Responsible Use
AI coding tools raise questions beyond "does it compile" — licensing, accountability, bias, and what you ship to users.
Last reviewed: June 2026
Legal and regulatory guidance evolves. Consult your legal team for binding policy; use Team AI Policy as a starting template.
Developer Responsibilities
| Principle | Practice |
|---|---|
| You own the merge | AI suggests; you approve. Your name is on the commit. |
| Verify everything | Run the pre-production checklist before merging |
| Disclose when appropriate | Follow team norms for `ai-assisted` PR labels |
| Respect licenses | Copilot and models train on public code — understand org policy |
| Protect user data | Do not paste PII/secrets into prompts |
Bias and Fairness
Models reflect training data biases. Generated code can:
- Use exclusionary examples in docs and variable names
- Assume defaults (names, locales) that exclude users
- Skew toward patterns overrepresented in open source
Review user-facing copy and business logic for fairness — especially hiring, credit, health, and moderation features.
Reference: NIST AI Risk Management Framework for structured risk assessment.
Licensing and IP
Questions to clarify with your employer/legal team:
- Are AI-generated snippets allowed in proprietary code?
- What attribution is required for open-source projects?
- Does your Copilot/enterprise plan include IP indemnity?
Primary sources:
- GitHub Copilot Terms — individual vs business terms, training and suggestions
- GitHub Copilot Trust Center — data handling and enterprise controls
- Anthropic Usage Policy — acceptable use for Claude products
- OpenAI Terms of Use — API and product obligations
When in doubt, treat AI output like code from an unknown contributor — review license compatibility.
EU AI Act (high level)
If you ship AI features in the EU, your product may face transparency and risk-management obligations depending on use case (e.g. employment, credit, law enforcement). Developers should know whether their feature is limited risk (transparency) vs high risk (conformity assessment). Official overview: EU AI Act.
This is not legal advice — route classification questions to counsel.
User-Facing AI Features
If your product uses LLMs:
- Be transparent that responses are AI-generated when users expect it
- Provide escalation to humans for high-stakes decisions
- Log and monitor for abuse (security guide)
- Do not present probabilistic output as guaranteed fact
UX patterns that work
| Pattern | Example |
|---|---|
| Label | "Generated by AI — may contain errors" below the response |
| Confidence | Show when retrieval found no matching docs ("I couldn't find this in your knowledge base") |
| Human escalation | "Talk to support" button on billing, medical, or legal topics |
| Citations | Link to source doc chunks in RAG-powered answers |
| Regenerate / edit | Let users fix bad output without starting over |
Avoid: fake human names, hiding AI involvement in customer support, or presenting guesses as verified facts.
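The patterns in the table above, combined in code. This is an added example, not code from the original page: `Chunk`, `Answer`, `compose_answer`, `render` and the keyword-based `classify_topic` are invented names, and the retrieval results and generator are constructed stand-ins for a real RAG pipeline. The point is structural: the label is always attached, an empty retrieval produces the "couldn't find this" notice instead of a confident guess, billing/medical/legal questions get the escalation affordance, and every answer built from retrieved chunks carries their source links.

```python
"""Apply the user-facing UX patterns: label, no-match notice, escalation, citations."""
from dataclasses import dataclass
from typing import Callable, List, Set

AI_LABEL = "Generated by AI - may contain errors"
NO_MATCH_NOTICE = "I couldn't find this in your knowledge base."
# Topics that always get a human-escalation affordance (from the table above).
ESCALATION_TOPICS = {"billing", "medical", "legal"}


@dataclass
class Chunk:
    """One retrieved document chunk (hypothetical shape, not a real library type)."""
    doc_id: str
    url: str
    text: str


@dataclass
class Answer:
    text: str
    label: str
    citations: List[str]
    escalate: bool
    retrieval_empty: bool


def classify_topic(question: str) -> Set[str]:
    """Constructed keyword mapping; a production system would use a classifier."""
    keywords = {
        "billing": ("invoice", "refund", "charge", "billing"),
        "medical": ("dosage", "symptom", "diagnosis", "medical"),
        "legal": ("lawsuit", "contract", "liability", "legal"),
    }
    q = question.lower()
    return {topic for topic, words in keywords.items() if any(w in q for w in words)}


def compose_answer(question: str, chunks: List[Chunk],
                   generate: Callable[[str, List[Chunk]], str]) -> Answer:
    """Build an Answer; never call the generator when retrieval found nothing."""
    escalate = bool(classify_topic(question) & ESCALATION_TOPICS)
    if not chunks:
        # Confidence pattern: say so instead of letting the model improvise.
        return Answer(NO_MATCH_NOTICE, AI_LABEL, [], escalate, retrieval_empty=True)
    draft = generate(question, chunks)
    # Citations pattern: every chunk that informed the draft is linked.
    return Answer(draft, AI_LABEL, [c.url for c in chunks], escalate, retrieval_empty=False)


def render(answer: Answer) -> str:
    """Plain-text rendering of the answer plus its label, sources and escalation."""
    lines = [answer.text, "", answer.label]
    if answer.citations:
        lines.append("Sources: " + ", ".join(answer.citations))
    if answer.escalate:
        lines.append("[Talk to support]")
    return "\n".join(lines)


def fake_generate(question: str, chunks: List[Chunk]) -> str:
    """Constructed stand-in for the model call; echoes the first chunk."""
    return "Based on the docs: " + chunks[0].text


if __name__ == "__main__":
    kb = [Chunk("kb-12", "https://docs.example.invalid/kb/12",
                "Refunds are issued within 5 business days.")]
    print(render(compose_answer("How do I get a refund on my invoice?", kb, fake_generate)))
    print()
    print(render(compose_answer("What is the right dosage?", [], fake_generate)))
```

The generator is only invoked when retrieval returned something; that ordering is what keeps the "I couldn't find this" path from ever presenting a guess as fact.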
Environmental and Cost Awareness
Large model inference consumes energy. For high-volume features:
- Use smaller models where quality allows
- Cache responses
- Rate limit to prevent waste
See Cost, Latency, and Tokens.
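The "cache responses" and "rate limit" bullets above, as a small gateway in front of the model call. This is an added example, not code from the original page; `LLMGateway`, its constructor parameters and `fake_model` are invented for illustration. One caveat worth building in from the start: a cache keyed only on the prompt is shared across users, so it must only ever front prompts that contain no per-user data, otherwise one user's answer can leak to another. Here the cache key includes the model name and a whitespace-normalized prompt, and the rate limiter is a per-user sliding window.

```python
"""Response cache plus per-user sliding-window rate limit in front of a model call."""
import hashlib
import time
from collections import deque
from typing import Callable, Deque, Dict, Optional, Tuple


class LLMGateway:
    """Hypothetical wrapper: cache identical prompts, cap calls per user per window."""

    def __init__(self, model_call: Callable[[str, str], str], *,
                 max_calls: int, window_seconds: float,
                 clock: Callable[[], float] = time.monotonic):
        self._model_call = model_call
        self._max_calls = max_calls
        self._window = window_seconds
        self._clock = clock  # injectable so the limiter can be tested deterministically
        self._cache: Dict[str, str] = {}
        self._history: Dict[str, Deque[float]] = {}
        self.model_calls = 0  # how many times the real model was actually invoked

    @staticmethod
    def _key(model: str, prompt: str) -> str:
        # Collapse whitespace only; case or token changes may alter meaning for code.
        # CAUTION: the key has no user component, so only cache non-personalized prompts.
        normalized = " ".join(prompt.split())
        return hashlib.sha256(f"{model}\n{normalized}".encode("utf-8")).hexdigest()

    def _allow(self, user: str) -> bool:
        """Sliding window: at most max_calls timestamps within the last window_seconds."""
        now = self._clock()
        q = self._history.setdefault(user, deque())
        while q and now - q[0] >= self._window:
            q.popleft()
        if len(q) >= self._max_calls:
            return False
        q.append(now)
        return True

    def ask(self, user: str, model: str, prompt: str) -> Tuple[Optional[str], str]:
        """Return (answer, source) where source is 'cache', 'model' or 'rate_limited'."""
        key = self._key(model, prompt)
        if key in self._cache:
            return self._cache[key], "cache"  # served without spending inference
        if not self._allow(user):
            return None, "rate_limited"       # caller should surface a retry-later message
        self.model_calls += 1
        answer = self._model_call(model, prompt)
        self._cache[key] = answer
        return answer, "model"


def fake_model(model: str, prompt: str) -> str:
    """Constructed stand-in for a real inference call."""
    return f"{model}:{len(prompt)}"


if __name__ == "__main__":
    gw = LLMGateway(fake_model, max_calls=2, window_seconds=60)
    print(gw.ask("u1", "small", "hello   world"))  # model
    print(gw.ask("u1", "small", "hello world"))    # cache (same normalized prompt)
    print(gw.ask("u1", "small", "second"))         # model
    print(gw.ask("u1", "small", "third"))          # rate_limited
```

Cache hits are answered before the limiter is consulted, so repeated questions cost neither inference nor quota; distinct prompts beyond the window cap are refused until the window slides.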
Sample Team Policy Block
Paste into internal docs and customize. Full rollout guide: Team AI Policy.
## AI-Assisted Development Policy
### Approved tools
- Cursor (Business) and GitHub Copilot (Enterprise) for company repositories
- Claude Code only on non-production clones with anonymized data
### Data handling
- Do not paste customer PII, production credentials, or unreleased financials into cloud models
- Use .cursorignore / rules to exclude secrets paths
### Review requirements
- All AI-assisted PRs labeled `ai-assisted`
- Auth, payments, and infra changes require senior reviewer regardless of AI use
- Run lint, test, and build before merge — see Pre-Merge Verification checklist
### Incidents
- If secrets are pasted into a cloud model: rotate credentials within 1 hour and notify security@
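An added example of the secrets-path exclusion referenced under Data handling, not part of the original page. It assumes `.cursorignore` accepts gitignore-style patterns, which is how Cursor documents the file; the paths are typical placeholders and should be replaced with the ones your repositories actually use. The same list is a reasonable starting point for any assistant's ignore or rules file.

```gitignore
# .cursorignore - keep secret-bearing paths out of indexing and context
# (example content; adapt to your repo layout)

# Environment files and local overrides
.env
.env.*
!.env.example

# Private keys, certificates, keystores
*.pem
*.key
*.p12
*.pfx
*.jks

# Cloud and tool credentials that sometimes get committed by mistake
**/credentials
**/credentials.json
**/service-account*.json
.aws/
.kube/config

# Infra state and secret material
terraform.tfstate
terraform.tfstate.*
secrets/
**/secrets.yaml
**/*.secret.*

# Data exports that may contain customer PII
dumps/
exports/
*.sql.gz
```

Negations like `!.env.example` keep a documented template visible while the real file stays excluded; review the list whenever a new secret store or export format is introduced.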
Team Norms Checklist
- [ ] Shared AGENTS.md or rules file
- [ ] Required CI before merge
- [ ] Security review for auth/payments changes
- [ ] Document which tools are approved for company code
- [ ] Incident plan if secrets are pasted into a cloud model
- [ ] Published Team AI Policy linked from onboarding