Why your small business needs an AI policy

If your business uses any AI tool (ChatGPT, Microsoft Copilot, Grammarly, an AI-powered accounting tool), you need an AI policy. Not a fifty-page governance framework. A one-to-two page document that answers four questions is sufficient, defensible, and genuinely useful.

Without a policy, every person in your business makes their own decisions about AI use. Some will accidentally share client data with AI systems that store it for training. Some will publish AI-generated content without checking it. Some will rely on AI outputs that are wrong. A brief, clear policy prevents the most common problems.

The four things your AI policy must cover

1. Which tools are approved: List the AI tools your business permits for work use, and establish a default - "other AI tools require approval from [name] before use." This matters because AI tools vary significantly in how they handle data. Without an approved list, employees use whatever is convenient, including tools with poor data practices.

2. What data can and cannot be entered: This is the most important section. Specify clearly what must never be entered into AI tools: client names and contact details; financial account information; employee personal data; confidential business information; anything subject to confidentiality obligations. Be specific. "Confidential information" is too vague; list the categories and give examples.

3. Quality checks on AI outputs: AI-generated content must be reviewed before use. AI tools produce plausible-sounding but incorrect information. Any output shared externally (sent to clients, published online, submitted to regulators) must be checked by a human who takes responsibility for its accuracy.

4. Who is responsible: Name a person responsible for the AI policy, who updates it, answers employee questions, and handles incidents. For most small businesses, this is the owner. Naming a person creates accountability and a clear escalation path.

A template you can adapt

[BUSINESS NAME] AI USE POLICY | Effective: [DATE] | Next review: [DATE + 6 months]

Approved tools: The following AI tools are approved for work use: [list]. Other tools require approval from [name] before use.

Data rules: Never enter into any AI tool: client names, contact details, or account information; employee personal information; our pricing, contracts, or business strategy; information received under a confidentiality obligation. When in doubt, do not enter the information. Ask [name] first.

Quality checks: All AI-generated content must be reviewed for accuracy before use. You are responsible for any work you submit - "the AI wrote it" is not an acceptable explanation for errors.

Client disclosure: If you use AI to assist in client work, inform your manager. We [will/will not] disclose AI use to clients. [Specify your approach.]

Problems and questions: Contact [name] immediately if something goes wrong involving AI, for example restricted data entered into an AI tool by mistake, or incorrect AI output shared externally.

After you have a policy

Tell your team about it. A five-minute conversation is more effective than distributing a document and hoping people read it. Review it every six months. AI tools change fast, and your policy should change with them. Do not let perfect be the enemy of done. A simple, implemented policy is infinitely more valuable than an elaborate one nobody reads.