Template

AI usage policy template for a small business.

A one-page AI usage policy your staff can sign in under 15 minutes. Free to copy. Written for teams of 5 to 50, deliberately shorter than the enterprise templates you have already read. Rolled out with the 90-minute meeting at the bottom of this page.

The template

1. Purpose. This policy sets out how [company] staff may use artificial-intelligence tools while performing their work, so we get the benefit without leaking client data, shipping confidently-wrong output, or breaking the data-protection rules we operate under.

2. Sanctioned tools. The AI tools staff may use for company work are: [ChatGPT Plus / Team], [Claude], [any client-hosted model]. Any other tool requires written approval from [role]. Personal accounts are never used for company work.

3. What must be stripped from a prompt. Client full names when a client identifier or alias will do. Bank details, tax numbers, government IDs. Passwords, API keys, session tokens. Unreleased plans or financials. Any data that would embarrass the company if it appeared in a training set.

4. Verification. No AI output goes to a customer, a regulator, or a public channel without a named human reviewer. Confidently-wrong output is treated as a defect, not a fluke.

5. Reporting a leak. If you believe sensitive data reached an AI tool it should not have, tell [role] the same day. No consequence for reporting quickly. Consequences for hiding it.

6. Review. This policy is reviewed every [quarter / six months / year] by [role]. Staff sign a fresh copy at each review.

Signature. I acknowledge the policy above and agree to work within it. Name, date, signature.

The 90-minute rollout meeting

  1. 10 minutes. Read the policy aloud. Every section.
  2. 40 minutes. Five real scenarios. For each, ask: what would you paste in? What must be stripped first? Who reviews the output? A client email. A proposal draft. A support reply. A code snippet with a real API key. A financial statement.
  3. 20 minutes. Everyone signs a printed copy. Photos of signed copies go into a shared folder titled [Company] AI Usage Policy.
  4. 20 minutes. Q&A. Name the awkward scenarios everyone already had this week and did not raise. Update the sanctioned-tools list on the spot if needed.

Repeat quarterly for the first year, then annually. New joiners sign the policy on day one, before they touch any AI tool.

When to get outside help

A policy sets the rules. Training embeds the habits. NexBDM's Briefing is on-site safe-AI-use training that leaves your team with the sanctioned-tools list, the prompt-sanitisation cheat-sheet, and a walk-through of the exact scenarios above. Half-day tier is $490, full tier with 30-day check-in is $1,300.

What should a small-business AI usage policy include?

Six sections, at minimum. Which AI tools are sanctioned. What data can and cannot go into a prompt. Who is accountable for AI output that touches customers. How employees report a suspected data leak. How the policy is reviewed. And a signature line so every staff member acknowledges the rules. Nine sections is common. Nothing above twelve is worth doing until you have run a review cycle.

How do I roll an AI usage policy out to a team of five to fifty?

One meeting, in that order: read the policy aloud together, walk through five real scenarios (a client email, a proposal, a support reply, a code snippet, a financial statement), have each person sign, and put the signed copies in a shared folder. Total time under 90 minutes. Repeat the exercise every quarter for the first year, then annually.

Is there a free AI usage policy template we can use?

Yes. The seven-section template on this page is free to copy and adapt. If you want the policy plus on-site training to embed the habits behind it (prompt sanitisation, sanctioned-tools list, spotting confidently-wrong output), that is what NexBDM's Briefing does. Half-day tier is $490.

Book The Briefing

or email hjr@nexbdm.com