Template
A one-page AI usage policy your staff can sign in under 15 minutes. Free to copy. Written for teams of 5 to 50, deliberately shorter than the enterprise templates you have already read. Rolled out with the 90-minute meeting at the bottom of this page.
1. Purpose. This policy sets out how [company] staff may use artificial-intelligence tools while performing their work, so we get the benefit without leaking client data, shipping confidently-wrong output, or breaking the data-protection rules we operate under.
2. Sanctioned tools. The AI tools staff may use for company work are: [ChatGPT Plus / Team], [Claude], [any client-hosted model]. Any other tool requires written approval from [role]. Personal accounts are never used for company work.
3. What must be stripped from a prompt. Client full names when a client identifier or alias will do. Bank details, tax numbers, government IDs. Passwords, API keys, session tokens. Unreleased plans or financials. Any data that would embarrass the company if it appeared in a training set.
4. Verification. No AI output goes to a customer, a regulator, or a public channel without a named human reviewer. Confidently-wrong output is treated as a defect, not a fluke.
5. Reporting a leak. If you believe sensitive data reached an AI tool it should not have, tell [role] the same day. No consequence for reporting quickly. Consequences for hiding it.
6. Review. This policy is reviewed every [quarter / six months / year] by [role]. Staff sign a fresh copy at each review.
Signature. I acknowledge the policy above and agree to work within it. Name, date, signature.
Repeat quarterly for the first year, then annually. New joiners sign the policy on day one, before they touch any AI tool.
A policy sets the rules. Training embeds the habits. NexBDM's Briefing is on-site safe-AI-use training that leaves your team with the sanctioned-tools list, the prompt-sanitisation cheat-sheet, and a walk-through of the exact scenarios above. Half-day tier is $490, full tier with 30-day check-in is $1,300.
Six sections, at minimum. Which AI tools are sanctioned. What data can and cannot go into a prompt. Who is accountable for AI output that touches customers. How employees report a suspected data leak. How the policy is reviewed. And a signature line so every staff member acknowledges the rules. Nine sections is common. Nothing above twelve is worth doing until you have run a review cycle.
One meeting, in that order: read the policy aloud together, walk through five real scenarios (a client email, a proposal, a support reply, a code snippet, a financial statement), have each person sign, and put the signed copies in a shared folder. Total time under 90 minutes. Repeat the exercise every quarter for the first year, then annually.
Yes. The seven-section template on this page is free to copy and adapt. If you want the policy plus on-site training to embed the habits behind it (prompt sanitisation, sanctioned-tools list, spotting confidently-wrong output), that is what NexBDM's Briefing does. Half-day tier is $490.
or email hjr@nexbdm.com