
Generative AI Tool Approval Policy

Generative AI Tool Approval Policy template for reviewing employee AI use by risk, data class, and business need. It gives HR and IT a ready structure for ap...


Purpose

This policy establishes a controlled process for evaluating, approving, renewing, and revoking employee use of generative AI tools. The policy is designed to:

- support legitimate business needs;
- protect confidential, personal, and regulated data;
- reduce legal, operational, and security risk;
- help ensure compliance with employment laws, including **Title VII**, the **ADA**, the **FLSA**, the **FMLA**, and the **NLRA**; and
- define when employees may use generative AI tools for work-related tasks.

This policy is not intended to restrict lawful protected activity, including concerted activity protected by **NLRA Section 7**.

Scope

This policy applies to all employees, contractors, interns, temporary workers, and managers who access or use generative AI tools for company business. It applies to:

- company-provided AI tools;
- third-party AI services used for work;
- browser extensions, plugins, copilots, and embedded AI features;
- AI features in productivity, recruiting, HR, finance, sales, and customer support systems; and
- any employee use of generative AI that involves company data, customer data, employee data, or work product.

**California employees:** use of personal data must comply with the **California Consumer Privacy Act (CCPA)** and any applicable California privacy notices.

**EU/EEA users:** processing of personal data must comply with the **GDPR** and company-approved data transfer controls.

Definitions

- **Generative AI tool**: A system that creates text, images, code, audio, video, or other content in response to prompts.
- **Approved tool**: A generative AI tool that has completed company review and has been authorized for a defined use case.
- **Data classification**: The company's labeling of information by sensitivity, such as public, internal, confidential, restricted, or regulated.
- **Business need**: A documented operational reason for using a tool, including expected productivity, quality, customer service, or compliance benefits.
- **Human review**: Review by a qualified employee before work product is relied upon, published, submitted, or used in decision-making.
- **Restricted data**: Data that may not be entered into a generative AI tool unless explicitly approved by Legal, Privacy, and Information Security.
- **Interactive process**: The good-faith process used to evaluate a request for reasonable accommodation under the **ADA**.

Policy Statement

Employees may use generative AI tools only when all of the following are true:

1. The tool has been approved for the intended use case.
2. The use is supported by a documented business need.
3. The data to be entered is permitted under the applicable data classification rules.
4. Required training has been completed.
5. A human review is performed where required.
6. The use does not violate law, contract, confidentiality obligations, or other company policies.

Approval is limited to the specific tool, use case, user group, and data category reviewed. Approval for one use does not authorize broader use. The company may deny, limit, suspend, or revoke approval at any time based on risk, misuse, legal requirements, vendor changes, security concerns, or changes in business need.

Approval and Renewal Procedure

### 1. Request submission

Employees or managers must submit a request describing:

- the tool name and vendor;
- the business purpose;
- the data classification involved;
- the expected users and volume of use;
- whether the tool will be used for HR, recruiting, compensation, scheduling, performance, or other employment-related decisions;
- whether the tool will access personal data, confidential data, or regulated data; and
- any known vendor terms, retention settings, or training data use settings.

### 2. Review

The request must be reviewed by the appropriate approvers based on risk:

- **Manager**: confirms business need;
- **IT / Security**: reviews access controls, logging, retention, and security posture;
- **Privacy / Legal**: reviews data handling, vendor terms, and legal risk;
- **HR**: reviews employment-law implications when the tool may affect hiring, discipline, scheduling, pay, leave, accommodation, or performance management.

### 3. Approval criteria

Approval may be granted only if the review confirms:

- the tool is fit for the intended use;
- the vendor terms are acceptable;
- the data classification is compatible with the tool's controls;
- the use will not create unacceptable discrimination, wage-and-hour, privacy, or security risk; and
- required safeguards are in place.

### 4. Renewal

Approvals must be renewed at least every 12 months, and sooner if:

- the vendor changes material terms, model behavior, or data use practices;
- the business purpose changes;
- the data classification changes;
- a security incident or complaint occurs; or
- Legal, HR, or Security determines re-review is needed.

### 5. Revocation

Approval may be revoked immediately if the tool is misused, if the vendor no longer meets requirements, if the use creates legal or security risk, or if the company determines the use is no longer necessary.

Permitted and Prohibited Uses

### Permitted uses

Approved users may use generative AI tools to:

- draft internal communications;
- summarize non-confidential documents;
- brainstorm ideas;
- create first drafts of low-risk content;
- assist with coding or analysis subject to review; and
- support routine administrative tasks.

### Prohibited uses

Unless specifically approved in writing, employees must not:

- enter confidential, restricted, personal, employee, customer, payment, health, or other regulated data into an unapproved tool;
- use AI output as the sole basis for employment decisions;
- rely on AI-generated content without human review where accuracy or legal compliance matters;
- use AI to create discriminatory, harassing, deceptive, or retaliatory content;
- use AI to circumvent wage-and-hour, leave, accommodation, or recordkeeping obligations;
- submit company information to a public model that trains on prompts or outputs unless approved;
- claim AI-generated work as verified fact without checking it; or
- use AI in a way that interferes with protected employee rights under the **NLRA**.

Data Classification and Handling Rules

Employees must follow the company's data classification rules before entering any information into a generative AI tool.

- **Public data**: may be used in approved tools.
- **Internal data**: may be used only in approved tools with appropriate safeguards.
- **Confidential data**: may be used only if the tool and use case are specifically approved by Legal, Privacy, and Security.
- **Restricted or regulated data**: may not be entered unless there is explicit written approval and documented controls.

Examples of restricted or regulated data include:

- Social Security numbers;
- bank account numbers;
- payment card data;
- health information;
- immigration records;
- background check results;
- accommodation requests;
- leave records;
- compensation data;
- disciplinary records; and
- protected employee demographic data.

Employees must minimize data use, redact where possible, and avoid entering unnecessary personal information.

Employment Law and HR Safeguards

When generative AI is used in connection with hiring, promotion, scheduling, discipline, performance management, leave, accommodation, or compensation, the following safeguards apply:

- A qualified human reviewer must make the final decision.
- The tool may not be used in a way that causes disparate treatment or disparate impact on protected classes under **Title VII** or other anti-discrimination laws.
- The company must evaluate whether the tool affects exempt/non-exempt classification, overtime, or timekeeping under the **FLSA**.
- The company must not use AI to deny or interfere with rights under the **FMLA**.
- Requests for accommodation must be handled through the ADA **interactive process**.
- Employees may raise concerns about AI-related workplace issues without retaliation.

Any manager using AI for employment-related decisions must consult HR before implementation.

Roles & Responsibilities

- **Employees**: use only approved tools, follow data rules, verify output, and report errors or incidents.
- **Managers**: document business need, ensure team compliance, and escalate requests involving higher-risk use cases.
- **HR**: review employment-law impacts, oversee training for people-related use cases, and coordinate accommodation or complaint handling.
- **IT / Security**: assess vendor security, access controls, logging, retention, and incident response requirements.
- **Privacy / Legal**: review data processing, vendor terms, cross-border transfers, and regulatory obligations.
- **Procurement**: ensure vendor review and contract terms are completed before purchase or renewal.
- **Policy holder**: maintain the policy, coordinate annual review, and approve exceptions where authorized.

Compliance, Monitoring, and Discipline

The company may monitor the use of approved AI tools to the extent permitted by law and company policy. Violations of this policy may result in corrective action up to and including revocation of access, documented warning, performance improvement plan (PIP), suspension, or termination, depending on the severity of the violation and applicable law. The company will apply this policy consistently and in a manner that does not interfere with protected activity, including lawful concerted activity under the **NLRA**. Employees must promptly report suspected misuse, inaccurate outputs that affect business decisions, privacy incidents, security incidents, or vendor concerns.

Exceptions

Any exception to this policy must be approved in writing by Legal, HR, and Security, or by another designated policy holder, before the exception is used. Exceptions must specify:

- the business justification;
- the data allowed;
- the duration of the exception;
- compensating controls; and
- the review date.

Temporary exceptions should be narrowly tailored and time-limited.

Review & Revision

This policy will be reviewed at least annually and updated as needed to reflect changes in law, vendor practices, business operations, or risk profile. The policy holder is responsible for maintaining the current version, documenting revisions, and ensuring that approvals are revalidated when material changes occur.
