Personal AI Policy
Most people using AI professionally have no written policy for it.
I do. I published it this week.
Not because someone asked me to — because writing it forced me to answer questions I'd been leaving implicit:
- What data am I actually comfortable putting in a cloud AI?
- When do I disclose AI involvement in my work?
- Where's the line between AI assistance and AI dependency?
The short version of what I landed on:
- Four data tiers. Cloud AI stops at Tier 2. Local LLM for confidential work. Hard wall for employer and client data — no exceptions for convenience.
- One framework: Delegation, Description, Discernment, Diligence — four questions before every AI task.
- One disclosure standard: proactive. If AI touched a deliverable, I say so.
Writing it didn't change what I was doing. It made what I was doing legible — to myself, and to anyone I work with.
Full policy at matlock.ca — curious how others in IT and security are thinking about this. Do you have something written down, or are you running on implicit rules?