AI Policy Template for Small Business
A short, practical AI use policy template you can adapt for your team. Covers data, review, and escalation.
This is a simple, practical AI use policy for small teams. Adapt it to your situation and post it where your team can reference it. The goal is not a legal document. It is a clear shared understanding of how AI should and should not be used in your business.
Purpose
This policy establishes how [Business Name] uses AI tools to support our work while protecting our clients, our team, and our reputation. AI should increase our capacity to serve clients well, not introduce risk through sloppy use or unchecked outputs.
This policy applies to all team members, contractors, and anyone using AI tools on behalf of the business.
Approved AI Tools
The following AI tools are approved for business use:
- [List your approved tools, e.g., ChatGPT team account, Claude for Business, Copilot, your custom-built agents]
- [Note any approved use cases for each tool]
All other AI tools require written approval before any business use. Personal accounts on consumer AI platforms should not be used for client work.
Data Classification and Handling
Before using AI with any business data, classify the data:
Restricted Data (never paste into AI):
- Full names combined with contact information
- Social Security numbers, tax IDs, or financial account numbers
- Medical or health information
- Passwords, credentials, or security keys
- Client financial details, contracts, or legal correspondence
Internal Data (use caution, strip identifiers):
- General business data without PII
- Aggregate reports without individual names
- Process descriptions without client details
Public Data (generally safe):
- Publicly available information
- General industry research and benchmarking
When in doubt, ask [designated person] before using data with AI.
Human Review Requirements
AI outputs must be reviewed by a human before they are sent externally, published, or used to make decisions. This includes:
- Any communication drafted by AI that will be sent to a client or prospect
- Any content that represents the business publicly
- Any data entry or record update that affects client files or financial records
- Any pricing, contractual, or legal information
Reviewers are responsible for ensuring outputs are accurate, appropriate, and consistent with our voice and standards.
What AI Must Not Do
Without explicit written approval from [owner name], AI tools must not:
- Send any communication externally without human review
- Access or modify client data outside the scope of a defined workflow
- Make promises, commitments, or contractual representations on behalf of the business
- Respond to media, public forums, or regulatory inquiries
- Replace a human decision on hiring, firing, pricing, or legal matters
- Be used to generate content that will be published without disclosure that AI was involved
Reporting Issues
If an AI tool produces an output that is wrong, harmful, or suspicious, do not share it. Flag it immediately to [designated contact]. Include:
- What tool you were using
- What data you provided
- What the output was
- Why it was concerning
If you discover that restricted data was accidentally shared with an AI tool, notify [designated contact] immediately so we can assess the exposure and mitigate it.
Post this policy where your team can reference it regularly. Review it quarterly or whenever your AI tool set changes. The goal is a shared understanding, not compliance theater.