The risk isn't the chatbot. It's the calc someone pasted into it.
Picture a 35-person civil and structural firm. A junior EIT is behind on a retaining-wall submittal, so they drop the load assumptions and a half-finished spreadsheet into a public chatbot to "sanity check the moment." The output looks clean. It flows into the package. Six weeks later it's behind a P.E. stamp, on a permit set, with a professional's license attached to a number nobody re-derived by hand.
That is the scenario your acceptable-use policy exists to prevent — not the marketing intern using AI to tidy a proposal cover letter. The two are not the same risk, and a policy that treats them the same will be ignored on both ends.
The adoption pressure is real and worth meeting. The RSM middle-market AI survey, the San Francisco Fed small-business AI analysis, and the OECD SME AI adoption report all land on the same point: smaller firms get value when they pair the tools with workflow ownership, not when they ban them or unleash them. For an engineering shop, "workflow ownership" has a specific meaning — it means the policy maps cleanly onto your existing review hierarchy, the same chain that ends at whoever's seal goes on the sheet.
Draw the line at the stamp, not the tool
Most firms write the policy around the software — "Copilot allowed, ChatGPT free tier not." Wrong axis. The line that matters in engineering services is the deliverable's relationship to the seal. Sort every task into three buckets and the policy writes itself:
Green (assist freely): proposal and SOW language, RFI and submittal-log formatting, meeting and field-note summaries, spec-section boilerplate cleanup, code-section lookups treated as a starting point. None of this carries an engineering judgment that ends up sealed.
Yellow (assist, then a named human re-derives): drafting a calc narrative, summarizing a geotech report, flagging spec conflicts, first-pass QA checklists against a code section. AI can produce it; the engineer of record re-derives or re-verifies it and that verification is logged. The AI output is an input to judgment, never the judgment.
Red (do not put in any AI tool, approved or not): client CAD/BIM models and proprietary details, raw structural or geotechnical calculations, sealed or sealable deliverables, client-confidential site data, anything subject to ITAR or a project NDA. The reasons are blunt. First, the data leaves your control the moment it is pasted into a prompt, whatever the vendor's retention terms say. Second, an AI tool will happily return a confident wrong number, and in this trade a confident wrong number is a life-safety and liability event, not a typo.
Anchor that classification in real frameworks so it survives a client audit. The NIST AI Risk Management Framework gives you the map-measure-manage structure; CISA's AI Data Security Best Practices covers how project data can leak through prompts, retention, and training. Before any assistant touches a client file, read the vendor's own terms — Microsoft 365 Copilot's privacy and data controls and OpenAI's enterprise privacy commitments tell you whether your inputs train a model. Treat those controls as the floor that lets something move from Red to Yellow — never as a permission slip to skip review.
Make it one page your PMs will actually use
A policy nobody reads protects nobody. Cut it to a single page the project manager pins next to the QA checklist: the three buckets above, the approved-tool list with versions, the named reviewer per discipline, the one sentence that says the engineer of record owns every output behind their seal, and the escalation path when someone's unsure which bucket a task lives in. Add a quarterly look at the exceptions log — the Yellow tasks that got re-derived tell you where to invest in better tooling or training next.
Start narrow. Turn on AI for the Green column first — proposals, field-note summaries, submittal logs — and let your team feel the time savings on work that carries no liability. That builds trust faster than any all-hands memo, and it earns you the credibility to hold the Red line hard.
To pressure-test whether your project data is even clean enough for the Yellow column, run the SMB AI readiness assessment, then use the 90-day implementation plan to sequence the rollout, reviewer training, and the first pilot worth measuring.