A good AI acceptable use policy (AUP) is what keeps employees productive with AI tools without exposing the organization to data leaks, copyright problems, or regulatory penalties. But many policies are written quickly and miss whole categories of risk. The AI Acceptable Use Policy Scorer reads your existing policy and tells you which best-practice topics it covers and which are absent.
How it works
The tool checks your pasted policy text against ten weighted benchmark areas drawn from common AI governance frameworks: data handling rules, defined permitted uses, explicitly prohibited uses, disclosure obligations, mandatory human review of outputs, intellectual property treatment, security and shadow-tooling controls, vendor training opt-out requirements, enforcement consequences, and policy scope and ownership.
Each area is detected through keyword and phrase patterns. The higher-risk areas — data handling, permitted and prohibited uses, and human review — carry more weight, so a policy that nails the fundamentals scores well even if it skips a minor section. The result is a 0–100 coverage score and a checklist showing exactly which sections are present.
The ten benchmark areas explained
Understanding what each area covers helps you write better policy, not just score better:
Data handling — What categories of data may employees paste or upload into AI tools? Client data, personal data, and confidential business information each need explicit treatment, including whether they are permitted at all and under what controls.
Permitted uses — A list of the specific tasks employees may use AI for (drafting, summarising, coding assistance, etc.). Without this, employees interpret “AI is allowed” very broadly.
Prohibited uses — Explicit restrictions are just as important as permissions. Common prohibitions include using AI for final employment decisions, generating content that misrepresents the organization, and processing special-category data.
Disclosure obligations — When must employees tell a client, colleague, or customer that AI was involved? Ambiguity here creates reputational and legal risk, especially in regulated industries.
Human review — A requirement to review AI output before it is relied upon, published, or sent externally. This is the single most important control for output quality and accuracy.
Intellectual property — Who owns AI-generated content? Can employees submit AI output as their own work in patents, publications, or client deliverables?
Security and shadow tooling — Controls on which tools are approved, how to handle unapproved “shadow AI,” and the security review process for new AI products.
Vendor training opt-out — Whether the organization has opted out of having its data used to train the AI provider’s models, and which tools carry this protection by default.
Enforcement — Concrete consequences for policy violations. Without this, the policy has no teeth.
Scope and ownership — Which employees, contractors, and third parties does the policy cover? Who is responsible for maintaining and updating it?
Tips and notes
Use the score as a drafting checklist rather than a grade. The most frequently missing sections are vendor training opt-out, disclosure rules, and concrete enforcement consequences. Adding clear wording for those three closes most gaps.
Because the tool matches topics rather than judging quality, a confident-sounding policy can still score poorly if it never names a topic — and a checked item still needs review by someone who knows your obligations. All analysis happens in your browser, so you can safely score internal policies that have not been published.