How to Build an Acceptable Use Policy That Actually Works


Ever heard of Acceptable Use Policy (AUP)? If not, we can help you understand what it is!

An Acceptable Use Policy (AUP) is a set of rules and guidelines established by a network or system administrator that defines how users can properly use digital resources, such as computer networks, websites, and information systems. 

AUPs ensure the ethical and responsible use of resources, protect data, prevent legal liability, and maintain productivity by outlining expectations and prohibiting the misuse of the organization’s IT assets. 

In this blog, let’s discuss Alex, the IT manager at a mid-market company with about 1,200 employees, and how he built a practical, employee-friendly AUP that the employees would actually follow. 

Alex knew that his team had an AUP in place. In fact, it was buried somewhere in the HR handbook, a 12-page document of dense legal language that no one had ever looked at in years. 

Meanwhile, Alex’s reality was very different. The marketing department had subscribed to five design tools without informing the IT department. The finance team was testing a SaaS expense app that had not gone through the legal team’s security review. At the same time, engineers were pasting snippets of source code into ChatGPT.

Alex had no problems with the employees using tools that boosted their productivity, but without any visibility, every new tool created new layers of security, compliance, and financial risks. So, what was the biggest challenge? No one had read the current AUP. It was just deeply buried in a handbook, becoming irrelevant and outdated. It was written in a way that made IT look like gatekeepers rather than partners. 

For Alex, the challenge was quite evident: if he wanted employees to respect and follow the rules, he needed an AUP that they would actually read.


Why an AUP matters more than ever in a SaaS-heavy world

In Alex’s hybrid company, the old device-focused AUP was no longer enough. All the office operations were conducted across a mix of personal laptops, corporate devices, SaaS platforms, and cloud-based tools. Without the new guidelines, the organization was exposed. 

For Alex, an updated AUP wasn’t just about maintaining control over the apps employees used—it was about setting expectations early, reducing firefighting, and creating guardrails that employees could live with.

What makes an AUP actually work (and what usually fails)

Let’s understand what makes an AUP actually work and what usually fails. From Alex’s situation, the difference between an effective and a useless AUP came down to tone and relevance.

Here’s what works

1. Clear, simple language that any employee could read.

An effective AUP should use clear, simple language that the employees easily understand. Let’s consider this example. 

Instead of “Employees must refrain from using unauthorized SaaS deployments that do not comply with SOC 2 or ISO 27001,” Alex, the IT manager, can rewrite it as: “Don’t use apps that the IT department hasn’t approved. If you’d like to try something new, please use the request form.”

This simple change in language can help non-technical staff in other departments, such as HR and Finance, actually understand the rule and follow it. 

2. Collaborative tone, showing IT as a partner.

When one of the members in the marketing team wanted to test a new SEO tool, Alex did not brush off the idea by saying, “Policy forbids unapproved SaaS.” 

Instead, his AUP included a clause like: “Employees are encouraged to explore new tools. Please make sure all trials are routed through IT so we can ensure data security and negotiate better licensing terms.”

This actually positions IT as an enabler, not a blocker. 

3. Concrete examples, like “Yes: Slack (approved) / No: Discord (not approved).”

In the AUP, Alex’s team decided to add “Do vs Don’t” examples side-by-side throughout the policy. For example: 

  • Yes: Use Zoom or Teams for video calls (approved).
  • No: Use FaceTime or Discord for company meetings (not approved).

Ambiguity was reduced by adding side-by-side examples throughout the AUP, making sure employees could no longer claim that they “didn’t know” which tools were allowed. 

4. SaaS-specific clauses for cloud apps and browser extensions.

Instead of only focusing on devices, Alex made sure to include SaaS-era details in the AUP, like: 

“All browser extensions must come from the approved list. Tools like Grammarly (approved) are fine, but coupon extensions like Honey are not.”

This was critical after he discovered a sales rep had installed a shopping extension that captured browsing data on CRM logins.

5. Role-based guidelines, recognizing different team needs.

Alex had to work with department heads to tailor examples:

  • Finance could only use IT-approved expense apps to ensure audit trails.
  • Developers had explicit rules on open-source library use.
  • The marketing folks could request creative tools, but had to route them through IT.

By respecting role differences, Alex was able to avoid the all-too-common complaint that IT policies discourage innovation. 

Here’s what doesn’t work

1. Legal jargon that employees ignored.

The old AUP contained lines like: “Employees are not allowed to engage in unauthorized data exfiltration or dissemination of proprietary assets via unvetted digital conduits.” The statement itself is difficult to understand. It turned out that not a single employee outside of IT could say what it meant. It is therefore important not to use technical terminology that employees can’t understand.

2. Blanket “don’t misuse IT resources” rules with no context.

When Alex joined the company, the existing AUP had a vague catch-all line included in it. It was something like: “Do not misuse IT resources.” Alex and other employees assumed it only meant “do not download movie torrents.” As a result, SaaS sprawl went on without being checked. 

3. Device-only focus, ignoring SaaS and AI tools.

Before Alex joined the company, everyone was following the 2016 AUP, which only mentioned laptops and mobile phones but contained no information on SaaS or generative AI. This gap meant employees felt free to paste sensitive data into LLM tools like ChatGPT and Google Gemini. When Alex joined the company, he made sure to update the AUP, including clear AI usage rules in it. 

4. One-size-fits-all policies that slowed innovation.

In the past, the Sales and Engineering teams had identical restrictions that slowed innovation for them. Engineers were only allowed to install testing tools, whereas Sales could not trial productivity apps. The outcome? Both teams turned to Shadow IT, bypassing IT controls completely. Alex fixed this problem by tailoring role-based guardrails. 

Alex’s takeaway: Witnessing the entire situation, Alex came to the conclusion that policies fail not because employees want to break rules; they fail because the rules are written in ways that don’t make sense in the real world. By adding clarity and examples and offering flexibility in the new AUP, Alex helped teams trust it, not ignore it. 

How to Build an AUP in 5 Steps

Let’s understand how you can build an AUP in 5 simple steps: 

1. Define what acceptable means for your company 

The first step is to define what the word “acceptable” means for your organization. Alex began by defining what the company wanted employees to do, not just what to avoid.

  • Encouraged: Use Slack or Teams for internal messaging.
  • Not allowed: Use WhatsApp or Discord for work communication.

He also went on to include language that was specific to SaaS and AI. For example, he added: “All tools used for company work, including SaaS apps, browser extensions, and AI assistants, must be visible to IT and comply with company standards.”

2. Break it down by role or department 

Instead of working on a one-size-fits-all document, Alex decided to work with department heads to tailor guidelines, like: 

  • Finance → Expense reporting apps required IT vetting for compliance.
  • Engineering → Open-source libraries needed a license review.
  • Marketing → Design subscriptions had to go through IT to avoid duplicate spend.

This role-based approach helped employees enhance their productivity while providing complete visibility to IT. 

3. Address modern risks (shadow IT, AI, browser apps)

Alex paid attention to the modern risks hitting his company at the current time, such as: 

  • Unapproved SaaS installs: Employees couldn’t expense apps without IT’s knowledge.
  • AI usage: He set boundaries on AI use: no customer data or proprietary code in ChatGPT.
  • Browser extensions: Tools like Grammarly and Honey were explicitly covered, since they could capture sensitive keystrokes.

4. Make it easy to read, share, and reference 

It is always recommended to make your AUP easy to read, share, and reference. Alex already suspected that employees wouldn’t read a dense PDF. Therefore, he decided to reformat the AUP in the following way:

  • Use short sections with plain language.
  • Include examples: “✅ Slack (approved) / ❌ Discord (not approved).”
  • Add a searchable intranet page with role-specific quick guides.

Now, instead of being buried, the AUP was visible and accessible to everyone in the company.

5. Train and reinforce (not just publish)

In the end, Alex was able to build reinforcement into workflows:

  • Onboarding: New hires signed off during setup.
  • Quarterly refreshers: Employees got short reminders about SaaS usage.
  • Offboarding: Employees who left the company lost SaaS access as part of the process.
  • Monitoring: Alex used SaaS discovery tools to detect new apps, so IT could review them before they became compliance risks.

Almost 49 percent of the surveyed corporate risk and compliance professionals said standardizing risk and compliance frameworks across their organization helped them reduce the complexity and cost of the risk and compliance process. 


Bonus: Shadow IT-specific AUP section

Alex realized it was a good idea to include a dedicated section only for Shadow IT. The section included: 

  1. Tools requiring IT approval → CRMs, AI assistants, expense software.
  2. Trial procedure → Employees could request SaaS pilots through IT, which ensured security and tracking.
  3. AI guidelines → Employees could test AI, but proprietary data was off-limits.
  4. Blocking policy → Tools detected but not approved could be blocked by IT.

This way, employees felt they had a pathway to try new tools, rather than sneaking them in.

Clarity protects everyone

It was a breakthrough moment for Alex when he realized that a good AUP doesn’t lock employees down—it actually frees them up. With clear guidelines outlined in the AUP, they can innovate safely, without letting IT play the role of a gatekeeper. 

Instead of chasing Shadow IT across the company, Alex was building a culture of shared responsibility. 

In the end, his simple message to leadership said it all:

“An AUP isn’t about IT control. It’s about clarity that protects everyone—employees, data, and the business.”

Frequently asked questions

1. What is an Acceptable Use Policy (AUP)?

It’s a set of IT usage guidelines that defines what employees are allowed (and not allowed) to do with company tools.

2. Why is an AUP important for mid-sized companies?

With the proliferation of SaaS and hybrid work, AUPs help mid-sized companies reduce Shadow IT, compliance risks, and wasted spend.

3. Should an AUP include SaaS and AI tools?

Yes, device-only policies are becoming outdated. Therefore, SaaS and AI usage must be addressed directly in the AUP.

4. How do I make my AUP easier to follow?

You can make your AUP easier to follow by using simple language, role-specific rules, and real-world examples instead of technical jargon. 

5. Can browser tracking help enforce an AUP?

Yes. Browser-level visibility enables IT to identify unapproved tools early on without resorting to heavy-handed policing.

Sara Naveed
Content Marketing Manager, EZO