Operator playbook · 6 min read

The one-page AI policy every small team needs

Drafted through my n8n + AI pipeline, edited by me.

By the end of this you'll have the shape of a one-page AI policy your team will actually follow, without a legal department or a forty-page document nobody reads.

The mess

Your team is already using AI, with or without your permission. Someone pasted a client contract into a chatbot to summarise it. Someone drafted a customer email with a tool you have never heard of. None of it is malicious, all of it is invisible, and right now the only rule is whatever each person privately decided was fine. That is not a strategy. That is a leak waiting to be noticed.

The wrong way people solve it

They lurch to an extreme. Some ban AI outright, which does not stop it; it just drives it underground onto personal phones where you have no visibility at all. Others write nothing and hope, treating it as too small to govern until the day a client asks where their data went. Both are the same mistake: pretending a decision has not already been made for you, every day, by everyone.

What a one-page AI policy covers

A useful AI policy answers four plain questions a normal person can follow. What data is fine to put in, and what never leaves our walls. Which tools are approved. What a human must check before AI output goes to a customer or counts as a decision. And what we keep a record of. That is the whole job. If it is longer than a page, nobody reads it, and a policy nobody reads is the same as no policy.

Trigger (someone wants to use AI) → Decision (approved tool? safe data?) → Action (use it on the allowed work) → Human review (before anything customer-facing) → Alert (a near-miss or breach) → Record (what went in, and where).

Three data tiers: green for public data, amber for internal notes in approved tools, red for client and personal data that never enters a public model.

  • Green — public: anything already public. Fine in any approved tool.
  • Amber — internal: internal notes. Approved tools only, with the no-training setting switched on.
  • Red — client and personal: never goes into a public model at all.

The one-page rule, in three tiers of data.

What I'd write into the AI policy

Three tiers of data: green for anything already public, amber for internal notes that stay inside approved tools, red for client and personal data that never goes into a public model at all. A short list of approved tools, with the no-training setting switched on. A rule that AI never sends a customer message or makes a final call without a person signing off. And one named owner who keeps the page current as tools change. One page, plain language, pinned where the team works.

What can break

A policy so long and lawyerly that everyone ignores it. A ban that pushes usage somewhere you cannot see. Approved tools quietly training on whatever you feed them because nobody flipped the setting. And a page written once and never touched again, slowly going stale as the tools change under it. A policy is a living thing or it is decoration.

What the business gets

Your team keeps the speed of AI without betting the business on it. You can answer a client honestly about how their data is handled. New hires get one clear page instead of guessing. And the quiet risk that someone pastes the wrong thing into the wrong tool stops being a matter of luck.

You do not get to choose whether your team uses AI. You only get to choose whether they are guessing about the rules.

Bring me how your team already uses AI today. I'll help you turn it into a one-page AI policy people will actually follow.
