From social media policy to automated guardrails

Perfect for a 6 minute break • Written on July 02, 2026 by Wim Mostmans

Almost every company has a social media policy, but almost nobody reads it, so it rarely changes how people actually post. This piece looks at why unread policies fall short, especially in regulated industries, and introduces guardrails: real-time, policy-aware checks inside the composer that guide employees as they write, work alongside approval flows, and finally turn a written policy into everyday behavior.

Almost every company has a social media policy. Almost nobody reads it.

When you join a company, it's usually buried somewhere in the onboarding pile. You click through it, say yes, and move on. I have done the same myself more than once. Shamefully, I probably didn't read half the documents I accepted when I was younger. Maybe even less.

And that's not really a moral failure. These things are long, written in careful legal language, and they land on your desk when you already have too many other things to do. Researchers found that people who did open a policy agreed to it in a median of about fourteen seconds, which is obviously not enough to read it. 74% skipped it entirely. Another study estimated that reading every policy and terms document you run into would take around 244 hours a year. So no, people don't read them. They click accept.

Which leaves companies in a slightly awkward spot. They have the policy. They can prove you signed it. But the thing the policy was supposed to do, actually shape how people behave online, never really happens. Having a policy and living a policy are different things.

Why this matters more than it used to

For a long time, this was mostly a theoretical problem. Most employees weren't posting about work anyway, so an unread policy didn't hurt much.


That has changed completely. Your employees are now one of your most valuable and credible channels. People trust a real person more than a logo, and platforms like LinkedIn keep pushing more people-led content. One employee sharing something real often goes further than a month of neat company-page updates. If you want your brand to travel, it usually travels through people.

So now you have more people posting more often about your company. And the unread policy suddenly matters a lot.

In regulated industries, this stops being about reach and starts being about real money. A wrong word in a financial post isn't just a bad look, it can become a fineable offense. Financial firms have paid over three billion dollars in fines since 2021 for communication and recordkeeping failures. In the UK, the regulator has made it clear that a firm is still liable when an employee shares the firm's content on their own personal account, even if the firm didn't write it. In healthcare, one post with an identifiable patient detail is already a HIPAA violation, and nurses have been fired over exactly that. The person deciding whether a post crosses the line is usually the employee writing it, right then, with very little support.

The three ways companies handle this today

When you look at how companies actually manage this, it comes down to three approaches. Each one solves part of the problem and creates a new one.

Approach one: read and accept. This is the default. Write a policy, have everyone accept it, and call it done. We already know why that fails. The policy is real, but it lives in a PDF nobody opens, not in the place where the post is actually written. You have documented the rules. You haven't changed behavior.

Approach two: just wing it. Let people post freely and hope for the best. In a low-risk business you might get away with that for a while. In a regulated one, you're one careless post away from a fine or a headline. That's not really a strategy. It's a bet.

Approach three: the approval flow. Every post goes through a reviewer before it's published. This does work, and plenty of our customers run it that way. The problem is speed. The writer finishes a post, then waits. A manager or compliance reviewer has to read it, send feedback, wait for a fix, and approve it. By the time the post is cleared, the moment has often passed. The safer you make it, the slower it gets.

So you end up choosing between a policy nobody follows, no control at all, or control that slows everything down. None of those is great.

Guardrails: a fourth way

There's a better option, and it's the one we've been building. We call it guardrails.

The idea is simple. Instead of putting the policy in a document at the start, or a reviewer at the end, you put the guidance right inside the composer, at the moment someone writes a post. When a post is written, it gets checked against your company's actual policy. If it's fully compliant, it goes out. If it isn't, the writer gets clear, specific instructions on what to fix, right there, before anything is published.

It's a bit like the car manual versus the seatbelt. Nobody reads the crash-safety chapter in the glovebox. The seatbelt works because it's there when it matters. Guardrails move the policy out of the glovebox and put it where the writing happens.

Why this goes further than blocking a list of words

The obvious way to build something like this is a banned-words list. Block "guaranteed", block "risk-free", block a competitor's name, done. It feels like compliance. Mostly it's not.

We looked at nineteen real enterprise social media policies across banking, insurance, healthcare, pharma, tech, retail, and government. The rules that show up again and again aren't words at all. The most common rule, in 95% of the policies we read, was simply "be respectful". Then: don't share confidential information, add a disclaimer that views are your own, don't speak on behalf of the company unless authorized, use good judgment. Almost none of the most common rules in corporate social media policies can be written as a list of forbidden words.

A blacklist can't tell the difference between "there is no risk" and "our risk management team". Same word, completely different meaning. So it over-blocks, which annoys people with false alarms, and under-blocks, which means it misses the actual problem. It's also easy to work around. Change a word, rephrase the sentence, and you're through. And when it does catch something, all it says is no. It never tells you how to fix it.

Real policies are about meaning and intent, not vocabulary. "Don't give financial advice." "Always include a risk disclosure." "Don't disclose anything that could identify a patient." None of those is a word you can ban. They are rules you have to understand.

That's the real shift. Guardrails don't match words, they interpret the post against your policy the way a human reviewer would. They understand context, so they catch the implied promise, the unbalanced claim, the identifiable detail that a list would sail straight past. And instead of a blunt block, they hand the writer a specific fix: add a risk disclosure here, remove this client's name, rephrase this claim. Banning words and detecting phone numbers is the floor. Understanding the policy is the point.
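To make the over-block and under-block problem concrete, here is an added illustration (not the product's code) that contrasts a word blacklist with a check that returns a rule-specific fix and an audit record. The rules, regexes and sample posts are constructed for the example; a real guardrail interprets the post against the policy rather than pattern-matching it.

```python
import re
from dataclasses import dataclass

# Word list, as described above. "risk" is on it, so "our risk management
# team" is blocked (over-block) while a rephrased promise such as
# "you cannot lose money" passes straight through (under-block).
BANNED_WORDS = {"risk", "guaranteed"}

def blacklist_blocks(post: str) -> bool:
    """Naive keyword filter: True means the post is blocked with a bare 'no'."""
    words = set(re.findall(r"[a-z'-]+", post.lower()))
    return bool(words & BANNED_WORDS)

@dataclass(frozen=True)
class Finding:
    rule: str  # which policy rule fired
    fix: str   # the specific instruction handed to the writer

# Constructed, illustrative rules: they only show the shape of a guardrail's
# output (a finding tied to a rule plus an actionable fix), not how a
# policy-aware check actually interprets meaning.
PROMISE = re.compile(
    r"\b(no risk|risk[- ]?free|guaranteed|cannot lose|can't lose|will double)\b")
INVESTMENT_TOPIC = re.compile(r"\b(fund|returns?|invest\w*|portfolio)\b")
DISCLOSURE = re.compile(r"\b(capital (is )?at risk|past performance)\b")

def policy_check(post: str) -> list[Finding]:
    """Return every policy finding for the post; an empty list means compliant."""
    text = post.lower()
    findings = []
    promise = PROMISE.search(text)
    if promise:
        findings.append(Finding(
            "no_promised_outcomes",
            f"Remove or rephrase the promised outcome: '{promise.group(0)}'"))
    if INVESTMENT_TOPIC.search(text) and not DISCLOSURE.search(text):
        findings.append(Finding(
            "risk_disclosure_required",
            "Add a risk disclosure such as 'Capital is at risk'."))
    return findings

def audit_record(post: str) -> dict:
    """Evidence that an automated check ran, kept alongside the post for reviewers."""
    findings = policy_check(post)
    return {"checked": True, "compliant": not findings,
            "findings": [(f.rule, f.fix) for f in findings]}
```

Running the two checks side by side on the same posts shows the false alarm, the miss, and the fix message the writer gets instead of a block.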

It works with your approval flow, not against it

If you already run an approval flow, this isn't a rip-and-replace. In a lot of regulated businesses you're legally required to keep a human in the loop, and you should. Guardrails don't remove that reviewer. They make that person's job faster and lighter.

Here is how they fit together. Guardrails run first, at the moment of writing. They catch the obvious, high-volume issues before a post ever reaches a human: the missing disclaimer, the banned term, the clear policy breach. The writer fixes those on the spot. By the time a reviewer sees the post, the easy stuff is already handled.

That changes what the reviewer's day looks like. Fewer posts get bounced back for the same obvious corrections over and over. The queue moves faster because most posts arrive already clean. And the reviewer gets to spend their judgment on the genuine edge cases, the nuanced calls that actually need a human, instead of acting as a very expensive spellchecker. Every post also carries a record that an automated check ran, which is a much stronger position with a regulator than "we emailed everyone the policy back in 2022."

I spoke with a head of social at a large financial firm who put it well. Her number one piece of advice for anyone running employee content in a regulated industry was to get to know your compliance team and show them you won't add to their pile. That's exactly what this does. It takes work off the reviewer's plate instead of adding oversight on top of it.

And you can dial it however you need. Guardrails only, for low-risk content that doesn't need a human. Guardrails plus approval, for the regulated stuff. Soft warnings that guide without blocking, for everything in between. It's a layer you tune to your risk, not a switch you flip.

So what

A social media policy read once and forgotten is just training. And we know how training goes: most of it's gone within a month. A check that fires the moment you hit post is something else entirely. It's guidance at the exact point of decision, which is the one place decades of behavioral research says actually changes what people do.

Your employees are going to keep posting, and you want them to. That's the whole value of employee advocacy. The job isn't to slow them down or lock them out. It's to get out of their way while quietly making sure nobody drives off the edge. That's what guardrails are for.

You already wrote the policy. This is how you finally get people to live it.
