How Do I Write an AI Policy for My Team?
A plain-English policy template for small businesses. What to include, what to ban, and how to roll it out.
What this guide covers
A complete AI use policy for a small business fits on one page. It needs to be specific enough that people know what they can and can't do, and short enough that they'll actually read it. This guide walks through the five sections every policy needs, the specific prohibitions that matter most, how to roll it out without resistance, and a copy-paste template you can adapt in 30 minutes.
Most AI policy guides are written for legal teams in large enterprises. This one is written for a business owner who uses AI themselves and wants to give their team of 2-20 people clear, practical guidance - not a 40-page governance document that nobody will read.
The goal of the policy is simple: make it clear what's allowed, prevent the specific misuses that create real risk, and give everyone a consistent position when clients ask about AI. Nothing more complicated than that.
What to include
Five sections every policy needs
Each section has a different job. The purpose and scope section creates context. The approved tools list creates accountability. The data rules create the most important protection. The output review standard addresses professional liability. The disclosure position ensures consistency with clients.
Purpose and scope
Sets context so people understand why the policy exists - not as a control mechanism but as a way to protect the business and its clients.
Example wording
This policy applies to all team members and contractors of [Business Name] when using AI tools in connection with their work. It is reviewed quarterly.
Approved tools
Prevents people from using AI tools with inadequate data handling without realising it. Also sets a baseline for what the business has assessed and approved.
Example wording
Approved tools: ChatGPT Team (writing, research, drafting), Claude Pro (analysis, long-form writing). Tools not on this list require approval from [role] before use on client work.
Data rules
The most important section for client protection and regulatory compliance. Generic 'be careful' language doesn't work - people need specific, concrete rules.
Example wording
Do not input: personal data of any individual, NDA-covered material, internal financial data, client financial statements, or any material you would not be comfortable appearing in a data breach.
Output review standard
AI output must be reviewed before it is used, particularly in client-facing work. This section defines what 'reviewed' means in practice.
Example wording
AI-assisted content in client deliverables must be reviewed by the responsible team member before submission. Factual claims and statistics must be verified against source material.
Client disclosure position
Gives the whole team a consistent answer to 'did you use AI on this?' and prevents inconsistency across different client relationships.
Example wording
Our position: we use AI tools as part of our standard process. All work is reviewed and approved by a qualified team member. If a client asks directly, answer honestly and specifically. Client contract AI clauses take precedence over this policy.
What to ban
Seven specific prohibitions
"Use AI responsibly" is not a useful policy. These are the seven prohibitions that actually protect your business and clients - each with a plain explanation of the risk it addresses.
Inputting personal data of clients, staff, or third parties into public AI tools
UK GDPR requires a lawful basis for processing personal data. Uploading someone's name, email, health information, or financial details to a third-party AI tool without their knowledge almost certainly doesn't have one.
Using AI output in client deliverables without human review
AI produces plausible but sometimes incorrect content. Publishing AI output without review creates a professional liability risk - and damages trust significantly if a client catches an error you didn't.
Using AI tools not on the approved list for client work
Unapproved tools may have inadequate data handling for your sector. You can't manage a risk you don't know about.
Claiming AI-generated content is human-written when directly and sincerely asked
This is a misrepresentation risk. There's a meaningful difference between not volunteering information and actively lying when asked. The second creates genuine legal and reputational exposure.
Using AI to make autonomous decisions affecting individuals without human review
Decisions about hiring, credit, performance, or similar matters that significantly affect a person require human oversight under UK GDPR's Article 22.
Using AI on any engagement where the client contract restricts AI use
Breaching a contract clause, however small the breach seems, creates liability and relationship risk that significantly outweighs any efficiency gain.
Inputting legally privileged or NDA-covered material without legal advice
Uploading privileged communications to a third-party platform may waive privilege. NDA terms vary - check before inputting.
Rollout in 5 steps
How to roll out without scaring your team
The most common rollout mistake: emailing the policy document with no context. People read "AI policy" and immediately think either "they're tracking what I'm doing" or "they're replacing me". Neither is helpful. These steps change that framing before it takes hold.
Share a draft before it's final
Send the draft to your team and ask two questions: 'Is anything here unclear?' and 'Is there anything you think we've missed?' This is not a consultation exercise - you're the decision-maker. But people who helped shape the document are more likely to follow it.
Even if you don't change a word based on feedback, the act of asking changes how the policy is received.
Run a 30-minute session explaining why
Don't just send the document. Run a short session where you explain the three or four reasons the policy exists: protecting client data, managing professional liability, maintaining consistent standards, and meeting client expectations. People follow rules they understand - not ones handed down without context.
Address the job security question directly even if nobody asks it. 'This is about how we use AI, not whether we use it, and it's definitely not about replacing anyone.'
Publish it somewhere permanent and findable
Not email. Put it in your shared drive, Notion, or intranet - wherever your team looks for reference documents. Link to it from your onboarding checklist. If people can't find it when they need it, it doesn't exist.
Set a quarterly review reminder
Add a recurring calendar event for a 20-minute policy review every three months. AI tools change faster than annual reviews can keep up with. The review should check: are the approved tools still current? Has anything changed in our clients' requirements? Are the data rules still appropriate?
Lead by example
Talk openly about how you use AI in your own work. What you use it for. Where you don't trust it. Where it's saved you time. Normalising visible, thoughtful AI use is more effective at building a good AI culture than any policy document.
Free template
Copy-paste AI policy template
Fill in the bracketed sections with your specifics. The whole document should fit on one or two pages. Don't add length for the sake of it - a short, specific policy that people read is more effective than a comprehensive one that nobody opens.
AI Use Policy - Small Business Template
Copy, paste into a Google Doc or Word file, fill in the brackets, and share with your team
AI USE POLICY
[Business Name]
Version [1.0] | Last reviewed: [Month Year] | Owner: [Role]

────────────────────────────────────────────

1. PURPOSE AND SCOPE

This policy sets out how team members and contractors of [Business Name] may use AI tools in connection with their work. It applies to all AI-assisted activities including writing, research, analysis, design, and coding.

The purpose of this policy is to protect our clients, our business, and the people who work with us - not to restrict the use of tools that genuinely help us do good work.

This policy was last reviewed [Month Year]. Questions should be directed to [Role/Name].

────────────────────────────────────────────

2. APPROVED TOOLS

The following AI tools are approved for work purposes:

- [Tool name] — approved for: [writing / research / analysis / coding / design]
- [Tool name] — approved for: [writing / research / analysis / coding / design]
- [Tool name] — approved for: [writing / research / analysis / coding / design]

Tools not on this list require approval from [Role] before use on client work or work involving client data. To request approval for a new tool, contact [Role/email].

────────────────────────────────────────────

3. DATA RULES

Do not input the following into any AI tool, approved or otherwise:

- Personal data of any individual (clients, staff, leads, third parties) without a clear lawful basis
- Any material covered by a non-disclosure agreement — check the NDA before inputting
- Legally privileged communications or documents
- Internal financial data (forecasts, management accounts, pricing models)
- Client financial statements or commercially sensitive data
- Any material you would not be comfortable seeing in a data breach disclosure

If you are unsure whether material is safe to input, do not input it. Ask [Role] first.

────────────────────────────────────────────

4. OUTPUT REVIEW STANDARD

AI tools produce plausible but sometimes incorrect content. All AI-assisted output must meet the following standard before use:

Client deliverables: All AI-assisted content in client-facing documents must be reviewed and approved by the responsible team member before submission. Factual claims, statistics, and references must be verified against source material.

Legal, financial, or regulatory statements: Must be reviewed by [a qualified person / legal counsel / the account lead].

Internal use: AI-assisted internal documents should be reviewed before sharing, though the standard may be lighter than for client work.

────────────────────────────────────────────

5. CLIENT DISCLOSURE POSITION

Our default position: we use AI tools as part of our standard workflow. All deliverables are reviewed and approved by a qualified team member before submission.

If a client asks directly whether AI was used on a specific piece of work, answer honestly and specifically about your role in producing the work.

If a client contract includes restrictions on AI tool use, those terms take precedence over this policy. Check contracts before using AI on any new engagement.

Standard disclosure language: [Paste your disclosure wording here, or reference the document where it can be found]

────────────────────────────────────────────

6. PROHIBITED USES

The following are never permitted regardless of context:

- Inputting personal data of any individual into a public AI tool without a lawful basis
- Using AI output in client deliverables without human review
- Using AI tools not on the approved list for client work
- Actively claiming AI-generated content is human-written when sincerely and directly asked
- Using AI to make decisions affecting individuals (hiring, credit, performance) without human review
- Using AI on an engagement where the client contract restricts AI use
- Using AI to impersonate another person

────────────────────────────────────────────

7. QUESTIONS AND UPDATES

Questions about this policy: contact [Role/Name] at [email].

To suggest an update or flag a tool not on the approved list: [process or contact].

This policy is reviewed quarterly. The current version is always available at [location].
This template is a starting point, not legal advice. If your business operates in a regulated sector (financial services, healthcare, legal, HR), or if your client contracts include specific AI obligations, review the policy with a legal professional before publishing it. The data rules section in particular may need to be more detailed for regulated activities.