy is the framework that compliance, IT, and AI governance leads use to govern employee use of GenAI tools (ChatGPT, Claude, Microsoft Copilot, Google Gemini, GitHub Copilot, and AI features embedded in third-party SaaS), separately from production AI/ML systems, which go through the model risk management framework. The useful version is data-classification-led (Public / Internal / Confidential / Restricted), tool-tiered (consumer / enterprise / prohibited), and includes a pre-approved use cases list so employees self-serve common patterns. A low-touch employee intake form auto-routes anything new (new tool, new use case, new data class) without bottlenecking on compliance for every prompt.

◆ Audience

Who needs this.

  • Your employees are already using ChatGPT or Copilot and you need a structured framework — not a ban that pushes use underground.
  • Your existing AI policy was built for production model risk (SR 11-7 / interagency 2026 MRM / NIST AI RMF) and doesn't cover employee-facing GenAI tools.
  • You want a Pre-Approved Use Cases list so employees self-serve common patterns instead of bottlenecking on compliance for every prompt.
  • You need a Vendor DD Register documenting DPA / SOC 2 / training opt-out / BAA status for each approved tool.
  • You have a shadow AI problem and need detection (DLP, browser allow-list, shadow AI scanning) plus a non-punitive intake culture so employees self-report.

◆ Implementation roadmap

How to roll this out.

01

Align Data Classification Matrix with your existing Information Classification Policy

Owner · AI Governance Lead with CISO + Privacy

Output · Four-class matrix (Public / Internal / Confidential / Restricted) mapped to tool tiers; employees know which tier they can use for which class

02

Populate Approved Tool List with your organization's actual enterprise tenants and contract details

Owner · IT + AI Governance Lead

Output · Tool list with vendor DD status (DPA, SOC 2, BAA, training opt-out) per tool; consumer tools (personal accounts) restricted to Public data only; prohibited tools (local LLMs, AI browser extensions, etc.) explicitly listed so the browser allow-list and DLP rules have something concrete to enforce

03

Customize Pre-Approved Use Cases (15+ common patterns) so employees self-serve

Owner · AI Governance Lead with business leads

Output · List of common patterns (drafting emails, code review, summarizing public docs, etc.) each marked Permitted / Conditional / Prohibited with output handling required and owner identified

04

Roll out the Use Case Intake Form for new tools / use cases / data classes

Owner · AI Governance Lead + HR

Output · ~5-minute structured form with 18+ data validation dropdowns; cascading auto-routing formula produces Approved / Conditional / Route to Vendor DD / Escalate / Declined

05

Configure Detection & Monitoring with IT Security (DLP, browser allow-list, shadow AI scanning) and stand up the AI Incident Response Runbook

Owner · IT Security + AI Governance Lead + CISO

Output · DLP rules covering known AI domains; managed-browser allow-list; quarterly shadow AI scan; IR runbook with 8 incident types and severity-tiered response (intake culture for shadow AI; discipline reserved for prohibited uses). Note that domain-based DLP and allow-listing only see traffic to stand-alone AI endpoints: AI features embedded in SaaS you have already approved ride on that vendor's existing domains, so those need to be covered through the Approved Tool List and vendor DD rather than network detection.
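The shadow AI scan in step 05 is the piece most teams end up scripting themselves, so here is an added worked example of one (illustrative code written for this guide, not part of the kit). It classifies proxy-log traffic into the guide's tool tiers, aggregates uploads per user and tool, and emits intake events rather than disciplinary findings. The approved-tenant domains, the log format and every log line are constructed for the example; the consumer-tier domain list is illustrative and must be maintained, and the label heuristic for unknown AI hosts is deliberately noisy and only produces review candidates.

```python
"""Shadow AI scan over proxy logs, classified by the AUP tool tiers.

Added example for this guide; domains, log format and log lines are
constructed and the approved-tool entries are hypothetical placeholders.
"""
import re
from collections import defaultdict

# Hypothetical Approved Tool List entries (Enterprise tier). Replace the
# placeholder hostnames with your tenant-specific endpoints; the DD fields
# mirror the register columns (DPA, training opt-out).
APPROVED_ENTERPRISE = {
    "chat.corp-tenant.example": {"tool": "Enterprise chat tenant", "dpa": True, "training_opt_out": True},
    "copilot.corp-tenant.example": {"tool": "Enterprise Copilot tenant", "dpa": True, "training_opt_out": True},
}

# Consumer-tier endpoints of the tools the guide names (illustrative list;
# vendors add domains, so keep it maintained). Consumer tier = Public data only.
CONSUMER_AI = {
    "chatgpt.com": "ChatGPT (consumer)",
    "chat.openai.com": "ChatGPT (consumer)",
    "claude.ai": "Claude (consumer)",
    "gemini.google.com": "Gemini (consumer)",
    "copilot.microsoft.com": "Copilot (consumer)",
}

# Hostname labels that suggest an AI tool on neither list. Noisy by design
# (every .ai host matches): these are review candidates, not findings.
CANDIDATE_LABELS = {"ai", "llm", "gpt", "copilot", "openai", "anthropic", "assistant"}

# Constructed log format: "<ts> user=<u> dst=<host> method=<M> bytes_out=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<host>\S+) "
    r"method=(?P<method>[A-Z]+) bytes_out=(?P<bytes_out>\d+)$"
)

SAMPLE_LOG = """\
2026-05-18T09:14:02Z user=jdoe dst=chat.corp-tenant.example method=POST bytes_out=2210
2026-05-18T09:15:40Z user=jdoe dst=chatgpt.com method=POST bytes_out=18200
2026-05-18T09:16:03Z user=jdoe dst=chatgpt.com method=GET bytes_out=310
2026-05-18T10:02:11Z user=asmith dst=claude.ai method=GET bytes_out=512
2026-05-18T10:05:27Z user=asmith dst=api.summarize-llm.example method=POST bytes_out=9800
2026-05-18T10:07:00Z user=bkim dst=mail.corp-tenant.example method=POST bytes_out=40000
2026-05-18T10:09:33Z malformed line that the parser skips
""".splitlines()


def _suffix_match(host, domains):
    """Return the listed domain that host equals or is a subdomain of."""
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def classify_host(host):
    """Map a hostname to (tier, tool) or None if it is not AI-related."""
    d = _suffix_match(host, APPROVED_ENTERPRISE)
    if d:
        return ("enterprise", APPROVED_ENTERPRISE[d]["tool"])
    d = _suffix_match(host, CONSUMER_AI)
    if d:
        return ("consumer", CONSUMER_AI[d])
    if set(re.split(r"[.-]", host.lower())) & CANDIDATE_LABELS:
        return ("candidate", host.lower())
    return None


def parse_line(line):
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def scan(lines):
    """Aggregate AI traffic as {tier: {user: {tool: {requests, bytes_out, uploads}}}}.

    'uploads' counts POST/PUT requests, i.e. data leaving the tenant boundary.
    """
    agg = {t: defaultdict(dict) for t in ("enterprise", "consumer", "candidate")}
    for line in lines:
        rec = parse_line(line)
        hit = classify_host(rec["host"]) if rec else None
        if hit is None:
            continue
        tier, tool = hit
        st = agg[tier][rec["user"]].setdefault(tool, {"requests": 0, "bytes_out": 0, "uploads": 0})
        st["requests"] += 1
        st["bytes_out"] += rec["bytes_out"]
        if rec["method"] in ("POST", "PUT"):
            st["uploads"] += 1
    return {tier: dict(users) for tier, users in agg.items()}


def intake_events(summary, upload_bytes_threshold=4096):
    """Convert a scan into intake events (non-punitive, per the runbook):
    consumer-tier uploads above the threshold, plus every candidate host."""
    events = []
    for user, tools in summary["consumer"].items():
        for tool, st in tools.items():
            if st["uploads"] and st["bytes_out"] >= upload_bytes_threshold:
                events.append({"kind": "consumer_upload", "user": user, "tool": tool, "bytes_out": st["bytes_out"]})
    for user, tools in summary["candidate"].items():
        for host, st in tools.items():
            events.append({"kind": "unknown_ai_host", "user": user, "tool": host, "bytes_out": st["bytes_out"]})
    return sorted(events, key=lambda e: (e["kind"], e["user"], e["tool"]))


if __name__ == "__main__":
    for ev in intake_events(scan(SAMPLE_LOG)):
        print(f"{ev['kind']:16} {ev['user']:8} {ev['tool']:32} {ev['bytes_out']} bytes out")
```

On the constructed sample this yields two intake events: a consumer-tier upload from jdoe (who also uses the enterprise tenant, the typical "enterprise tool was too slow" story the intake form is meant to surface) and an unknown AI-looking host used by asmith; bkim's large upload to the mail server is ignored because the host is on neither list. Tune the upload threshold and the candidate labels to your proxy's noise floor, and feed the events into the intake process, not HR.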

◆ Ready to use it?

Download the GenAI Employee AUP Kit.

Use the guide to understand the structure, or buy the editable template to move faster.

◆ FAQ

Frequently asked questions.

How is a GenAI Employee AUP different from a model risk management policy?

MRM governs production AI/ML systems that produce outputs used in business decisions — credit scoring models, fraud detection, AML monitoring. Those systems go through validation, governance committees, monitoring per SR 11-7 / the 2026 interagency revised MRM guidance / NIST AI RMF. The GenAI Employee AUP covers the layer above MRM: ChatGPT, Claude, Copilot, Gemini, and AI features embedded in third-party SaaS — employee-facing tools that sit in front of every desktop. Two distinct policies; complementary, not duplicative.

Won't employees just go around the policy?

They will if the policy is a ban or makes every prompt require permission. The fix is the Pre-Approved Use Cases list — 15+ common patterns (drafting emails, summarizing public docs, code review, etc.) are pre-approved so employees self-serve. The intake form is only for new tools, new use cases for approved tools, or new data classes — ~5 minutes, structured questions, auto-routing. Detection (DLP + browser allow-list + shadow AI scanning) backstops the policy. Shadow AI incidents are handled as intake events — non-punitive — to surface unmet needs and add them to the Pre-Approved list.

Which data classes can go in which AI tools?

Public data may be used in any approved tool tier (including consumer tools used on personal accounts). Internal and Confidential data may only be used in Enterprise tools (with training opt-out and a DPA in place). Restricted data (MNPI, PHI, credentials, attorney-client privileged) is generally prohibited in any AI tool; specific exceptions require pre-approval. The matrix is the load-bearing piece of the policy: the classification of the data you are about to input determines which tier of tool you may use, and an employee who cannot classify the data should treat it as Restricted until someone can.

Does this cover the Colorado AI Act, EU AI Act, and similar state laws?

The kit's Prohibited Uses include AI-only adverse-action decisions about customers without meaningful human review — an approach informed by ECOA, FCRA, the Colorado AI Act (revised effective date June 30, 2026 — verify current status with counsel), and other emerging state-law frameworks under which AI-driven decisions about consumers generally call for meaningful human review. For EU AI Act exposure, additional review with EU counsel is recommended; the framework is structurally compatible but does not include EU-specific compliance attestations.
