a work in progress

ai at work.

You don't have to settle whether AI is good or bad to make a smart call about using it at work. The real questions are about your work, your data, and your values — and those look different for every team.

We don't arrive with a fixed set of values to impose. We work with you to understand what matters to your organization, then find approaches that fit it.

a Built by ONO playbook · work in progress · builtbyono.com

the frame

under what guardrails
does this help the work
without creating risk you can't accept?

Four questions to work through, then what belongs in a policy.

allow it at all?

Usually contested internally.

does it fit our values?

Where the debate happens.

can we keep data secure?

The part worth getting exact.

what tools?

Fewer, properly vetted.

the question

the choice isn't
whether to allow it.

it's already happening

Free ChatGPT, Gemini inside Google. The real choice is sanctioned use with guardrails versus shadow use you can't see.

risk is per-use, not per-tool

Drafting a public blog post and summarizing a confidential case are not the same risk — even in the same app.

Our take, held loosely: a ban you can't enforce tends to push AI use out of sight, where no guardrail can reach it. So we lean toward sanctioned use with clear limits — some uses allowed, some restricted, some off the table.

values

your values lead.

These concerns don't get "solved," and we won't rank them for you. Which ones matter most is your call — naming the one in front of you points to the guardrail it's asking for, and that's where we start.

labor & extraction environmental cost bias copyright vendor politics security exposure

When a value matters to you, we look for a concrete way to honor it — not just a line in a policy. One example: to lower the environmental cost of hosting, we put a recent build in Iowa, on Google Cloud, one of the greener regions on the grid. Small and imperfect, but real — and the kind of solution we'll work with you to find.

data security

the account tier sets
how your data is handled.

Free ChatGPT / Gemini may train on your inputs and retain data. Business / Enterprise / Team tiers can be configured so your data is not used for training and retention is off.

The brand can be identical; the data handling is not. Anything past public data runs on a vetted enterprise tool, not a free consumer login.

the spine of the policy

three tiers.

A starting point, not a verdict — move the lines to fit your work and your values.

🟢 green

Public & non-sensitivePublic info, general knowledge, drafting from non-sensitive material → OK in approved tools.

🟡 yellow

Internal, not identifyingNotes without names, strategy framing, generic Q&A → approved enterprise tool only. No consumer tools.

🔴 red

Never goes into any third-party AIHard stop. Defined on the next slide.

🔴 the red list

what would harm someone —
or the org — if it leaked?

Personal data about clients, customers, or the people you serve
Customer, donor, or contact lists; financials; payroll
Legal strategy, litigation, contracts under NDA — anything privileged
Credentials, security & operational details — infrastructure, access
Health, HR, or other regulated personal data

Assume anything you type could be breached or subpoenaed. That set of data is the Red list — the part worth getting exactly right.

tools

fewer tools, properly vetted.

Pick one primary enterprise/business-tier assistant — no-training, retention off
Evaluate on data terms — candidates like Claude Team and ChatGPT Team/Enterprise
Check AI bolted into tools you already use (Google / Microsoft / Zoom / Notion) — each has its own data terms
Avoid free consumer tiers for anything past Green

Fewer tools means a smaller vetting surface. Built by ONO and Personified can run the vetting on 1–2 finalists.

the policy

keep it to ~2 pages.

put in

Purpose & principles — tie to your org's values
Scope — staff & contractors
The data tiers + the 🔴 Red list
Approved tools + required settings
Human-in-the-loop — you own your output
Disclosure — when clients or partners are told
Bias & accuracy review before anything ships
Quarterly review — this space moves fast

leave out

Every allowed use case — you'll never finish
Brand names as the only rule — name the requirements
A 20-page legal doc nobody reads
Prohibition alone — make the easy path the compliant one

decisions

what to settle.

Agreement on the framing — tiered guardrails, not all-or-nothing
A draft 🔴 Red list, even rough
Vet 1–2 tools on data terms // owner: tbd
Draft a v0.1 policy on this structure // owner: tbd
A revisit date — roughly quarterly

where we've landed, for now

make the compliant
path the easy path.

A ban you can't enforce moves AI use out of sight. A good, guardrailed tool that's actually available removes the reason to work around it. That's where we start — then we shape the specifics around your values and how your team actually works.

a Built by ONO playbook · a living draft · builtbyono.com

ai at work.

under what guardrailsdoes this help the workwithout creating risk you can't accept?

allow it at all?

does it fit our values?

can we keep data secure?

what tools?

the choice isn'twhether to allow it.

it's already happening

risk is per-use, not per-tool

your values lead.

the account tier setshow your data is handled.

three tiers.

what would harm someone —or the org — if it leaked?

fewer tools, properly vetted.

keep it to ~2 pages.

put in

leave out

what to settle.

make the compliantpath the easy path.

under what guardrails
does this help the work
without creating risk you can't accept?

the choice isn't
whether to allow it.

the account tier sets
how your data is handled.

what would harm someone —
or the org — if it leaked?

make the compliant
path the easy path.