Creating an AI Policy for Social Media

We’d been talking about creating a formal AI usage policy for a while. Talking, debating, drafting a few notes, then getting distracted by actual client work. You know how it goes.

What finally forced our hand was a major food brand’s RFP. They didn’t just want to know what we’d do for their social media. They wanted to know exactly how we use AI, asking nine specific questions about our capabilities, our process, our safeguards, and our ethics. It was a thorough grilling, and honestly, a useful one. It forced us to articulate something we’d been practicing informally for years but hadn’t written down.

We answered their questions. Then we turned those answers into our first official AI usage policy. Here’s what we learned along the way, and what we think every agency, and frankly every brand evaluating agencies, should be thinking about.

The Most Important Thing We Put in Writing

I could lead with a lot of things. Data security. Client transparency. Content generation guidelines. All of it matters. But if you only take one thing from our policy, it’s this:

If you used AI in a process, you own the output. That means you reviewed it, approved it, and are accountable for it.

AI is not a coworker. It doesn’t have skin in the game. It doesn’t know your client’s brand history, their last crisis, or why a certain word choice is going to land wrong. It generates plausible-sounding content, sometimes brilliantly, sometimes badly, and it has absolutely no stake in the outcome. You do. So you own it.

This sounds obvious until you watch someone copy-paste an AI output into a client deliverable without really reading it. Or use AI to draft a social caption, glance at it, and approve it because it looked fine at first pass. That’s not ownership, that’s delegation to a tool that can’t be held responsible. Our policy says clearly: AI is a starting point or a helpful editor. The human who used it is accountable for what comes out the other end.

How We Think About Client Transparency

This one is more nuanced than it might seem, and I think most agencies are getting it wrong in one of two directions. Either they’re hiding their AI use entirely, which is a bad look when clients find out. Or they’re over-disclosing to the point where every deliverable comes with an AI disclaimer that nobody reads.

Over-disclosure has a real cost. It’s the warning label on a beer that people stopped reading after the second time. When everything gets flagged as AI-assisted, the disclosure loses meaning, and the ones that actually matter get lost in the noise.

Our approach draws a clear line. When AI materially shaped a deliverable (AI-generated imagery in a social post, conclusions an AI reached after analyzing data, a concept that came out of an AI ideation session) we tell clients upfront. They need that information to evaluate the work properly.

When AI is just baked into the tools we use (grammar suggestions in Word, platform bidding algorithms, resizing assists in Adobe) we don’t disclose that as a matter of routine. Doing so would mean disclosing nearly everything we produce, which would quickly train clients to ignore it. What we do commit to: we always answer fully and truthfully if a client asks about AI’s role in any specific deliverable. We are not hiding our use of AI. We are just being thoughtful about what disclosure actually communicates.

The Five Questions We Ask Before Using AI on Anything

One of the things the RFP pushed us to do was create a decision framework for evaluating AI use cases, especially new ones that aren’t clearly covered by existing guidelines. We landed on five questions. I think they’re worth sharing because they apply whether you’re an agency, a brand-side team, or anyone trying to use AI responsibly in a professional context.

1. Is this sustainable? Does using AI here strengthen a long-term process, or does it just create dependency on a tool? Are we building something durable, or applying a temporary fix that creates problems later?

2. Is this optimizing creativity? Did using AI lead to the strongest idea, sharpest strategy, or best expression of the work? Or did it over-polish something that needed human originality and nuance? This is the question most teams skip, and it’s probably the most important one for creative agencies.

3. Is this cost-efficient? Does it meaningfully save time, money, or resources in a way that improves how we work? Not just marginally, meaningfully.

4. Is this reliable? Have we validated the output to make sure it’s correct, dependable, and ready to use without introducing risk? AI sounds confident even when it’s wrong. Verification is not optional.

5. Is our client comfortable with this? Clients have different tolerances for AI use. Some have explicit policies. Some have strong preferences. Some are enthusiastic. We honor wherever they land, not wherever we’d prefer they land.

These five questions don’t make every decision easy, but they make most decisions clear. When an answer is obviously no on any of them, you have your answer.

The Data Security Question Nobody Talks About Enough

Here’s the part of our policy that I think deserves more attention in the industry: you cannot feed proprietary client data, creative briefs, strategies, or anything resembling PII into an AI tool without first understanding what that tool does with your input.

This isn’t theoretical. Most of the major AI platforms, on their free and personal tiers, default to using your inputs to train their models. Here’s where things stand as of mid-2026 (though these policies change, so always verify before you start):

ChatGPT (OpenAI): Free, Plus ($20), and Pro ($200) tiers all use your inputs for model training by default. You can opt out under Settings > Data Controls > Improve the Model for Everyone (turn it off).

Claude (Anthropic): This one changed in late 2025. Anthropic shifted to an opt-out model, meaning if you didn’t actively respond to their policy change notification, your default became consent to training. Free, Pro ($20), and Max ($100) tiers all use inputs for training unless you opt out under Settings > Privacy > Help Improve Claude (turn it off).

Gemini (Google): Free and Advanced tiers default to using inputs for model training. You can opt out through Gemini Apps Activity, but note that your conversation history will no longer be available to you if you do. That trade-off may make Gemini the wrong tool for client-related work regardless of the setting.

Copilot (Microsoft): The consumer and personal tiers now train on your inputs by default following a policy change in spring 2026. M365 Copilot for business is a different story: enterprise contracts prohibit training use. If your team is using personal Copilot accounts for client work, that’s a problem worth addressing.

The rule in our policy is simple: never input client confidential information into any AI tool without first knowing which version you’re using, verifying its data policy, and opting out of training where available. When in doubt, ask before you use it.

Why We Wrote This Down

Having a written AI policy isn’t just about being able to answer RFP questions (though it helps with that). It’s about giving your team a clear framework so they’re not making individual judgment calls in a vacuum on every AI decision. It’s about being the kind of agency that has thought seriously about this, not just adopted every new tool because it was available.

Our policy ends with a note that I think is the most honest thing in it: AI capabilities are changing faster than any policy document can keep up with. When a new use case isn’t covered, apply the five questions and use good judgment. When in doubt, ask.

That’s probably the best AI policy any of us can have right now. Write down what you know. Build in a decision framework for what you don’t. And stay humble about how fast the ground is shifting.

If you’re a brand evaluating agencies on their AI practices, the questions in that RFP were excellent ones. I’d encourage you to keep asking them.