AI Tool Usage Policy
Effective Date: April 15, 2026
Applies To: All employees, contractors, and vendors using AI tools on behalf of the company
Overview
Generative AI tools are productive, but they are also data egress points. Anything pasted into a third-party AI service may be retained, logged, or used to train future models. This policy governs which tools are permitted and what data may be shared with them.
When in doubt: paste nothing, ask first.
Approved Tools
Only AI tools that have been reviewed and added to the approved list may be used for work involving company or client data. The current approved list is maintained in the internal knowledge base.
- Approved tools have documented data retention terms, tenant isolation, and either a signed DPA or enterprise contract where client data is involved.
- Personal accounts on consumer-tier AI products are not approved for client work, even if the underlying model is the same.
- Requests to add a new tool go to IT Security with a business justification.
Prohibited Inputs
The following must never be pasted, uploaded, or referenced in prompts to any AI tool — approved or not — unless the tool is explicitly certified for that data class:
- Client credentials, API keys, tokens, or secrets of any kind
- Tenant IDs, user principal names, or other identifiers that link to a specific client
- Client PII, PHI, or financial records
- Contents of client mailboxes, SharePoint sites, or document stores
- Internal credentials, network diagrams, or IP ranges
- Contents of security incidents, breach notifications, or legal matters
If an AI tool would be useful for one of these tasks, redact first or use an approved tenant-bound deployment.
Acceptable Use
AI tools are appropriate for:
- Drafting emails, documentation, and runbooks using generic or redacted examples
- Explaining error messages and unfamiliar code when the snippets do not contain secrets or client identifiers
- Generating boilerplate scripts and configuration templates for review
- Summarizing public vendor documentation
All AI-generated output intended for clients — scripts, reports, emails — must be reviewed by a human before delivery. The person who sends it owns it.
Client-Facing AI Work
When deploying AI tools into a client environment on their behalf (Copilot rollouts, custom agents, AI-assisted workflows):
- The client’s own tenant and data-handling terms govern, not ours.
- Default to the most restrictive configuration and relax only with written client approval.
- Document what data the tool can access, what it logs, and who can see the logs.
- Never enable a feature that sends client data to an external service without the client understanding and approving it in writing.
Incident Reporting
If you accidentally paste prohibited data into an AI tool, report it immediately. This is treated as a data exposure incident, not a personal failure — fast reporting limits the blast radius.
IT Security Contact: security@techgarrison.com
After-Hours: (253) 341-4233
Policy Compliance
Violations may result in disciplinary action and, where client data is involved, client notification per our contractual obligations. Staff are responsible for knowing which tools are approved before using them.
Last reviewed: April 2026 — IT Security