© 2026 Agency Script, Inc.
Governance

Your Sentiment Tool Screened Out Anxious Candidates, and EEOC Called

Agency Script Editorial (Editorial Team)

March 21, 2026 · 12 min read

Tags: ai acceptable use policy, ai governance framework, agency risk management, ai compliance policy

A 14-person AI agency in Austin built a sentiment analysis tool for a staffing firm. The tool was designed to gauge candidate enthusiasm during interviews. Within three months, the staffing firm had quietly repurposed the tool to screen out candidates who showed signs of depression or anxiety. When a rejected candidate filed a complaint with the EEOC, the staffing firm pointed the finger at the agency. The agency had no acceptable use policy. No documentation limiting how the tool could be deployed. No contractual language restricting the use case. The resulting legal fight cost $340,000 in legal fees and destroyed the agency's reputation in the HR tech vertical they had spent two years building.

That story is not unusual. It is becoming the default outcome for agencies that ship AI systems without defining how those systems can and cannot be used. An acceptable use policy is not a nice-to-have governance artifact. It is the document that separates your agency from liability when a client does something reckless with the technology you built.

Why AI Acceptable Use Policies Are Non-Negotiable

Traditional software acceptable use policies focus on things like not using the service for spam or not reverse-engineering the code. AI acceptable use policies need to go much further because AI systems have capabilities that traditional software does not.

AI systems make decisions about people. A recommendation engine decides what someone sees. A scoring model decides who gets approved. A classification system decides which category someone falls into. Each of these decisions can cause real harm if the system is misused.

AI systems can be repurposed. A model trained for one purpose can often be applied to a different purpose with minimal modification. Your client might take a customer segmentation model and use it for credit scoring without telling you. Without an AUP, you have no contractual basis to object.

AI systems generate outputs that look authoritative. When an AI system produces a score, a classification, or a recommendation, the recipient often treats it as objective truth. If a client uses your system's outputs to make high-stakes decisions you never intended, the consequences can be severe.

Regulatory pressure is increasing. The EU AI Act, state-level AI regulations in the US, and sector-specific rules are all creating obligations around how AI systems can be used. Your AUP is your first line of defense in demonstrating that you took those obligations seriously.

The Anatomy of an AI Acceptable Use Policy

Your AUP needs to cover seven areas. Skip any one of them and you leave a gap that a creative client or an aggressive opposing counsel can exploit.

Permitted Uses

Start with a clear, specific list of what the AI system is designed and authorized to do. Be precise.

  • Name the use case. Do not say "customer analytics." Say "analyzing purchase history data to generate product recommendations for display on the client's e-commerce platform."
  • Name the data types. Specify exactly which data categories the system is authorized to process. If you built it for transaction data, say so. Do not leave room for someone to feed it biometric data.
  • Name the decision context. Clarify whether the system's outputs are intended as suggestions for human review or as automated decisions. This distinction matters enormously under most AI regulations.
  • Name the user population. Specify who is authorized to operate the system and who the system's outputs are intended to affect.

Prohibited Uses

This section is where most agencies fail. They either leave it out entirely or make it so vague that it is unenforceable. Your prohibited uses section needs to be explicit about the categories of misuse you are guarding against.

High-risk decision-making without human oversight. If you built a recommendation system, prohibit using it as the sole basis for decisions that materially affect individuals, such as employment, credit, insurance, housing, or law enforcement decisions, unless you specifically designed and validated it for that purpose.

Protected class discrimination. Prohibit using the system to discriminate on the basis of race, gender, age, disability, religion, national origin, sexual orientation, or any other protected characteristic. Be specific that this applies both to intentional discrimination and to using the system in ways that produce discriminatory outcomes.

Surveillance and tracking. Unless your system was specifically designed for security monitoring with appropriate safeguards, prohibit using it for employee surveillance, individual tracking, or behavioral monitoring without consent.

Deception and manipulation. Prohibit using the system to generate misleading content, create deepfakes, impersonate individuals, or manipulate people into actions they would not otherwise take.

Data scope expansion. Prohibit using the system to process data types or data sources that were not included in the original specification and validation.

Redistribution and resale. Prohibit the client from providing the system or its outputs to third parties for their independent use, unless your contract specifically allows it.

Data Requirements

Your AUP should specify the data governance requirements that the client must meet when providing data to your system.

  • Data quality standards. Specify minimum data quality requirements. If the client feeds garbage data into your system, the outputs will be garbage, and they will blame you.
  • Data consent and authorization. Require the client to confirm they have legal authorization to use the data for the specified purpose. This protects you if the client feeds your system data they should not have.
  • Data retention and deletion. Specify how long data will be retained within the system and what happens to it after the engagement ends.
  • Data locality requirements. If the system processes data in specific jurisdictions, specify where data can and cannot be stored or processed.

Output Limitations

AI systems produce outputs. Your AUP needs to set boundaries around how those outputs can be used.

  • No output as ground truth. State explicitly that system outputs are probabilistic and should not be treated as verified facts without human validation.
  • No output redistribution without context. If the client shares system outputs with third parties, require them to include appropriate context about the system's limitations and confidence levels.
  • No output in regulated filings. Unless your system was specifically validated for regulatory reporting, prohibit using its outputs in regulatory filings, legal proceedings, or official records without independent verification.

Monitoring and Compliance

An AUP is only as good as your ability to detect violations. Build monitoring requirements into the policy.

  • Usage logging. Require the client to maintain logs of how the system is used, including who accessed it, what data was processed, and what decisions were made based on its outputs.
  • Periodic review. Reserve the right to conduct periodic reviews of how the system is being used.
  • Incident reporting. Require the client to notify you within a specified timeframe if they discover the system producing unexpected or harmful outputs.
  • Audit cooperation. Require the client to cooperate with audits if you have reason to believe the AUP is being violated.

Consequences of Violation

Spell out what happens when the AUP is violated. This is not about being punitive. It is about having contractual mechanisms to protect yourself.

  • Notice and cure period. Give the client a reasonable window to correct unintentional violations. Seven to fourteen days is typical.
  • Suspension rights. Reserve the right to suspend access to the system if you identify a serious violation that could cause immediate harm.
  • Termination rights. For material or repeated violations, reserve the right to terminate the engagement immediately.
  • Liability shift. State clearly that the client assumes all liability for any harm resulting from use of the system in violation of the AUP.
  • Indemnification. Require the client to indemnify you against claims arising from their violation of the AUP.

Updates and Amendments

AI regulation and best practices are evolving rapidly. Your AUP needs a mechanism for updates.

  • Regulatory updates. Reserve the right to update the AUP when new regulations take effect that affect how the system should be used.
  • Technical updates. Reserve the right to update the AUP when system capabilities change in ways that affect appropriate use.
  • Notice requirements. Specify how much advance notice you will give before AUP changes take effect. Thirty days is standard.
  • Client acknowledgment. Require clients to acknowledge AUP updates in writing.

Building Your AUP: The Practical Process

You do not need to start from scratch for every client. Build a template and customize it for each engagement.

Step One: Risk Assessment

Before writing the AUP, assess the specific risks associated with the system you are building.

  • What decisions will this system influence? Map every decision point downstream of the system's outputs.
  • Who could be harmed? Identify every individual or group that could be negatively affected if the system is misused.
  • What is the worst realistic misuse scenario? Think about what a motivated, unethical actor could do with this system.
  • What regulations apply? Identify every regulation that could apply based on the data types, the industry, the jurisdiction, and the use case.

Step Two: Stakeholder Input

Your AUP should not be written by lawyers alone. Involve the people who understand how the system works and how it could be misused.

  • Technical team. Your engineers know the system's capabilities and limitations better than anyone. They can identify misuse scenarios that lawyers might miss.
  • Delivery team. Your project managers and account managers understand the client relationship dynamics and can flag areas where clients might push boundaries.
  • Legal counsel. Your lawyer translates the technical and business requirements into enforceable language.
  • Client stakeholders. Getting the client's input during AUP development, rather than presenting them with a finished document, increases buy-in and compliance.

Step Three: Draft and Review

Write the AUP in plain language. A policy that nobody reads because it is impenetrable legal jargon is worse than no policy at all.

  • Use short sentences and clear terms. Avoid legal jargon where plain language will do.
  • Use examples. For each prohibition, include a concrete example of what it means in practice.
  • Use visual organization. Bullet points, headers, and bold text make the policy scannable.
  • Include a summary. A one-page summary of the key permitted and prohibited uses gives busy stakeholders the essentials.

Step Four: Integration

Your AUP is useless if it sits in a drawer. Integrate it into your operational workflows.

  • Contract integration. The AUP should be incorporated by reference into your master service agreement or statement of work. Make it a contractual obligation, not a suggestion.
  • Onboarding integration. Walk the client through the AUP during project kickoff. Get their questions on the table early.
  • Training integration. Train the client's team on the AUP before they get access to the system.
  • Technical integration. Where possible, build AUP compliance into the system itself. Rate limiting, access controls, data type validation, and usage logging can all enforce AUP requirements automatically.
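An added example of the technical integration described above and of the usage logging required under Monitoring and Compliance; this is illustrative code written for this article, not the agency's or any client's system. The four Permitted Uses terms (use case, data types, decision context, user population) are encoded as a policy, every request is checked against it before a model runs, each decision becomes one JSON usage-log line, and alert_rate() derives the compliance-rate figure from those lines; the policy values, field names and roles are constructed.

```python
"""AUP gate: encode the Permitted Uses terms as data, check each inference
request against them, and log every decision as one JSON line."""
import json
from dataclasses import dataclass, field

# Constructed sample policy for a purchase-history recommender. The four keys
# mirror "Name the use case / data types / decision context / user population".
POLICY = {
    "use_cases": {"product_recommendation"},
    "data_fields": {"customer_id", "purchase_history", "cart_value"},
    "human_review_required_for": {"employment", "credit", "insurance",
                                  "housing", "law_enforcement"},
    "authorized_roles": {"merchandising_analyst"},
}

@dataclass
class Request:
    use_case: str
    decision_context: str   # what the output will be used to decide
    role: str               # who is operating the system
    payload: dict           # field name -> value handed to the model
    human_review: bool = False

@dataclass
class Verdict:
    allowed: bool
    reasons: list = field(default_factory=list)   # one tag per clause tripped

def evaluate(req: Request, policy: dict = POLICY) -> Verdict:
    """Return every prohibited-use clause the request trips, not just the first."""
    reasons = []
    if req.use_case not in policy["use_cases"]:
        reasons.append(f"use_case_not_permitted:{req.use_case}")
    extra = set(req.payload) - policy["data_fields"]
    if extra:  # data scope expansion: fields the system was never validated on
        reasons.append("data_scope_expansion:" + ",".join(sorted(extra)))
    if (req.decision_context in policy["human_review_required_for"]
            and not req.human_review):
        reasons.append(f"high_risk_without_human_review:{req.decision_context}")
    if req.role not in policy["authorized_roles"]:
        reasons.append(f"unauthorized_role:{req.role}")
    return Verdict(allowed=not reasons, reasons=reasons)

def log_record(client: str, req: Request, verdict: Verdict) -> str:
    """One JSON line per request: who, on what data, for what decision, outcome."""
    return json.dumps({"client": client, "role": req.role, "use_case": req.use_case,
                       "decision_context": req.decision_context,
                       "fields": sorted(req.payload), "allowed": verdict.allowed,
                       "aup_alerts": verdict.reasons}, sort_keys=True)

def alert_rate(log_lines) -> float:
    """Fraction of logged requests that tripped at least one AUP clause."""
    records = [json.loads(line) for line in log_lines]
    return sum(1 for r in records if r["aup_alerts"]) / len(records) if records else 0.0
```

A request that repurposes the recommender for an employment decision on interview data, as in the opening story, is refused with three separate reasons, so the log shows exactly which clauses were tripped.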

Common AUP Mistakes to Avoid

Being too vague. "The system should not be used inappropriately" is not an enforceable provision. "The system shall not be used to make automated hiring decisions without human review of each recommendation" is enforceable.

Being too restrictive. If your AUP is so restrictive that the client cannot get value from the system, they will either ignore the policy or stop working with you. Balance protection with practicality.

Treating it as a one-time document. Your AUP needs to be a living document. Review it quarterly. Update it when regulations change. Revise it when you learn about new misuse patterns.

Not getting client sign-off. An AUP that the client never explicitly agreed to is much harder to enforce. Get a signature on the AUP or confirmation that they received, read, and agreed to it.

Not having consequences. A policy without consequences is a suggestion. Make sure your AUP has teeth.

Ignoring the supply chain. If your client is using subcontractors or partners who interact with your system, your AUP needs to cover them too. Require the client to flow down AUP requirements to anyone who touches the system.

AUP Templates by Industry

Different industries have different risk profiles. Here are the key additions you should make for the most common agency verticals.

Healthcare

  • Prohibit use for clinical diagnosis without physician oversight
  • Require HIPAA-compliant data handling for all protected health information
  • Prohibit use for insurance coverage decisions without human review
  • Require audit trails that meet healthcare regulatory standards
  • Specify data retention periods aligned with medical record requirements

Financial Services

  • Prohibit use for credit scoring decisions without fair lending compliance review
  • Require audit trails meeting SEC, FINRA, or relevant regulatory requirements
  • Prohibit use for insider trading detection without appropriate legal review
  • Specify data handling requirements for personally identifiable financial information
  • Require model risk management documentation per SR 11-7 or equivalent

Human Resources

  • Prohibit use for hiring decisions without adverse impact analysis
  • Require human review of any candidate screening or scoring
  • Prohibit analysis of protected characteristics or proxies for protected characteristics
  • Specify data retention and deletion requirements for candidate data
  • Require transparency disclosures to individuals about AI involvement in decisions

Marketing and Advertising

  • Prohibit creation of deceptive or misleading content
  • Require disclosure when content is AI-generated per FTC guidelines
  • Prohibit targeting based on sensitive categories like health conditions, financial distress, or protected characteristics
  • Specify data handling requirements for consumer data per CCPA, GDPR, and similar regulations
  • Prohibit dark patterns or manipulative design enabled by AI outputs

Measuring AUP Effectiveness

Creating the AUP is step one. Measuring whether it is working is the ongoing commitment that separates governance theater from actual governance.

Compliance rate tracking. Monitor how often clients trigger AUP-related alerts in your logging systems. A high alert rate might mean the AUP is unclear or that a client needs additional training.

Incident tracking. Log every AUP violation, near-miss, and inquiry. Look for patterns that suggest the AUP needs to be updated or that certain clients need more support.

Client feedback. Survey clients annually about the AUP. Are there provisions they find confusing? Are there use cases they want to pursue but feel the AUP prohibits unnecessarily? Use this feedback to improve the policy.

Legal review. Have your attorney review the AUP at least annually, or whenever there is a significant regulatory change in a jurisdiction or industry you serve.

Benchmarking. Compare your AUP against industry standards and competitor policies. Resources such as the NIST AI Risk Management Framework and guidance published by the Partnership on AI can help you benchmark your approach.

Your Next Step

Pull up your last three client contracts. Look for the section that defines how the client can and cannot use the AI system you delivered. If that section does not exist, or if it is a generic software use provision that does not address AI-specific risks, you have a gap that needs to be closed before your next engagement.

Start with the risk assessment step above. Identify the three highest-risk misuse scenarios for your most recent deliverable. Then draft prohibited use provisions that address those scenarios specifically. That initial draft does not need to be perfect. It needs to exist. You can refine it with legal counsel and iterate based on client feedback. But the first step is having something on paper that you can point to when a client tries to use your system in ways it was never designed for.

The agencies that will thrive in the next phase of AI services are the ones that take governance seriously before they are forced to. Your acceptable use policy is the foundation of that governance posture. Build it now, while you still get to choose the terms.
