AI Acceptable Use Template: General LLM Usage

By Repacket Staff
February 10, 2025

Large Language Model (LLM) Usage Policy

Policy Owner: [Role/Department]
Last Updated: [Date]
Version: [X.X]

1. Purpose and Scope

1.1 Purpose
This policy establishes governance requirements for all Large Language Model (LLM) usage within [Organization Name]. It defines mandatory controls for preventing unauthorized data disclosure, managing LLM service access, and ensuring secure deployment of LLM technologies.

1.2 Scope
This policy applies to:
a) All employees, contractors, consultants, temporary workers, and other workers at [Organization Name]
b) All LLM interactions conducted through organization networks or resources
c) Both approved enterprise LLM services and public LLM platforms
d) All data processed through or submitted to LLM services

2. Authorized LLM Service Usage

2.1 Approved Services
The following LLM services are authorized for organizational use:
a) [Service 1] - Approved for [specific use cases]
b) [Service 2] - Approved for [specific use cases]
c) [Service 3] - Approved for [specific use cases]

Access to all other LLM services is expressly prohibited unless authorized in writing by [authorizing authority].

2.2 Service Access Requirements
All LLM service access must adhere to the following requirements:
a) Authentication through organization single sign-on (SSO)
b) Network access via Repacket’s monitoring proxy
c) Multi-factor authentication for all service accounts
d) Use of organization-provided credentials only

2.3 Access Management
[Department/Role] shall maintain:
a) Current registry of authorized users and access levels
b) Documentation of all access approvals
c) Quarterly access review and recertification
d) Immediate access termination upon role change or departure

3. Data Protection Controls

3.1 Mandatory Monitoring
All LLM interactions must route through Repacket’s monitoring proxy, which shall:
a) Scan all inputs in real-time prior to LLM submission
b) Block transmission of detected sensitive data
c) Log all scanning activities for audit purposes
d) Alert security personnel of blocked transmissions

3.2 Data Classification Requirements
The following data classifications are established for LLM usage:
a) Prohibited Data: May never be submitted to LLMs

  • Personally Identifiable Information (PII)
  • Protected Health Information (PHI)
  • Payment Card Information (PCI)
  • [Organization-specific prohibited data]

b) Restricted Data: Requires explicit approval and masking

  • Internal business metrics
  • Project codenames
  • [Organization-specific restricted data]

c) Permitted Data: May be submitted with standard controls

  • Public information
  • General business queries
  • [Organization-specific permitted data]

3.3 Data Masking Procedures
When business needs require sharing restricted data:
a) Submit written request to [security team] detailing:

  • Business justification
  • Data elements requiring masking
  • Duration of need
  • LLM service to be used

b) Implement approved masking patterns via Repacket
c) Document all masked data transmissions
d) Review compliance quarterly

4. Security Controls

4.1 Network Security Requirements
All LLM traffic must:
a) Route through Repacket’s secure proxy
b) Use encrypted connections (minimum TLS 1.2)
c) Originate from authorized network segments
d) Pass through standard security controls

4.2 Authentication Standards
Users must:
a) Use SSO for service access
b) Enable MFA on all accounts
c) Use organization-managed credentials
d) Follow password complexity requirements
e) Change credentials every [timeframe]

4.3 Session Management
All LLM sessions must:
a) Timeout after [X] minutes of inactivity
b) Require reauthentication after timeout
c) Maintain audit logs of session activity
d) Terminate upon detection of suspicious activity

5. Acceptable Use Requirements

5.1 Permitted Uses
LLM services may be used for:
a) Business-related research and analysis
b) Code development and review
c) Content creation and editing
d) Approved customer service activities
e) [Other approved uses]

5.2 Prohibited Activities
The following activities are strictly prohibited:
a) Sharing any prohibited or restricted data
b) Bypassing Repacket’s monitoring controls
c) Using unauthorized LLM services
d) Sharing access credentials
e) Processing regulated data without approval
f) [Other prohibited activities]

6. Incident Response

6.1 Incident Classification
LLM security incidents shall be classified as:
a) Critical: Confirmed sensitive data exposure
b) High: Attempted sensitive data transmission
c) Medium: Unauthorized service access
d) Low: Policy violation without data risk

6.2 Response Requirements
For all incidents:
a) Initial response within [timeframe] of detection
b) Incident documentation including:

  • Date and time of incident
  • Users involved
  • Data involved
  • Actions taken

c) Root cause analysis
d) Corrective action implementation
e) Incident review by [authority]

7. Compliance and Enforcement

7.1 Monitoring Requirements
[Security Team] shall:
a) Review Repacket monitoring logs daily
b) Conduct monthly usage pattern analysis
c) Perform quarterly compliance assessments
d) Report violations to [authority]

7.2 Enforcement
Policy violations will result in:
a) First occurrence: Written warning
b) Second occurrence: [Specific consequence]
c) Third occurrence: [Specific consequence]
d) Critical violation: [Specific consequence]

8. Training and Awareness

8.1 Required Training
All users must complete:
a) Initial LLM security training before access
b) Annual security awareness refresher
c) Policy update training as needed
d) Incident response training

8.2 Training Documentation
[Department] shall maintain:
a) Training completion records
b) Competency assessments
c) Policy acknowledgments
d) Refresher scheduling

9. Policy Administration

9.1 Review and Updates
This policy shall be:
a) Reviewed quarterly by [owner]
b) Updated based on risk assessments
c) Distributed to all affected personnel
d) Approved by [authority]

9.2 Exception Management
Policy exceptions:
a) Must be requested in writing
b) Require approval from [authority]
c) Must be documented and tracked
d) Expire after [timeframe]
e) Require periodic review

[Organization Name] reserves the right to modify this policy at any time. Questions about this policy should be directed to [contact information].

Last reviewed: [Date]
Next review due: [Date]
