
AI policy for a small business: what to include

Straight answer

A small business AI policy needs to cover what tools are approved, what data must never be put into them, when human review is required, who is accountable, and what to do when something goes wrong. Keep it to a page in plain language. A short policy people actually read beats a long one that sits ignored.

Information current as at 5 July 2026

An AI policy sounds like something only big companies need, but a short one protects a small business from the everyday mishaps that cause real harm: the confidential file pasted into a free tool, the customer sent AI output nobody checked. It does not need to be long or legalistic. It needs to be clear, and it needs to be read.

Plain English
Acceptable use
The rules on what staff may and may not do with a tool.
Approved tools
The specific AI tools the business has vetted and permits staff to use.
Disclosure
Being open, where it matters, about when AI was used to produce something.
Accountability
Naming who is responsible for a tool and for what it produces.

Why a small business needs one at all

Without any policy, every staff member makes their own quiet decisions about which tools to use and what to put into them, and some of those decisions will be poor. Someone pastes a client contract into a free tool to summarise it; someone sends a customer an AI-drafted reply that nobody read; someone connects a tool to data it should never have touched. A one-page policy is not bureaucracy; it is a set of clear boundaries that lets people use AI confidently without stumbling into the mistakes that cause real damage. The absence of a policy is itself a policy: everyone does whatever they like.

The essentials to include

A useful policy covers a handful of things. It names which tools are approved, so people are not each choosing their own, and approval should mean someone has actually read the vendor's terms on how inputs are stored and whether they are used for training. It states what data must never be put into any AI tool, naming the sensitive categories plainly: customer personal data, payment details, confidential contracts, anything you would not want to leak. It says when human review is required before AI output is used, especially anything reaching a customer or your books. It names who is accountable for each tool and for its output, so a name sits behind every use. And it says what to do when something goes wrong, so a mistake is reported and fixed rather than hidden. That is most of it.

No pressure
Show us what you built.

If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.

Keep it short and plain

The single biggest mistake is length. A ten-page policy full of legal phrasing gets skimmed once and ignored forever, which means it protects nobody. Aim for a page, written the way you would explain it to a new hire over coffee. Use plain do and do not statements. If a rule cannot be stated in a sentence, it is probably too complicated to be followed. The goal is a document people actually remember when they are about to paste something risky into a tool, not one that impresses a lawyer and sits unread in a folder.

Keep it alive

An AI policy is not a document you write once and file. The tools change, your uses grow, and the risks shift, so the policy has to be revisited; quarterly is a reasonable rhythm for a small business. When you approve a new tool, add it. When you discover a new risk, name it. When a rule proves unrealistic and people are quietly ignoring it, fix the rule rather than pretending it works. A living, short, honest policy that reflects how the business actually uses AI is worth far more than a polished one that describes a world that no longer exists.

Common questions

Do I really need an AI policy if I only have a few staff?
Yes, and arguably more so, because in a small team a single careless paste of confidential data can cause outsized harm. It need not be formal; a one-page set of clear do and do not rules is enough. The point is that everyone shares the same boundaries rather than each guessing what is acceptable.
What is the most important rule to include?
A clear statement of what data must never be put into AI tools: customer personal data, payment details, confidential contracts, anything you would be alarmed to see leak. This single rule prevents the most common and most damaging everyday mistake. Everything else in the policy matters, but this is the one that stops real harm.
How long should the policy be?
One page, in plain language. A long, legalistic policy gets ignored, which means it protects nobody. Write it the way you would explain the rules to a new starter over coffee, using simple do and do not statements. If a rule cannot be said in a sentence, it is probably too complicated for people to actually follow.
Should we tell customers when we use AI?
Where it matters, yes. If AI drafts something a customer relies on, or handles their query, honesty about that builds trust rather than eroding it, and hiding it risks the opposite when discovered. You need not label every minor internal use, but be open where a customer would reasonably want to know. Disclosure is a judgement worth making deliberately.
