How to Write an AI Policy for Your Small Business (With Template)
Why every SMB needs an AI use policy in 2026, the 9 sections it must contain, and a copy-paste policy template you can adapt in 30 minutes.
What Actually Goes Wrong Without an AI Policy?
What Are the 9 Sections Every SMB AI Policy Needs?
The Copy-Paste AI Policy Template
How Do You Roll Out an AI Policy Without It Being Ignored?
When Should You Involve a Lawyer?
The Bottom Line
Your employees are already using AI at work. Every survey says so, and every audit I run confirms it — including at companies whose owners were sure "we haven't rolled that out yet." The only question is whether they're using it under rules you wrote, or improvising with your client data in a free consumer account. This guide gives you the reasons, the nine required sections, and a complete copy-paste template so you can close that gap this week.
I've written and reviewed AI policies for companies from 5 to 200 employees. The ones that work all cover the same nine areas. Keep each to a short paragraph — the template below shows how compact this can be.
Name the specific tools and account tiers employees may use — for example, "Claude Team and ChatGPT Team accounts provisioned by the company." The tier matters as much as the tool: business plans exclude your data from model training by default, while free consumer accounts may not. Include a simple request path for new tools ("ask the owner; answer within a week") so the list can grow without being bypassed.
The most important section. List, concretely, what never goes into an AI tool at any tier: customer personal data, employee HR and payroll records, financial account numbers, credentials and API keys, unreleased financials, and anything under NDA. Concrete beats abstract — "no Social Security numbers, no bank details, no client contract terms" is followed; "no sensitive information" is interpreted.
Define when a human must review AI output before it's used. My default rule for clients: anything leaving the building — client emails, proposals, published content, invoices — and anything involving numbers, legal claims, or compliance statements gets human review, every time. Internal brainstorms and first drafts don't. This single rule would have prevented the $12,000 HIPAA incident above.
Decide, in advance, when you tell clients AI was involved. Check your client contracts first — a growing number of MSAs restrict or require disclosure of AI processing of client data. A defensible default: disclose when AI materially produced a deliverable or processes client data in an ongoing way (like meeting transcription), and name a human accountable for every deliverable regardless.
Frequently Asked Questions
Does a small business really need a formal AI policy?
Yes, once even one employee uses AI for work — and surveys consistently show a majority already do, often without telling their boss. A one-page policy takes about 30 minutes to adapt from a template and directly addresses the three most common AI incidents: confidential data pasted into consumer tools, unreviewed AI errors reaching clients, and unsanctioned shadow-AI accounts.
How long should an SMB AI policy be?
One to three pages. A 20-page policy written for a Fortune 500 will not be read, let alone followed, at a 15-person company. Cover approved tools, prohibited data, review requirements, and consequences in plain English. If an employee cannot summarize the rules after one read, the policy is too long.
What data should employees never put into AI tools?
At minimum: customer personal data, employee HR and payroll records, financial account numbers, passwords and API keys, unreleased financials, and anything covered by an NDA or regulation such as HIPAA. On consumer-tier AI accounts, treat every prompt as if it were being sent to an outside vendor — because it is.
Do we have to tell clients we use AI?
It depends on your industry and contracts, which is why disclosure gets its own policy section. Professional-services firms increasingly face client contracts that restrict AI use on their data, and some regulated fields require disclosure. A sensible default: disclose when AI materially produced a deliverable, and always keep a human accountable for the final product.
When should a lawyer review our AI policy?
Bring in counsel if you handle regulated data (HIPAA, financial, defense), your client contracts contain confidentiality or AI clauses, or you operate in a licensed profession. For a typical unregulated SMB, an owner-adapted template is far better than nothing, and a one-hour attorney review — typically $300-$600 — is cheap insurance once the draft exists.
How do we enforce an AI policy without becoming the AI police?
Make compliance easier than violation. Provide paid business-tier accounts for approved tools so nobody needs a personal workaround, run a 30-minute training with real examples, and treat first offenses as coaching moments. Reserve discipline for knowing violations involving prohibited data — the same standard you would apply to any confidentiality breach.