An AI usage policy for SMEs: a simple template to start

Most small businesses have no written AI policy at all. The larger ones often have a policy written by a committee, reviewed by lawyers, and nobody actually reads it. You need something in between: a clear, short rule that your team can actually use.

This guide walks you through writing one in under an hour, using a template you can copy.

Why you need a policy (even a simple one)

Without any rules, three things happen:

1. Data leaks. Someone puts a customer’s full details into ChatGPT to draft an email, and now that data is in OpenAI’s training set (unless you’ve opted out).
2. Tool sprawl. Everyone picks their favourite AI tool. Suddenly you’re paying for five subscriptions, training no one, and you can’t move data between them.
3. Paralysis. Someone wants to use AI for something, nobody knows if it’s allowed, and they either give up or do it anyway without telling you.

A one-page policy fixes all three by answering three questions upfront.

The three-question framework

Your policy needs to answer exactly three things:

1. Which tools are approved?

List the tools your business is using or planning to use:

• ChatGPT (via paid account or free tier)
• Claude (via Claude.ai or API)
• Gemini
• Perplexity
• Specialized tools (HubSpot AI, Zapier, etc.)

For each tool, note:

• Who can use it? (everyone, only with business account, management only, etc.)
• What’s the data sensitivity? (low = drafts and research; high = customer or financial data)

Example:

ChatGPT (paid account):
- Who: anyone
- Data sensitivity: low (summaries, drafts, brainstorming only)
- Never: customer emails, pricing, contracts without redaction

2. What data never goes in?

This is the core of the policy. Draw a line.

Almost never:

• Customer names, account numbers, transaction details
• Employee personal information (phone, address, salary)
• Contracts or agreements (even redacted)
• Pricing, margin, costs (competition risk)
• API keys, passwords, secrets

Might be okay with redaction:

• Customer feedback (remove names)
• Call transcripts (remove personal details)
• Internal processes (remove specific business numbers)

Usually fine:

• General questions about your industry
• Help with grammar or structure
• Brainstorming and ideation
• Code review (if you’re a tech company, redact proprietary parts)

Put this in plain language your team understands. “Don’t put anything you wouldn’t say in a crowded café” is better than a long list of prohibited items.

3. Who decides if something is ready?

Every AI output that touches a customer needs approval before it goes live.

Set one rule: “A human reads it first.” That’s it.

Examples:

• AI drafted an email to a customer? Someone reads it before sending.
• AI wrote internal documentation? Someone checks the facts.
• AI generated code? A developer reviews it before it goes to production.

For small teams, the founder is usually the bottleneck. Consider delegating:

• Emails → team member with customer experience
• Technical work → your tech person
• Marketing copy → whoever owns the brand

Assign one person to “own” each approval category. Write it down.

The one-page template

Here’s a template you can copy, customize, and print. Takes 15 minutes:

---

[Your Company Name] AI Usage Policy Updated [date] | Review: [quarterly/annually]

1. Approved tools

Tool	Users	Data sensitivity	Notes
ChatGPT	All staff	Low	For drafts, summaries, brainstorming. No customer data.
Claude	All staff	Low	Same as ChatGPT.
[Your tool]	[Who]	[Level]	[Specific rules]

2. What data never goes in AI tools

❌ Never:

• Customer names, phone, email, account numbers
• Employee personal information
• Contracts, pricing, or financial data
• API keys or passwords

✅ With redaction (remove names/numbers first):

• Customer feedback
• Call notes
• Internal processes

✅ Usually fine:

• General research questions
• Grammar and writing help
• Brainstorming
• Code review

3. Before anything goes live

All output touching customers or business decisions gets reviewed by:

Category	Reviewer	Timeframe
Customer emails	[Name]	Before send
Marketing copy	[Name]	Before publish
Financial/legal	Founder	Before decision
Internal docs	[Name]	Before publishing
Code/technical	[Name]	Before deployment

---

How to roll it out

1. Draft it yourself (15 minutes using the template above).
2. Walk your team through it in a 10-minute meeting. Ask if there are tools or use cases missing.
3. Adjust one round based on feedback.
4. Post it where your team works (Slack, Google Drive, printed on the wall).
5. Revisit quarterly. As you use new tools or hit new situations, update the policy.

Don’t overthink it. A policy that exists and gets used is infinitely better than a perfect policy that lives in a drawer.

What happens when you get it wrong

You will. Someone will put customer data somewhere they shouldn’t, or you’ll discover a tool has a privacy issue you didn’t know about. When that happens:

1. Don’t blame anyone. The policy was unclear.
2. Fix the policy, not the person.
3. Update the team on what changed and why.
4. Move forward.

Small businesses learn by doing, not by predicting every problem. A policy that evolves is better than waiting for a perfect policy that never ships.

---

Next steps

Once you have a policy, start tracking which tools actually save time. See our guide on [[measuring AI training impact]] to find the real wins in your business.

You might also want a playbook for the next step: [[why SOPs matter before automation]].