What is an AI usage policy for a CRE firm? It is a written governance document that defines which AI tools employees may use, what data they may put into them, when human review is required, and how the firm stays compliant with confidentiality, fair housing, and emerging AI laws. As AI moves from a few power users to the whole team, a CRE firm without a usage policy is relying on individual judgment to protect confidential deal data, which is a risk no serious shop should accept. This is the governance layer that sits alongside the rest of your AI commercial real estate stack.
Key Takeaways
- An AI usage policy is the firm-wide rulebook: approved tools, prohibited data, human-review checkpoints, and compliance guardrails in one document.
- The most important section is data classification, defining what deal, tenant, and investor data may never be entered into a consumer AI tool.
- Fair housing and anti-discrimination rules apply to AI used in tenant screening and marketing, so the policy must address them directly.
- Colorado's first-in-nation AI Act was repealed and replaced in 2026, so a durable policy should rest on principles, not a single shifting statute.
- A policy only works when paired with training and enforcement; a document nobody reads changes no behavior.
What an AI Usage Policy Is, and Why a Roadmap Is Not Enough
An AI usage policy governs behavior, while an implementation roadmap sequences adoption, and a firm needs both. The roadmap answers when and how the firm will deploy AI; the policy answers what employees may and may not do with it once it is in their hands. Confusing the two leaves a dangerous gap, because a firm can be well into its rollout with no written rules on what data goes into which tool.
If you have not yet planned the rollout itself, our AI implementation roadmap for CRE firms covers that sequencing. This article is about the rules that govern day-to-day use. The two work together: the roadmap gets AI into the firm responsibly, and the usage policy keeps it there safely. A good policy is short enough to be read, specific enough to be followed, and durable enough to survive the next tool the team adopts.
Section 1: Approved Tools and Access Tiers
The first section of any AI usage policy lists which tools are approved and which tier of each tool is required, because the gap between consumer and enterprise versions is where most data risk hides. Free consumer accounts of many tools may use inputs to improve models, while enterprise and business tiers contractually do not, and that distinction should be written into the policy in plain language.
Name the approved tools explicitly (for example Claude, ChatGPT Enterprise, Microsoft 365 Copilot, and Gemini) and state that only the approved enterprise or business tier of each may be used for firm work. Require that any new tool be vetted before adoption, following the kind of checklist in our guide on how to vet AI tool security before sharing confidential deals. The policy should also designate an owner (a partner or operations lead) who maintains the approved list so it does not drift as new products launch.
Section 2: Data Classification and Confidentiality
The core of the policy is data classification: a simple tiering of information that tells every employee what may and may not be entered into an AI tool. Without it, a well-meaning analyst can paste a confidential rent roll into a consumer chatbot and never realize they created exposure. A four-tier scheme is enough for most CRE firms.
- Public: Marketing copy and published market data, which may be used in any approved tool.
- Internal: General research and non-sensitive drafts, allowed in approved enterprise-tier tools.
- Confidential: Rent rolls, offering memoranda, models, and deal terms, allowed only in approved enterprise tiers with no training on inputs.
- Restricted: Personally identifiable tenant information, limited partner details, and anything under NDA, which require explicit approval and may be prohibited from AI tools entirely.
Spelling out where rent rolls, LP commitments, and tenant personal data sit on this scale is the single most protective thing a CRE AI policy can do. It turns an abstract worry into a clear rule any employee can follow. If you want help building this classification into a policy your team will actually use, The AI Consulting Network specializes in exactly this.
Section 3: Human Review and Accountability
The policy must define where human review is mandatory, because AI produces confident output that can be wrong, and some CRE work is too consequential to ship unchecked. The rule of thumb is simple: anything that informs a financial decision, goes to a third party, or carries legal weight requires a named human to review and approve it before it leaves the firm.
In practice, require sign-off on AI-assisted underwriting, investment committee materials, anything sent to lenders or investors, and any tenant-facing communication. Make accountability explicit by recording who reviewed and approved each item, so the firm can stand behind its work. The principle is that AI is a drafting assistant, not a signer; a person always owns the final output. This keeps the speed benefit of AI while preventing an unverified number or a hallucinated claim from reaching a partner, a lender, or an investment committee.
Section 4: Compliance Guardrails for Fair Housing and AI Law
The compliance section addresses the legal exposure unique to real estate, starting with fair housing. Any AI used in tenant screening, marketing, or resident communication can create discrimination risk, even unintentionally, so the policy must require fair-housing review of those uses. Our guide on AI and fair housing compliance screening details the high-risk areas to govern.
On AI-specific law, the landscape is shifting, which argues for principles over a single statute. Colorado enacted the first comprehensive United States state AI law, SB 24-205, but the state repealed and replaced it in 2026 with SB 26-189, a narrower disclosure-and-rights framework for automated decision-making technology that is set to take effect January 1, 2027, with enforcement contingent on rulemaking (Source: Colorado General Assembly, SB 24-205). Rather than chase each change, anchor the policy to durable principles (transparency, human oversight, non-discrimination, and data protection) that map to recognized frameworks like the NIST AI Risk Management Framework. A policy built on principles survives the next legislative reversal.
Rolling It Out: Training and Enforcement
A policy changes behavior only when it is paired with training and enforcement, because a document filed away on a shared drive protects nothing. Roll it out with a short session that walks the team through the data tiers and the review rules using real examples, not abstractions, so people recognize the situations they will actually face.
Keep it alive with light enforcement: a named owner, a quick refresher when a new tool is approved, and a simple way to report uncertainty without blame. Review the policy quarterly, since both the tools and the law move fast. Firms that want help drafting, rolling out, and maintaining an AI usage policy their whole team will actually follow can reach out to Avi Hacker, J.D. at The AI Consulting Network, which specializes in exactly this kind of governance work.
Frequently Asked Questions
Q: What is the most important part of a CRE AI usage policy?
A: Data classification. A simple tiering of information, from public to restricted, tells every employee what may and may not be entered into an AI tool. It is the rule that prevents a confidential rent roll or LP detail from being pasted into a consumer chatbot.
Q: Does the Colorado AI Act still apply to my CRE firm?
A: Not in its original form. Colorado repealed SB 24-205 and replaced it with SB 26-189, a narrower automated-decision-making disclosure framework set to take effect in 2027, with enforcement contingent on rulemaking. Because the law is shifting, base your policy on durable principles rather than one statute.
Q: When should a CRE firm require human review of AI output?
A: Whenever the output informs a financial decision, goes to a third party, or carries legal weight. That includes AI-assisted underwriting, investment committee materials, lender and investor communications, and tenant-facing messages. A named person reviews and approves before it leaves the firm.
Q: How long should an AI usage policy be?
A: Short enough to be read and specific enough to be followed, often just a few pages. It should cover approved tools and tiers, data classification, human-review rules, and compliance guardrails, then rely on training and a named owner to keep it current.