Writing an AI Policy for Your Small Business (With a Simple Template Outline)
Why every small business with employees needs a one-page AI policy, what it should say, and a plain-English outline you can adapt in an afternoon.
If anyone in your business uses AI tools, and statistically, someone already does, whether you know or not, you need an AI policy. Not a 40-page legal document. One page, in plain English, that answers the question every employee quietly has: “Am I allowed to use this, and how?”
Why bother?
Three reasons, all practical:
- It ends the secret usage problem. Without a policy, employees use personal AI accounts quietly and inconsistently, the worst possible arrangement for data protection (see Is AI Secure?). A policy plus sanctioned tools brings it into the open.
- It protects you when things go wrong. If a client asks “how do you use AI with our information?”, or an insurer or regulator asks the same, “here’s our written policy” is a strong answer. Silence isn’t.
- It speeds adoption up, not down. Counterintuitive but consistently true: people use AI more once they know the rules, because permission is explicit and the fear of doing something wrong is gone.
What a one-page policy needs to say
Here’s the outline I use with clients, adapt freely:
1. What we allow (and encourage)
Name the approved tools and account types, e.g. “Our business ChatGPT/Claude/Copilot accounts. Not personal accounts, for work tasks.” Say plainly that using them for drafting, summarising, research and admin is encouraged.
2. What must never go into AI tools
Your short forbidden list. Typically:
- Customer/client personal data, unless the specific tool has been cleared for it
- Passwords, keys, and financial account details
- Anything covered by an NDA or client confidentiality agreement
- (Regulated firms add sector specifics, legal, financial services)
3. The human-check rule
Nothing AI-drafted goes to a customer, gets published, or informs a significant decision without a person reviewing it and taking ownership. AI drafts; humans approve.
4. Honesty rules
When to disclose AI use if asked (answer: honestly, always), and any cases where you choose to disclose proactively.
5. Who to ask
One named person for “can I use it for this?” questions. In a small business, this is usually the owner or manager, the point is that asking is easy and encouraged.
6. Review date
AI changes fast. Date the policy and revisit it every six months.
Getting from outline to adopted
Writing the page is the easy half. What makes a policy real:
- Introduce it in person, not by email attachment. Fifteen minutes at a team meeting, framed as “here’s what you can do” rather than a list of threats.
- Pair it with proper accounts. A policy that says “don’t use personal accounts” only works if business accounts exist. Policy and setup are two halves of one move.
- Pair it with basic training. Rules make sense when people understand the tools. This pairing is exactly why the AI Essentials Workshop includes a ready-to-adopt policy as a standard deliverable, the discussion happens with the whole team in the room, and the policy lands as agreed ground rules rather than an edict.
An afternoon of work, one page of rules, and one of the most common sources of small-business AI risk is handled. If you’d like the policy done alongside everything else, it’s included in both the workshop and any implementation project, or start with the free AI Opportunity Review and the report will tell you what your business actually needs.