Member Exclusive: What to include in your generative AI policy

Published on March 28, 2023

As employees seek guidance and reassurance on how generative AI will impact their work, communicators are once again able to provide clarity. Our Think Tank call at the end of February confirmed this, as members shared a litany of creative and fun solutions for integrating programs like ChatGPT into their content creation and ideation process, including one member who had it compose a song for a company hair metal band fronted by a gerbil.

Members of the wider Ragan community are similarly using generative AI to ease employee concerns by teaching them how such tools can streamline workflows, help ideate and outline, while creating more space for their judgment and creativity to shine.

But with new tools and efficiencies come new hazards and potential vulnerabilities. After all, Chat GPT sources its information publicly and openly stores all data you feed it — including confidential and proprietary company information. Just last week, one Twitter user identified a bug that allowed users to see other users’ chat history:

Our members understand the potential security risks that come with this tech. On that same Think Tank call last February, many of you said that employees have been instructed not to use the tool until firm guidelines and policies were in place for this precise reason.

Council member Keith Cronin shared an email from the Security Culture Team at LexisNexis that pointed employees to the parent company’s internal statement on using generative AI, explaining that employees have conditional approval to use the tech while outlining the risks it poses and guidelines to follow:

A recent blog post by law firm Debevoise and Plimpton, LLP explains why implementing policies around using ChatGPT at work minimizes potential risks around quality control, contractual breaches (say an employee unwittingly shares confidential info about a client with the tool ), privacy risks and more.

The post goes on to share some potential procedures that can help enforce your policies around ChatGPT or similar generative AI tools. They include:

  • Designing a risk rating system. This set of criteria can assess whether using ChatGPT is a low, medium or high risk depending on the use case.
  • Using a labeling system. Internally, this would require employees to mark content generated using ChatGPT with a clear label, which can also be shared externally if deemed appropriate.
  • Providing training. Training employees on both acceptable and prohibited uses of the tool is a great way to implement any policies, but it’s important the training be periodic. As these capabilities evolve, the guidance your employees receive on how to engage with it should evolve, too.
  • Monitoring. In certain instances that you are especially high risk, it may be appropriate to deploy monitoring tools (ChatGPT creator OpenAI and others have many) to determine whether information was generated using AI and in violation with company rules. If this is deemed necessary, be sure to let employees know and keep the process transparent.

Remember, these policies may look different for different business functions that have distinct use cases for the tool: An HR team that may use ChatGPT to automate employee self-service or streamline recruiting initiatives, for example, needs to spend much more time from the outset defining parameters and inputs. That may well require a separate piece of written guidance.

The National Institute of Standards and Technology (NIST) recently published its “Artificial Intelligence Risk Management Framework 1.0,” which goes much deeper into how businesses can maintain a risk-averse relationship with AI at every stage in the cycle of use. The below chart shows how AI can be implemented responsibly across all stakeholders of an organization, with “TEVV” referring to “test, evaluation, verification and validation.”

What guidelines are you including in your employee comms around generative AI? Are there any other tactics or systems you’re putting in place to keep track of these tools are being used at work? Let us know!