Yes, an Acceptable Use Policy will apply to all levels of the organization. All users of an organization’s resources (devices and network) should be expected to use them responsibly, irrespective of their role, title, and position. Any exceptions, for instance, a security red team performing offensive penetration tests, will require an additional policy and scope of work drafted to excuse their violations of the AUP for the given project, in the specified period, and for the specified tasks.