Governance is the principle. Policy is the paperwork — the actual written rules a firm adopts and a team follows. This is the paste-ready version: four policies every PR firm needs, in language a firm can take, adjust, and put into effect this week.
Quick answer. Four policies cover most of a PR firm's AI exposure: an AI Use Policy, a Client Disclosure standard, an Approved-Tools Register, and a Confidentiality rule. Draft language for each is below. Adapt it to the firm — but don't start from a blank page.
1. AI Use Policy
AI Use Policy. Staff may use firm-approved AI tools to assist with research, drafting, and production. AI-assisted work is subject to the same review and accountability standards as any other work: the staff member who uses an AI tool owns the output, including its accuracy. Every factual claim, quote, and attribution produced with AI must be verified by a person before it leaves the firm. AI tools may not be used to make final decisions on strategy, messaging approval, or client counsel.
2. Client Disclosure Standard
Client Disclosure. This firm uses AI tools to assist with research, drafting, and production across client work. AI is used as a production aid; all strategy, judgment, and final review remain the work of the firm's team. Where a client has its own policy on AI use, that policy governs and takes precedence where it is stricter than this firm's. Clients may request further detail on the firm's AI practices at any time.
3. Approved-Tools Register
Approved-Tools Register. Only the AI tools listed below, on the tiers specified, are approved for client work. Each entry records: the tool name, the approved tier (and why that tier), the type of work it is approved for, and the date last reviewed. Tools not on this register are not approved for client material. Requests to add a tool go to the AI governance owner. (Maintain as a living one-page table.)
4. Confidentiality Rule for AI Tools
AI tool use — client material. Before entering client information into any AI tool: (1) If it is not yet public, do not paste it — genericize it or leave it out. (2) Confirm model-training is turned off on the account. (3) Use the firm's approved team or enterprise accounts, not personal logins. (4) Check the client's own AI policy and follow it where it is stricter. When in doubt, treat the tool as public and leave the sensitive detail out.
How to put them in place
Adopting these is a short project, not a transformation. Approve the four policies, name one owner for them, brief the team once so everyone has read them, and put a quarterly review on the calendar. The tools and their terms move quickly — a policy written once and never revisited goes stale within a year.
