Better Robots.txt

English

Français

English

Français

Appearance

Why your site needs an AI access policy in 2026

Two years ago, the idea that a website needed a formal policy on AI access would have seemed premature. Today, it is overdue. AI systems are the fastest-growing category of web consumers, and the gap between what they take and what site owners knowingly permit is widening every month.

An AI access policy is not a legal document (though it can inform one). It is a clear, published statement of how your site relates to AI systems: what is permitted, what is restricted, and under what conditions. It is the difference between having a position and hoping for the best.

The scale of the problem

Large language models are trained on datasets measured in trillions of tokens. The web is the primary source. Common Crawl alone has archived over 250 billion pages. When an AI company trains a model, it typically uses some combination of licensed data, public domain content, and web-scraped material.

The web-scraped portion is where the tension lives. Most of this content was published by people and organizations who had no idea it would be used to train an AI. They published it for human readers, for search engine discovery, or for their own community. The repurposing happened without notice, without consent, and in most cases without any governance signal from the site owner.

This is not hypothetical harm. Publishers have found their articles reproduced nearly verbatim in AI-generated outputs. Niche experts have discovered their specialized knowledge being served by chatbots without attribution. E-commerce sites have seen product descriptions absorbed into AI shopping assistants that compete directly with the original source.

What an AI access policy does

A formal AI access policy serves three purposes:

It documents your intent. Even if no AI crawler reads your policy file today, having it published creates a timestamped record of your position. If a dispute arises — whether legal, contractual, or reputational — you can demonstrate that your preferences were clearly stated and publicly available.

It informs compliant bots. The AI crawlers that do check governance files (and the number is growing) will find your policy and act on it. GPTBot, ClaudeBot, and Google-Extended already respect robots.txt directives. As the ecosystem matures, more granular policy files will become part of the standard discovery process.

It prepares for regulation. The EU AI Act, Canada's AIDA, and other emerging regulatory frameworks are moving toward requiring AI companies to document their training data sources and respect publisher opt-out mechanisms. A published AI access policy positions your site to benefit from these protections as they come into force.

What an AI access policy should contain

An effective policy does not need to be long or legally complex. It needs to be clear, machine-readable where possible, and consistent with your robots.txt configuration. The core elements are:

Scope of permitted use. State which AI-related activities you allow. Common categories include: training (using content to build or refine AI models), retrieval (fetching content in real time to answer user queries), summarization (condensing your content into shorter outputs), and generation (using your content as a basis for new text).

You might allow retrieval with attribution but prohibit training. You might permit summarization for academic purposes but not for commercial products. The specificity is up to you, but stating your position is what matters.

Per-agent rules. If your policy differs by crawler, state which agents are covered. This should align with your robots.txt configuration. If you block GPTBot in robots.txt but your policy says "AI training is permitted," you have a contradiction that undermines both documents.

Attribution requirements. If you allow AI systems to use your content in some capacity, state whether you require attribution. This is not enforceable through robots.txt, but it creates a documented expectation that AI companies can be held to — especially as regulatory frameworks evolve.

Contact information. Provide a way for AI companies or researchers to reach you if they want to discuss licensing, partnerships, or compliance questions. This transforms your policy from a wall into a door: access is controlled, but not necessarily closed.

How to implement it on WordPress

The implementation is layered, matching the layered nature of the governance problem:

Layer 1: robots.txt. This is the primary published crawl-policy layer. Configure specific user-agent rules for AI crawlers you want to allow or restrict. This expresses intent clearly, but it does not by itself prove compliance or hard enforcement. This is where Better Robots.txt's AI governance module does its primary work.

Layer 2: ai.txt or ai-manifest.json. These files provide structured, machine-readable declarations of your AI usage preferences. They go beyond the binary allow/deny of robots.txt to express nuanced preferences about training, retrieval, and usage conditions.

Layer 3: human-readable policy page. A page on your site (like /governance/ai-usage-policy) that explains your position in plain language. This serves journalists, researchers, legal teams, and anyone who wants to understand your stance without parsing a configuration file.

Layer 4: HTTP headers. For sites that need resource-level control, X-Robots-Tag headers can carry AI-specific directives on individual pages, PDFs, or API endpoints.

Better Robots.txt provides layers 1 and 2 through its configuration interface, and the governance module includes a template for layer 3. Layer 4 requires server-level or plugin-level header configuration.

The cost of waiting

Every month without a published AI access policy is a month where your content is consumed under default-open terms that you did not choose. The content used for training in 2024 and 2025 is already in production models. You cannot retroactively remove it. But you can prevent future extraction, document your position for legal purposes, and align your site with the governance standards that regulators are beginning to require.

The sites that will be best positioned in 2027 and beyond are not the ones that waited for perfect regulation. They are the ones that stated their terms early, implemented technical controls, and built a documented governance posture while the standards were still forming.

An AI access policy is not a luxury for large publishers. It is a baseline for any site that produces original content worth protecting.