An AI policy for a RevOps team is a one-page document that specifies which AI tools are approved, what data each tier may touch, which tasks require human sign-off before acting on AI output, and what happens when an AI-assisted action causes an error. Without one, individual reps, ops analysts, and GTM engineers make ad-hoc decisions about what goes into Claude, which CRM data gets sent to a vendor’s AI feature, and who is allowed to act on an AI-generated forecast adjustment. Those ad-hoc decisions aggregate into a compliance and data-security problem before the team realizes they have one.
This page delivers a copyable template. The template is opinionated: it reflects the governance structure that a 10–200 person SaaS company with a 3–10 person RevOps function typically needs. Adjust tier membership and approval thresholds for your actual risk tolerance.
When to use this policy framework
Use this framework when your RevOps function is actively using two or more AI tools with access to CRM, prospect, or customer data, or when the GTM engineering team has started building AI-assisted workflows. A team running only AI writing assistants on non-CRM content can defer formal policy; as soon as AI touches pipeline data, forecast models, customer contact records, or enrichment workflows, the policy needs to exist in writing.
The framework is not designed for regulated industries (finance, healthcare, government) where data handling triggers sector-specific compliance requirements beyond what is covered here. For those, consult your legal and compliance function.
The copyable template
The section below is the policy. Copy it, replace the bracketed placeholders, and have your RevOps lead, CRO, and Security or IT lead sign off. Publish it on your internal wiki and link it from your CRM’s administrator notes.
[Company Name] RevOps AI Use Policy
Version: 1.0
Owner: [RevOps Lead Name], Revenue Operations
Last reviewed: [Date]
Next review: [Date + 6 months]
Approvers: [RevOps Lead], [CRO or VP Sales], [Head of Security or IT]
Section 1 — Scope
This policy applies to all employees and contractors who use AI tools in connection with RevOps functions including pipeline management, sales forecasting, lead routing, data enrichment, outreach sequencing, reporting, and GTM automation. It covers AI features embedded in existing tools (e.g., Salesforce Einstein, HubSpot AI features, Gong AI summaries) as well as standalone AI tools (e.g., Claude, ChatGPT, Gemini, Perplexity) and AI-assisted automation platforms (e.g., Clay, n8n with AI nodes, Zapier with AI features).
This policy does not cover AI tools used exclusively by Engineering for code generation with no access to revenue or customer data, which are governed by [link to Engineering AI policy if separate].
Section 2 — Data classification
| Tier | Definition | Examples |
|---|---|---|
| Tier 1 — Public | Information already publicly available or containing no personal or business-confidential data | Industry research, publicly available company descriptions, generic prompt templates |
| Tier 2 — Internal | Non-public company or operational data that does not contain customer personal data or deal terms | Internal playbooks, anonymized pipeline metrics, product roadmap summaries at the team level |
| Tier 3 — Confidential | Customer contact data, deal terms, ARR figures, forecast numbers, account health scores, customer communication content | CRM records, Salesforce opportunities, Gong call transcripts, email threads with customers, enrichment outputs containing PII |
| Tier 4 — Restricted | Data subject to contractual non-disclosure or regulatory data-handling requirements | Signed NDAs, MSA terms, HIPAA/SOC 2 audit artifacts, security incident details |
Section 3 — Tool approval tiers
Tier A — Enterprise approved. AI vendors with a signed data processing agreement (DPA) or enterprise data terms in place with [Company Name]. Required baseline: (1) contractual commitment that customer and prospect data is not used to train the vendor’s models, (2) tenant isolation confirmed in vendor documentation, (3) current SOC 2 Type II report on file, (4) data residency confirmed for [your primary region, e.g., US or EU]. Tier A tools may access Tier 1 through Tier 3 data. Tier 4 data requires separate written approval from [Head of Security] per use.
Current Tier A tools: [List specific tools, e.g., Salesforce Einstein (enterprise license), Gong (enterprise), Clay (enterprise), Claude Enterprise (Anthropic)]
Tier B — Personal account permitted. AI tools used on personal or free-tier accounts without an enterprise DPA. No Tier 3 or Tier 4 data may be entered, uploaded, or used as context in these tools. Permitted for Tier 1 and Tier 2 data only. Examples of typical Tier B uses: drafting generic outreach templates using made-up example details, researching industry topics with no CRM data attached, generating forecast commentary without specific deal names or ARR figures.
Current Tier B tools: [List, e.g., ChatGPT personal account, Claude.ai free tier, Perplexity personal account]
Tier C — Prohibited. Any tool not on the Tier A or Tier B list. Default state for any unevaluated AI tool regardless of vendor claims. To request evaluation for Tier A status, submit to [RevOps Lead] with a completed vendor security questionnaire.
Section 4 — Allowed and blocked tasks by tier
| Task | Tier A | Tier B |
|---|---|---|
| Drafting outreach sequences (generic templates) | Allowed | Allowed with Tier 1–2 context only |
| Drafting outreach sequences (personalized with contact or deal data) | Allowed | Blocked |
| AI-generated forecast commentary or deal summaries | Allowed | Blocked (no deal names or ARR figures) |
| Enriching contact or account records | Allowed | Blocked |
| Summarizing Gong call transcripts | Allowed (Gong enterprise tier) | Blocked |
| Analyzing pipeline or ARR data | Allowed | Blocked |
| Generating CRM data cleanup scripts | Allowed | Allowed (scripts only, no actual data sent) |
| AI-assisted lead routing rule generation | Allowed | Allowed (with anonymized or synthetic data) |
| Generating internal training materials | Allowed | Allowed with Tier 1–2 context only |
| Acting on AI-generated forecast adjustments | Allowed with human review (see Section 5) | Blocked |
Section 5 — Approval flow for AI-assisted actions
Not all AI-assisted outputs require additional approval before acting on them. The rule is: the more reversible the action and the smaller its audience, the less approval is needed. Specifically:
No additional approval required. AI-drafted email templates reviewed by the sender before sending. AI-generated data cleanup suggestions reviewed by an ops analyst before applying. AI call summaries used to update CRM notes.
Manager approval required before acting. AI-generated forecast adjustments that change a period-level forecast by more than [5]% from the rep-submitted number. AI-generated lead routing rule changes that affect more than [50] accounts. AI-assisted territory or quota model outputs used in a compensation conversation.
RevOps Lead and CRO sign-off required before acting. Any AI-generated analysis used directly in a board-level forecast submission. AI-assisted compensation plan changes. Automated workflows that send outreach to existing customers using AI-generated content without per-message human review.
Section 6 — Data residency and vendor review requirements
Data residency. All Tier 3 and Tier 4 data processed by Tier A tools must remain in [primary region, e.g., the United States / the European Economic Area]. Before approving a new Tier A tool, confirm data residency in the vendor’s DPA or security documentation. Document the confirmation in the Tier A tool registry [link to internal registry].
Vendor review checklist. Before any new AI vendor is added to Tier A, the following must be completed and documented:
- Signed DPA or enterprise data terms reviewed by [Legal or RevOps Lead]
- Confirmed: no model training on customer data (a contractual commitment, not just a policy claim)
- SOC 2 Type II report reviewed and on file (report dated within 12 months)
- Tenant isolation confirmed in vendor security documentation
- Breach notification terms reviewed: vendor must notify [Company Name] within [72] hours of a confirmed breach affecting our data
- Subprocessor list reviewed for geography-restricted data
This checklist must be completed for every new tool and re-completed at each annual policy review for existing tools. The completed checklist lives in [internal wiki link].
Section 7 — Incident response
When an AI-assisted RevOps action causes a material error — incorrect data sent to a customer, wrong forecast number submitted to the board, unintended outreach sent to an active prospect or customer — the response process is:
- Stop the action if it is ongoing (pause the sequence, reverse the CRM change if possible).
- Notify [RevOps Lead] within 24 hours. If the error affects a customer relationship or a board-reported metric, also notify [CRO] within 24 hours.
- Document what happened, what AI tool was involved, what data was used as input, and what the output was that caused the error.
- Remediate the downstream impact (correct the CRM record, send a correction to the recipient if needed, restate the metric).
- Log the incident in [internal incident log link] and schedule a postmortem if the root cause is a policy gap.
Incidents are reviewed quarterly by [RevOps Lead] to determine if the policy or tool tier assignments require updating.
Section 8 — Training and access
No RevOps team member or contractor receives Tier A tool access for RevOps purposes until they have completed the AI Use Policy training ([link to training module]). Training covers data classification, what may and may not be sent to each tool tier, the approval flow, and how to escalate uncertainty. New-hire completion deadline: 30 days from start date. Annual refresher required for all existing team members.
RevOps Lead maintains the Tier A tool access list and reviews it quarterly. Departed team members have Tier A access revoked within 24 hours of offboarding.
Section 9 — Policy review cadence
This policy is reviewed every 6 months or when a material change occurs, including: a new AI vendor entering the Tier A list, a significant change in the regulatory environment affecting data handling (e.g., new state privacy law, EU AI Act applicability determination), or an incident that reveals a gap. The policy owner [RevOps Lead] is responsible for scheduling and completing each review. Policy changes require sign-off from all three approvers named at the top.
How to operationalize the policy
Publish the policy on your internal wiki and link it from the RevOps team page, the CRM admin notes, and the onboarding checklist for any RevOps hire. Do not leave it in a shared drive folder that nobody links to.
Maintain the Tier A tool list as a live document, not as text inside the policy itself. The tool list changes more frequently than the policy framework. Separating them means you update the list without re-triggering the full approval flow.
Run the vendor review checklist before evaluating any AI tool, not after a vendor pushes to sign. Vendors will agree to add DPA terms during evaluation; those terms become harder to negotiate once the team has already adopted the tool.
Set a calendar reminder for the 6-month review before you publish the policy. A policy that isn’t reviewed on cadence is not a policy — it is a document that will contradict your actual practices within a year.
The most common failure mode in RevOps AI governance is not malicious misuse — it is individual team members and GTM engineers making reasonable-seeming decisions in the absence of written guidance. “I figured I could paste the Salesforce report into Claude since it’s anonymized” is a Tier 3 data handling decision made without a policy. The policy’s job is to make the right choice the obvious choice, not to prosecute mistakes.
Related
- AI policy for legal teams — parallel framework for the legal function; useful if your RevOps policy needs to align with a company-wide AI governance approach
- GTM engineering — the technical practice that builds AI-assisted RevOps workflows this policy governs
- Data enrichment strategies — enrichment workflows frequently involve AI and Tier 3 data; policy scope applies directly
- Claude — the enterprise AI option that meets Tier A requirements for RevOps use cases