AI Acceptable Use Policy (India)
AI ACCEPTABLE USE POLICY
Company: [Company Name]
Effective Date: [Effective Date] | Policy Owner: [Policy Owner]
This AI Acceptable Use Policy ("Policy") governs the use of Artificial Intelligence tools — including generative AI, large language models, AI-powered coding assistants, image generators, and AI productivity features — by employees and contractors of [Company Name] ("Company"). This Policy is governed by the Information Technology Act 2000 (IT Act), the Digital Personal Data Protection Act 2023 (DPDPA 2023), the Copyright Act 1957, and guidance from the Ministry of Electronics and Information Technology (MeitY).
1. SCOPE
1.1 This Policy applies to all employees, contractors, consultants, and interns of the Company who use AI tools in connection with their work — whether on Company-issued or personally-owned devices (subject to the BYOD Policy).
1.2 'AI tools' include: generative AI platforms (ChatGPT, Claude, Gemini, Copilot, and similar); AI coding assistants (GitHub Copilot, Cursor, Tabnine); AI image and content generators; AI-powered productivity features in office software; and custom or proprietary AI models deployed by the Company.
2. APPROVED AND PROHIBITED AI TOOLS
2.1 Approved Tools: The following AI tools are pre-approved for work use and are covered by data processing agreements that protect Company and customer data: [Approved Tools]. These tools may be used for work purposes subject to the data input restrictions in Section 3.
2.2 Unapproved Tools: AI tools not on the approved list must not be used for work purposes without following the approval process: [Approval Process]. Free-tier consumer versions of AI tools (which may use inputs to train their models) must not be used for work purposes without approval.
2.3 Approval Process for New Tools: [Approval Process]. Approval will consider: data security, DPDPA 2023 compliance, contractual protections, security certifications, and business need.
3. DATA INPUT RESTRICTIONS
3.1 Employees must NOT input the following into any AI tool (including approved enterprise tools, unless specific exceptions are granted): (a) personal data of customers, patients, employees, or other individuals, unless the tool is expressly approved for personal data processing under the Company's DPDPA 2023 data processing framework; (b) confidential business information, trade secrets, or unpublished strategic plans; (c) for employees of listed companies: unpublished price-sensitive information (UPSI) under the SEBI (Prohibition of Insider Trading) Regulations 2015; (d) client confidential information or client data without the client's explicit written consent; and (e) source code or technical architecture that constitutes Company trade secrets, unless using an enterprise AI coding tool covered by a data protection agreement.
3.2 Permitted Inputs: Employees may use AI tools for: (a) drafting, editing, and proofreading of non-confidential content; (b) research and information synthesis from publicly available sources; (c) code generation and review using approved coding AI tools, provided confidential algorithms are not shared; and (d) routine task automation where no confidential data is involved.
4. HUMAN REVIEW AND INTELLECTUAL PROPERTY
4.1 Human Review: [Human Review Required]. AI-generated outputs must not be used verbatim in client deliverables, regulatory filings, court submissions, or other high-stakes documents without review, verification, and editing by a qualified human. AI tools can make factual errors — the employee is responsible for the accuracy of any output they use.
4.2 Intellectual Property: The IP ownership of AI-generated content is uncertain under Indian law (Copyright Act 1957, Section 2(d)(vi)). Employees must: (a) document significant human creative input in AI-assisted work product; (b) disclose AI use in client deliverables where required by contract or professional rules; and (c) be aware that purely AI-generated works may not attract copyright protection.
4.3 Open-Source AI: Employees using open-source AI models must comply with the applicable open-source licence terms, which may restrict commercial use or impose copyleft obligations.
5. PROHIBITED USES
5.1 The following uses of AI tools are strictly prohibited: (a) creating deepfakes or synthetic media of real individuals without their explicit consent (Section 66D, IT Act 2000; privacy rights under Puttaswamy v. Union of India); (b) generating discriminatory, harassing, defamatory, or sexually harassing content; (c) academic or professional fraud — representing AI-generated work as the employee's own original work without disclosure, in violation of professional obligations; (d) using AI to conduct activities that violate applicable law, including the DPDPA 2023, the IT Act 2000, or the Competition Act 2002; and (e) granting AI tools unauthorised access to Company systems, credentials, or databases.
6. TRAINING, ENFORCEMENT, AND REVIEW
6.1 All employees must complete mandatory AI governance training within 30 days of this Policy's effective date and annually thereafter.
6.2 Violations of this Policy may result in disciplinary action, up to and including termination of employment. AI-related security incidents (e.g., inadvertent exposure of personal data through an AI tool) must be reported to IT security ([IT Contact Email]) immediately.
6.3 This Policy shall be reviewed at least annually and updated to reflect developments in Indian AI regulation (including MeitY guidance and the DPDPA 2023 rules), changes in approved tools, and emerging AI risks.
6.4 This Policy is governed by the laws of India and the laws of the State of [Governing State].
Authorised Signatory
________________
Signature
Employee Acknowledgement
________________
Signature
What Is a AI Acceptable Use Policy (India)?
An AI Acceptable Use Policy in India sets out the rules the organisation expects to be followed and the standards against which conduct will be judged.
The rapid proliferation of generative AI tools — including ChatGPT, Microsoft Copilot, Google Gemini, Claude, and hundreds of sector-specific AI applications — has created urgent governance challenges for Indian organisations. Employees routinely input confidential business data, customer personal data, and sensitive professional information into public AI tools, often without understanding the data security, confidentiality, and IP implications. An AI Acceptable Use Policy addresses these risks by establishing clear rules about which AI tools are approved, what data can be input, and how AI-generated outputs should be reviewed and attributed.
The DPDPA 2023 is particularly relevant for AI governance in India. The Act imposes obligations on organisations to confirm that personal data is processed for specified purposes, with appropriate security, and only to the extent necessary. Inputting customer or employee personal data into a public AI tool that stores or trains on user inputs without contractual data protection commitments is a potential DPDPA compliance risk.
An AI Acceptable Use Policy covers the governance framework for AI use: approved tools, prohibited use cases, data input restrictions, human review requirements, IP and attribution rules, and training obligations. It works alongside the company's BYOD Policy, Social Media Policy, and Cybersecurity Incident Response Plan to create a thorough digital governance framework.
The legal framework governing the AI Acceptable Use Policy (India) in India draws on several key statutes and regulatory bodies. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Parties executing a AI Acceptable Use Policy (India) in India should confirm the document reflects current law, including any amendments enacted since the original drafting date. The Indian Contract Act, 1872 sets the foundational requirements.
When Do You Need a AI Acceptable Use Policy (India)?
An AI Acceptable Use Policy is needed by every Indian organisation whose employees use AI tools — which now includes virtually every knowledge-sector organisation in India.
Technology companies, professional services firms, and startups are at the forefront of AI adoption and need clear policies to prevent data leakage through AI tools. Employees in software development, legal services, consulting, finance, and creative industries are heavy users of generative AI tools, and without governance policies, organisations face significant data protection and IP risks.
Organisations in regulated sectors — financial services (RBI oversight), healthcare (data sensitivity), and listed companies (SEBI governance requirements) — need AI governance policies that comply with sector-specific regulatory expectations around model risk management, explainability, and fair use.
Organisations that have adopted enterprise AI tools (Microsoft 365 Copilot, GitHub Copilot, Google Workspace AI features, Salesforce Einstein) need acceptable use policies that specify how these tools should and should not be used, even though enterprise tools provide stronger data contractual protections than public consumer tools.
Organisations processing personal data under the DPDPA 2023 need AI governance policies that address the DPDPA obligations triggered when personal data is processed through AI systems.
Organisations concerned about AI-related cybersecurity risks — including AI-powered phishing attacks, deepfake fraud, and prompt injection vulnerabilities — need AI governance policies that address these risks and are integrated with the Cybersecurity Incident Response Plan.
Parties in India should prepare a AI Acceptable Use Policy (India) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.
What to Include in Your AI Acceptable Use Policy (India)
A thorough AI Acceptable Use Policy for an Indian organisation should contain the following key elements.
Scope and Covered Tools: A clear definition of 'AI tools' covered by the policy, including generative AI, LLM-based assistants, AI coding tools, AI image generators, and AI-powered productivity features. Distinction between approved enterprise AI tools (subject to data processing agreements) and unapproved public AI tools.
Approved and Prohibited AI Tools: A list of approved AI tools (or a procedure for getting approval), and explicit prohibitions on using non-approved tools for work purposes without authorisation.
Data Input Restrictions: Prohibition on inputting into non-enterprise AI tools: personal data (subject to DPDPA 2023), confidential business information, trade secrets, UPSI (for listed companies), client data, and other sensitive information.
Human Review Requirements: Mandatory human review and verification of AI-generated outputs before use in client deliverables, regulatory filings, legal documents, or other high-stakes contexts — consistent with responsible AI principles.
Intellectual Property and Attribution: Rules on ownership of AI-generated outputs, attribution requirements (when and how to disclose AI use), and the process for managing IP uncertainty in AI-assisted work product.
Prohibited Use Cases: Explicit list of prohibited uses including creation of deepfakes, generating discriminatory content, academic/professional fraud, and processing data in violation of DPDPA 2023.
Cybersecurity: Prohibition on granting AI tools access to company systems or credentials without authorisation, and the procedure for reporting AI-related security incidents.
Training and Awareness: Mandatory training on AI governance, DPDPA 2023 implications, and the identification of AI-related risks.
Compliance and Review: Procedure for obtaining approval for new AI tools, annual policy review, and consequences for violations.
Additional compliance elements for a AI Acceptable Use Policy (India) used in India include: Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). The Industrial Disputes Act 1947 and state labour commissioners govern employment disputes. The Information Technology Act 2000 and IT (Reasonable Security Practices) Rules 2011 protect personal data. The Income Tax Act 1961 and Goods and Services Tax Act 2017 govern tax obligations through the Central Board of Direct Taxes (CBDT) and GST Council. Forms-legal.com provides this template as a starting point for India-compliant documentation.
Cite this page
Reference this free template in an article, syllabus, or research note:
Forms Legal. (2026). AI Acceptable Use Policy (India) (India) [Legal document template]. Forms Legal. https://forms-legal.com/india/business/policies/ai-acceptable-use-policy-india
"AI Acceptable Use Policy (India) (India)." Forms Legal, 2026, https://forms-legal.com/india/business/policies/ai-acceptable-use-policy-india.
@misc{formslegal-ai-acceptable-use-policy-india,
author = {{Forms Legal}},
title = {AI Acceptable Use Policy (India) (India)},
year = {2026},
howpublished = {\url{https://forms-legal.com/india/business/policies/ai-acceptable-use-policy-india}},
note = {Free legal document template. Based on Indian Contract Act, 1872}
}Also available for these jurisdictions:
Frequently Asked Questions
India does not yet have a dedicated Artificial Intelligence Act — unlike the European Union's AI Act 2024 — but several existing Indian statutes and emerging regulatory frameworks apply to the use of AI tools in a workplace context. The Digital Personal Data Protection Act 2023 (DPDPA 2023) is the most directly applicable statute for workplace AI use. When employees input personal data of customers, patients, employees, or other individuals into an AI system (whether a generative AI tool like ChatGPT, an AI assistant like Microsoft Copilot, or a custom AI model), the organisation (as 'data fiduciary') is responsible for ensuring that such processing is lawful, secure, and consistent with the specified purpose for which consent was obtained. AI tools that process personal data are subject to DPDPA obligations including consent, purpose limitation, data minimisation, accuracy, and security. The Information Technology Act 2000 (IT Act) and the SPDI Rules 2011 are relevant for AI tools that handle sensitive personal data — financial information, health information, passwords, and biometric data. Section 43A of the IT Act imposes civil liability on body corporates that fail to maintain reasonable security practices in handling sensitive personal data, and AI tools that process SPDI must meet the SPDI Rules' security standards. The Copyright Act 1957 raises significant questions about AI-generated content.
A well-designed AI Acceptable Use Policy for an Indian organisation should explicitly prohibit the following categories of AI use, based on legal obligations, ethical considerations, and data security risks. Input of Personal Data into Public AI Systems: Employees must not input personal data of customers, patients, employees, or other identifiable individuals into public AI tools (such as the free versions of ChatGPT, Claude, Bard/Gemini, or other tools that may use inputs to train their models) without specific authorisation and compliance review. This is because such data input may constitute a breach of the DPDPA 2023 (processing beyond the specified purpose for which data was collected from data principals) and the SPDI Rules 2011 (failure to maintain reasonable security practices for sensitive personal data). Input of Confidential Business Information: Employees must not input trade secrets, proprietary formulas, unpublished financial information, M&A plans, or other confidential business information into public AI tools. Unlike enterprise AI deployments (where data is contractually protected by data processing agreements with the AI vendor), public AI tools typically do not provide contractual confidentiality guarantees for inputs, and inputs may be stored, reviewed by the AI provider's staff, or used for model training.
The intellectual property implications of AI-generated content are among the most complex and actively evolving legal questions in India — and Indian organisations need a clear policy framework for managing AI-generated IP, even as the law continues to develop. Ownership of AI-Generated Works Under the Copyright Act 1957: Section 2(d)(vi) of the Copyright Act 1957 defines 'author' for computer-generated works as 'the person who causes the work to be created.' This provision, originally enacted to address works produced by software (rather than generative AI), is now being interpreted in the context of AI-generated content. The Copyright Office of India's position — consistent with guidance from the US Copyright Office and courts in other common law jurisdictions — is that purely AI-generated works (produced with no or minimal human creative input) may not be eligible for copyright protection. Works that involve meaningful human creative contribution in prompting, selecting, or refining AI outputs may be copyrightable, with authorship vesting in the human who caused the work to be created. For Indian organisations, this means: (a) employees using AI tools to generate content for clients should document the human creative input involved; (b) client contracts should include IP ownership provisions that clearly allocate risk for AI-generated content; and (c) assignments of IP in client work products should confirm the assignor's right to assign, acknowledging the uncertainty regarding AI-generated content.
A AI Acceptable Use Policy (India) does not legally require a lawyer in India, and individuals and businesses may draft and execute the document independently. The Indian Contract Act, 1872 does not mandate legal representation for the creation or signing of this type of document. However, seeking independent legal advice from a qualified India lawyer is recommended for transactions involving substantial financial value, complex regulatory requirements, or cross-border elements where multiple legal jurisdictions may apply. A lawyer can verify that the document complies with all applicable statutory requirements, identify potential risks specific to the transaction, and confirm that the terms adequately protect the interests of all parties involved. The Supreme Court of India has jurisdiction over disputes arising from this type of document, and Registrar of Companies (ROC) may impose additional compliance obligations depending on the nature of the underlying transaction. Professional legal review is particularly advisable where the document will be submitted to government agencies or used as evidence in legal proceedings.
A AI Acceptable Use Policy (India) does not legally require a lawyer in India, though legal advice is recommended. Under Indian law, the Indian Contract Act 1872 governs agreements. The Companies Act 2013 and Registrar of Companies (ROC) regulate corporate documents. The Information Technology Act 2000 governs electronic contracts and data protection. The Consumer Protection Act 2019 provides consumer rights. The Income Tax Act 1961 requires tax compliance. Forms-legal.com provides this template as a starting point — always review with a qualified Indian advocate for significant transactions. Under India law, Indian Contract Act, 1872, parties should seek independent legal advice from a qualified lawyer to confirm compliance with all applicable requirements. Under Indian law, the Indian Contract Act 1872 governs contractual obligations, with Section 10 setting essential requirements for valid agreements. The Companies Act 2013 regulates corporate entities through the Registrar of Companies (ROC) and Ministry of Corporate Affairs (MCA). Forms-legal.com provides this template as a starting point for India-compliant documentation.
This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer
Found an error? Let us knowRelated Documents
You may also find these documents useful:
BYOD Policy (India)
A Bring Your Own Device (BYOD) Policy for Indian businesses compliant with the Information Technology Act 2000, Digital Personal Data Protection Act 2023, and IT (Amendment) Rules 2022. Governs personal device use for work, data protection, device management, and acceptable use requirements.
Social Media Policy (India)
A comprehensive Social Media Policy for Indian businesses compliant with the Information Technology Act 2000, IT (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021, and Digital Personal Data Protection Act 2023. Governs employee personal and professional social media use.
Cybersecurity Incident Response Plan (India)
A comprehensive Cybersecurity Incident Response Plan compliant with the IT Act 2000, CERT-In Directions 2022, and Digital Personal Data Protection Act 2023. Covers incident classification, response teams, notification timelines (6-hour CERT-In rule), containment, and post-incident review.