AI Acceptable Use Template: General LLM Usage

Large Language Model (LLM) Usage Policy
Policy Owner: [Role/Department]
Last Updated: [Date]
Version: [X.X]
1. Purpose and Scope
1.1 Purpose
This policy establishes governance requirements for all Large Language Model (LLM) usage within [Organization Name]. It defines mandatory controls for preventing unauthorized data disclosure, managing LLM service access, and ensuring secure deployment of LLM technologies.
1.2 Scope
This policy applies to:
a) All employees, contractors, consultants, temporary workers, and other workers at [Organization Name]
b) All LLM interactions conducted through organization networks or resources
c) Both approved enterprise LLM services and public LLM platforms
d) All data processed through or submitted to LLM services
2. Authorized LLM Service Usage
2.1 Approved Services
The following LLM services are authorized for organizational use:
a) [Service 1] - Approved for [specific use cases]
b) [Service 2] - Approved for [specific use cases]
c) [Service 3] - Approved for [specific use cases]
Access to all other LLM services is expressly prohibited unless authorized in writing by [authorizing authority].
2.2 Service Access Requirements
All LLM service access must adhere to the following requirements:
a) Authentication through organization single sign-on (SSO)
b) Network access via Repacket’s monitoring proxy
c) Multi-factor authentication for all service accounts
d) Use of organization-provided credentials only
2.3 Access Management
[Department/Role] shall maintain:
a) Current registry of authorized users and access levels
b) Documentation of all access approvals
c) Quarterly access review and recertification
d) Immediate access termination upon role change or departure
3. Data Protection Controls
3.1 Mandatory Monitoring
All LLM interactions must route through Repacket’s monitoring proxy, which shall:
a) Scan all inputs in real-time prior to LLM submission
b) Block transmission of detected sensitive data
c) Log all scanning activities for audit purposes
d) Alert security personnel of blocked transmissions
3.2 Data Classification Requirements
The following data classifications are established for LLM usage:
a) Prohibited Data: May never be submitted to LLMs
- Personally Identifiable Information (PII)
- Protected Health Information (PHI)
- Payment card data (PCI DSS cardholder data)
- [Organization-specific prohibited data]
b) Restricted Data: Requires explicit approval and masking
- Internal business metrics
- Project codenames
- [Organization-specific restricted data]
c) Permitted Data: May be submitted with standard controls
- Public information
- General business queries
- [Organization-specific permitted data]
3.3 Data Masking Procedures
When business needs require sharing restricted data:
a) Submit written request to [security team] detailing:
- Business justification
- Data elements requiring masking
- Duration of need
- LLM service to be used
b) Implement approved masking patterns via Repacket
c) Document all masked data transmissions
d) Review compliance quarterly
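As an added illustration (not Repacket's code and not part of this template), the following Python sketch shows the decision logic a pre-submission scanner of the kind described in 3.1 through 3.3 would apply to a prompt: prohibited data (PII, PCI) is blocked outright, restricted terms are masked before forwarding, and everything else is allowed, with a log record produced for each decision. The regexes, the codename list and the sample prompts are constructed assumptions, not organisational data.

```python
import re
from dataclasses import dataclass, field

# Constructed example of "Restricted Data" under 3.2(b): project codenames.
# A real deployment would load these from the organisation's own registry.
RESTRICTED_TERMS = ["Project Falcon", "Bluebird"]

# Constructed detectors for two "Prohibited Data" classes under 3.2(a).
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: keeps order numbers and IDs from being flagged as cards."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:       # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Decision:
    action: str                  # "allow", "mask" or "block" (3.1 b, 3.3 b)
    findings: list = field(default_factory=list)
    text: str = ""               # prompt as it would be forwarded to the LLM

    def audit_line(self, user: str) -> str:
        """Log record for 3.1(c); a "block" is what 3.1(d) would alert on."""
        return f"user={user} action={self.action} findings={','.join(self.findings) or '-'}"


def scan_prompt(prompt: str) -> Decision:
    """Classify a prompt against 3.2 and return what the proxy should do."""
    d = Decision("allow", text=prompt)
    if SSN_RE.search(prompt) or EMAIL_RE.search(prompt):
        d.findings.append("PII")
    for m in CARD_RE.finditer(prompt):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            d.findings.append("PCI")
            break
    if d.findings:               # prohibited data: never forwarded
        return Decision("block", d.findings)
    for term in RESTRICTED_TERMS:   # restricted data: forwarded only masked
        if term.lower() in d.text.lower():
            d.findings.append("RESTRICTED")
            d.text = re.sub(re.escape(term), "[MASKED]", d.text, flags=re.IGNORECASE)
    d.action = "mask" if d.findings else "allow"
    return d
```

Every prompt, including an allowed one, yields an audit line, which is what makes the quarterly compliance review in 3.3(d) possible.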
4. Security Controls
4.1 Network Security Requirements
All LLM traffic must:
a) Route through Repacket’s secure proxy
b) Use encrypted connections (minimum TLS 1.2)
c) Originate from authorized network segments
d) Pass through standard security controls
4.2 Authentication Standards
Users must:
a) Use SSO for service access
b) Enable MFA on all accounts
c) Use organization-managed credentials
d) Follow password complexity requirements
e) Change credentials every [timeframe]
4.3 Session Management
All LLM sessions must:
a) Time out after [X] minutes of inactivity
b) Require reauthentication after timeout
c) Maintain audit logs of session activity
d) Terminate upon detection of suspicious activity
5. Acceptable Use Requirements
5.1 Permitted Uses
LLM services may be used for:
a) Business-related research and analysis
b) Code development and review
c) Content creation and editing
d) Approved customer service activities
e) [Other approved uses]
5.2 Prohibited Activities
The following activities are strictly prohibited:
a) Sharing any prohibited or restricted data
b) Bypassing Repacket’s monitoring controls
c) Using unauthorized LLM services
d) Sharing access credentials
e) Processing regulated data without approval
f) [Other prohibited activities]
6. Incident Response
6.1 Incident Classification
LLM security incidents shall be classified as:
a) Critical: Confirmed sensitive data exposure
b) High: Attempted sensitive data transmission
c) Medium: Unauthorized service access
d) Low: Policy violation without data risk
6.2 Response Requirements
For all incidents:
a) Initial response within [timeframe] of detection
b) Incident documentation including:
- Date and time of incident
- Users involved
- Data involved
- Actions taken
c) Root cause analysis
d) Corrective action implementation
e) Incident review by [authority]
7. Compliance and Enforcement
7.1 Monitoring Requirements
[Security Team] shall:
a) Review Repacket monitoring logs daily
b) Conduct monthly usage pattern analysis
c) Perform quarterly compliance assessments
d) Report violations to [authority]
7.2 Enforcement
Policy violations will result in:
a) First occurrence: Written warning
b) Second occurrence: [Specific consequence]
c) Third occurrence: [Specific consequence]
d) Critical violation: [Specific consequence]
8. Training and Awareness
8.1 Required Training
All users must complete:
a) Initial LLM security training before access
b) Annual security awareness refresher
c) Policy update training as needed
d) Incident response training
8.2 Training Documentation
[Department] shall maintain:
a) Training completion records
b) Competency assessments
c) Policy acknowledgments
d) Refresher scheduling
9. Policy Administration
9.1 Review and Updates
This policy shall be:
a) Reviewed quarterly by [owner]
b) Updated based on risk assessments
c) Distributed to all affected personnel
d) Approved by [authority]
9.2 Exception Management
Policy exceptions:
a) Must be requested in writing
b) Require approval from [authority]
c) Must be documented and tracked
d) Expire after [timeframe]
e) Require periodic review
[Organization Name] reserves the right to modify this policy at any time. Questions about this policy should be directed to [contact information].
Last reviewed: [Date]
Next review due: [Date]