A small business AI policy needs to cover what tools are approved, what data must never be put into them, when human review is required, who is accountable, and what to do when something goes wrong. Keep it to a page in plain language. A short policy people actually read beats a long one that sits ignored.
Information current as at 5 July 2026
An AI policy sounds like something only big companies need, but a short one protects a small business from the everyday mishaps that cause real harm: the confidential file pasted into a free tool, the customer sent AI output nobody checked. It does not need to be long or legalistic. It needs to be clear, and it needs to be read.
Without any policy, every staff member makes their own quiet decisions about which tools to use and what to put into them, and some of those decisions will be poor. Someone pastes a client contract into a free tool to summarise it; someone sends a customer an AI-drafted reply that nobody read; someone connects a tool to data it should never have touched. A one-page policy is not bureaucracy; it is a set of clear boundaries that lets people use AI confidently without stumbling into the mistakes that cause real damage. The absence of a policy is itself a policy: everyone does whatever they like.
A useful policy covers a handful of things. Which tools are approved, so people are not each choosing their own. What data must never be put into any AI tool, naming the sensitive categories plainly: customer personal data, payment details, confidential contracts, anything you would not want to leak. When human review is required before AI output is used, especially anything reaching a customer or your books. Who is accountable for each tool and for its output, so a name sits behind every use. And what to do when something goes wrong, so a mistake is reported and fixed rather than hidden. That is most of it.
If you have made something and it needs to become real, send it over. We will tell you honestly what it needs to be live, safe and yours, whether that is a quick fix you can do or a proper build. No obligation.
The single biggest mistake is length. A ten-page policy full of legal phrasing gets skimmed once and ignored forever, which means it protects nobody. Aim for a page, written the way you would explain it to a new hire over coffee. Use plain do and do not statements. If a rule cannot be stated in a sentence, it is probably too complicated to be followed. The goal is a document people actually remember when they are about to paste something risky into a tool, not one that impresses a lawyer and sits unread in a folder.
An AI policy is not a document you write once and file. The tools change, your uses grow, and the risks shift, so the policy has to be revisited; quarterly is a reasonable rhythm for a small business. When you approve a new tool, add it. When you discover a new risk, name it. When a rule proves unrealistic and people are quietly ignoring it, fix the rule rather than pretending it works. A living, short, honest policy that reflects how the business actually uses AI is worth far more than a polished one that describes a world that no longer exists.
Whether you can name exactly what you want built, or you just know something is leaking, the next step is the same conversation.