
Most legal teams know they need an AI use policy. The harder problem is everything that has to happen before, during, and after the drafting. Who owns it. Who signs off. How you train people on it. And how you keep a static document from becoming the thing nobody reads.
This How to Contract webinar was hosted by Mariette Clardy-Davis, Assistant Vice President and Assistant General Counsel at Primerica, with panelists Melissa Vierling, Assistant General Counsel at Primerica, Kimberley Odums, Senior Counsel for Intellectual Property and Artificial Intelligence at IEEE, and Andrea Peters, Senior Counsel and Global Head of Compliance at Interface. All three have built policies from scratch inside very different organizations, and they talked about what worked, what they would do differently, and where most legal teams get stuck.
The conversation covered the three phases of an AI policy lifecycle. The creation phase, where teams decide whether they need a policy and who should be in the room. The drafting phase, where six pillars shape what the document needs to cover. And the operational phase, where the policy either becomes a living document or quietly dies. The panel also worked through audience questions on vendor AI prohibitions, leadership buy-in, training delivery, and how to handle the spectrum from AI refusers to unrestrained super users.
Here are our top ten takeaways from the speakers' comments during the webinar:
Start before you feel ready. Kimberley said you cannot wait until you have all the answers, because AI keeps moving and your people are already using it. Have the conversation sooner than feels comfortable, and be transparent about what you do not know yet. Pull in IT, security, compliance, HR, and outside counsel where it helps. The point is to get a starting point in place that you can iterate on, not to publish something perfect.
Treat shadow AI as a policy problem you already have. Andrea said she realized she had a shadow AI problem before she had a policy problem. People were experimenting on their own without coordination, and one employee had put sensitive information into ChatGPT. That was the trigger. Note-taker bots in meetings have become another fast-moving catalyst because nobody is sure who is listening or where the data goes.
Bring the cross-functional team in early. Legal cannot do this alone. Kimberley brought IT and security in early as co-architects because they know what is actually being deployed across the network. Andrea added that compliance and HR belong in the room from day one, since compliance has to account for regulatory obligations BEFORE you pick a tool, and HR usually ends up enforcing the policy. The business teams also need a voice.
Default to a permissive policy with clear guardrails. Andrea said leadership at Interface was clear they wanted a permissive policy that gave employees broad consent to use AI within guardrails. Companies that issued do-not-use policies a couple of years ago were making a mistake. People will use AI either way, and a prohibition just pushes the activity into the shadows. A permissive policy with clear guardrails earns more compliance than a restrictive one.
Draft against the six pillars. Mariette laid out six categories that a strong AI policy needs to consider. Data integrity, risk and liability, information protection, vendor and tool accountability, human oversight and governance, and adoption culture. These are not a checklist and they are not in a prescribed order. They are the lenses that have to be on the radar of whoever is drafting, whether legal alone or a cross-functional team.
Watch the privilege issue under information protection. Andrea flagged recent case law making it clear that if non-attorney employees start with AI instead of legal to address a legal issue, privilege is probably gone forever. So your policy and your training need to make this explicit. She tells her team it does not cost anything to call legal, but it may cost a whole heck of a lot if you do not.
Build a real vendor tool review process. Andrea said teams tend to write the policy around tools they already know and skip the vendor diligence piece entirely. The tool landscape changes constantly. Your policy needs a process for evaluating new tools, plus questions about vendor AI use baked into your standard new vendor review and contract review checklists. Otherwise someone will sign up for a new AI browser extension and you will not know.
Negotiate AI prohibitions in counterparty contracts. Kimberley said when a vendor or customer contract has a no-AI clause, you have a conversation. Sometimes the counterparty pulled the language off the internet and does not actually care. Sometimes they have a rationale you need to understand. Andrea added that what most counterparties really care about is HOW you use AI, not whether you use it, so offers to use only enterprise tools, not train on their data, and not input their confidential information usually resolve the concern.
Pair the policy with a rapid decision-making mechanism. Kimberley said you can have a beautiful policy and still bottleneck your people if there is no way to get a fast answer on whether a new tool or use case is okay. If someone has to wait three weeks for approval, AI is not making them efficient. Set up a decision tree or council that meets often, so requests do not pile up and people do not back away from AI entirely or use prohibited tools out of frustration.
Operationalization is mostly culture and conversation. Andrea said the teams that adopted well were the ones whose leaders modeled the behavior and used the tools themselves. The teams that struggled treated the policy as a compliance checkbox and moved on. For the spectrum of users, you meet both extremes where they are. Show the AI refuser a use case that saves them twenty minutes on something they already do. Channel the unrestrained super user into being a champion who helps test and vet tools.








