Your Small Business Needs an AI Policy. Here’s a One-Page Template

Key takeaways
  • Your team is already pasting things into ChatGPT. The question is whether anyone has decided what’s okay to paste.
  • 11% of every paste into ChatGPT contains confidential data, per Cyberhaven research. That’s per paste, not per person.
  • A small business AI policy doesn’t need to be 40 pages. It needs to fit on one, name the approved tools, list the forbidden data, and set an “ask first” culture.
  • The template at the end of this post drops into Gamma, Notion, or Google Docs in about 30 minutes.

Pop quiz: do you know what your employees are pasting into ChatGPT right now?

If the answer is “no” or “I’d rather not think about it,” you’re not alone. And you’re also not in a great spot. Because somewhere between Monday’s coffee and Friday’s deadline, someone on your team is feeding client information, financial data, or proprietary documents into an AI tool that might be storing every word of it.

This isn’t hypothetical. Samsung famously banned ChatGPT internally after engineers pasted source code into it. Law firms have been sanctioned for AI-generated briefs full of fake case citations. And small businesses — the ones without a CISO or a 40-page handbook — are sitting ducks because they assume “we’re too small for this to matter.”

You don’t need a 40-page handbook. You need one page. Template’s at the end.

Why this matters more than you think

Let’s be real about what’s actually happening in your business right now. Your bookkeeper is probably using AI to draft client emails. Your sales rep is probably feeding meeting notes into a transcription tool. Your marketing person is definitely running copy through ChatGPT. And your receptionist? She figured out last month that she can summarize voicemails with an AI app on her phone.

None of these people are doing anything malicious. They’re trying to do their jobs faster and better. That’s a good thing. But without guardrails, “trying to do your job faster” can turn into “accidentally uploaded our entire client list to a public model” really quickly.

11% of every paste into ChatGPT contains confidential data, per Cyberhaven research. That’s not 11% of employees. It’s 11% of every paste. If your team uses AI even casually, the odds aren’t with you.

And the kicker: most small business owners don’t find out about a problem until a client asks why their information showed up somewhere it shouldn’t, or until an employee leaves and takes their AI-generated work product with them.

What a one-page AI policy actually does

A good policy isn’t about saying “no AI.” That ship sailed. Your competitors are using AI, your employees want to use AI, and frankly, AI makes a lot of work genuinely better.

What a policy does is answer the questions your team already has but isn’t asking out loud:

  • Can I use ChatGPT for work? (Yes, but…)
  • What can I put into it? (Here’s what you can’t.)
  • Free version vs. paid version — does it matter? (Big difference, actually.)
  • If I use AI to write something, do I need to tell anyone? (Sometimes.)
  • What happens if I screw up? (Better to ask first than apologize later.)

When you don’t answer these questions, your team makes up their own answers. And their answers are usually based on whatever they read on LinkedIn that morning.

AI can draft. Humans deliver. The human is responsible for what they send out, regardless of who — or what — wrote the first version.

The five things every small business AI policy needs

Skip the legalese. Here’s what actually matters.

1. What people can use

Name the tools. Don’t just say “approved AI tools” — list them. ChatGPT (paid version with data controls turned on), Claude, Microsoft Copilot, whatever you’ve vetted. If it’s not on the list, employees should ask before using it for work.

This sounds restrictive. It isn’t. You’re not trying to lock down innovation — you’re trying to make sure that when someone discovers a useful new tool, you take ten minutes to look at its data policy before it touches your business.

2. What people absolutely cannot put into AI tools

This is the most important section, and most policies get it wrong by being too vague. “Don’t share confidential information” is useless because nobody thinks the thing they’re about to paste counts as confidential.

Be specific. Things like: client names paired with details, social security numbers or financial account information, employee personnel data, anything covered by an NDA, source code, contract drafts before they’re signed, internal financials. Spell it out so there’s no ambiguity.

3. Disclosure rules

When does someone need to tell a client (or you) that AI was involved? This depends on your business, but here’s a reasonable default: if AI generated content that goes to a client as your professional work product, a human reviews it before it goes out. Period.

For internal stuff — drafting an email, summarizing a meeting, brainstorming — knock yourself out. For client-facing deliverables, AI is a starting point, not a finish line.

4. The accuracy rule

AI hallucinates. It makes up case law, invents statistics, fabricates quotes from real people. If your team uses AI output without verification, eventually you’re going to have a problem. The rule is simple: the human is responsible for what they send out, regardless of who or what drafted it. AI is an assistant, not an alibi.

5. The “ask first” clause

The most important sentence in any AI policy is this one: “If you’re not sure whether something is okay, ask before doing it.”

Build a culture where asking is rewarded, not punished. The alternative is a culture where people guess, and guessing is how you end up explaining to a client why their merger details were used to train a chatbot.

“But we’re too small for this.” Legitimate concern, and it doesn’t hold up. Small businesses are more exposed, not less — no IT department to catch problems, no compliance officer reviewing tools, often more sensitive client data per employee than a big company. A one-page policy takes about 30 minutes to roll out. Pretty good trade for not waking up one morning to a problem that costs you a client or a lawsuit.

How to actually roll this out without everything breaking

Don’t email it. Don’t post it on a Slack channel and hope people read it. Don’t bury it in the employee handbook.

Sit your team down for 20 minutes. Walk through it together. Take questions. The conversation is more important than the document, because the conversation is when you find out that Janet has been using an AI tool nobody knew about, and Mike has questions about whether his transcription app counts.

Then put a copy somewhere everyone can find it. Review it once a year, because the AI landscape changes faster than almost anything else in business right now. And update it when something new comes up — because something new always comes up.

The one-page template

Below is the template, written so you can paste it into Gamma, Notion, or Google Docs and customize the bracketed sections. Run it past your attorney if you want to be thorough, then walk your team through it.

[Company Name] AI Use Policy

Effective: [DATE] · Review Date: [DATE + 1 YEAR] · Owner: [NAME / ROLE]

Why this policy exists

We want our team to benefit from AI tools. We also need to protect our clients, our data, and our business. This policy tells you what’s okay, what’s not, and what to do when you’re unsure.

Approved AI tools

You may use these tools for work purposes:

  • [Tool 1 — e.g., ChatGPT Team or Enterprise]
  • [Tool 2 — e.g., Claude Pro or Team]
  • [Tool 3 — e.g., Microsoft Copilot]

If you want to use a tool not on this list for work, ask [NAME / ROLE] before using it. Five minutes of review now beats a much bigger problem later.

What you cannot put into AI tools

Never paste, upload, or share the following with any AI tool:

  • Client names combined with case, medical, or financial details
  • Social security numbers, account numbers, payment information
  • Employee personnel files or compensation data
  • Anything covered by an NDA or confidentiality agreement
  • Unsigned contracts, deal terms, or M&A information
  • Internal financial data not yet public
  • Login credentials, passwords, or API keys
  • Proprietary code or technical documentation

When in doubt, don’t paste it. Ask first.

Using AI for client-facing work

AI can draft. Humans deliver. Anything generated by AI that goes to a client as your work product must be reviewed and approved by a human before it’s sent. You are responsible for accuracy, tone, and appropriateness — not the AI.

Accuracy is your job

AI tools make things up. They invent statistics, misquote people, and state false information confidently. Verify any factual claim, citation, or data point before using it in client work or external communication.

Disclosure

  • Internal use (drafts, summaries, brainstorming): no disclosure needed
  • Client-facing written work: human review required
  • Legal filings or regulated communications: follow [INDUSTRY RULES]

When you’re not sure

Ask [NAME / ROLE] before doing it. We would much rather answer a question than fix a problem. There is no penalty for asking.

If something goes wrong

If you accidentally share something you shouldn’t have, tell [NAME / ROLE] immediately. Honest mistakes handled quickly are not a fireable offense. Hiding a problem until it gets worse is.

Acknowledgment

I have read this policy and understand my responsibilities for using AI tools at [COMPANY NAME].

Name:

Signature:

Date:

Final thought

The question isn’t whether your team is using AI. They are. The question is whether they’re using it with guardrails or without.

A one-page policy isn’t bureaucracy. It’s the difference between AI making your business better and AI making your business a cautionary tale on someone’s LinkedIn post.

Common questions about small business AI policies

Do we really need a written AI policy if we’re only five people?

More than a 500-person company does, actually. At five people, every employee handles more types of data and more client-facing outputs. There’s no IT department to catch a misstep and no compliance officer reviewing tool choices. A one-page policy takes about an hour to draft and protects the business from a long list of possible incidents. Most small businesses currently have no written policy — not because they decided they don’t need one, but because nobody’s made the hour available.

Isn’t ChatGPT safe if we’re just using it for emails and brainstorming?

Depends on which ChatGPT and what you put in it. The free consumer version may use your inputs to improve the model unless you turn that off in settings. The paid Team and Enterprise versions have different data handling. The risk isn’t ChatGPT itself — it’s the gap between what your team thinks the tool does with their data and what the tool actually does. The policy closes that gap by naming the approved version and what can go into it.

What about AI features baked into tools we already use, like Microsoft 365 or Google Workspace?

Treat them the same way. The policy should name the AI features inside your existing tools as approved (or not), and apply the same data-handling rules. Just because Copilot lives inside Word doesn’t mean a draft contract is safe to feed it — that depends on your tenant’s data settings and whether you’ve reviewed them.

How often should we update the policy?

Annually at minimum, and any time something significant changes — a major model release, a new tool added to the approved list, a regulatory update in your industry, or an internal incident worth learning from. The AI landscape moves fast enough that an unchecked policy from two years ago is closer to fiction than guidance.

What if an employee uses an unapproved AI tool anyway?

Treat it like any other policy violation: have a conversation, find out why (usually because the approved tools don’t do what they need), decide whether to add the new tool to the approved list or reaffirm why it’s off-limits. The “ask first” clause exists specifically to surface these moments before they become problems. Most unapproved-tool usage is a sign your approved list is incomplete, not that your team is reckless.

Should we have employees sign the policy?

Yes. A signature isn’t about being heavy-handed — it’s about making sure everyone read it and had a chance to ask questions. Add it to onboarding for new hires and re-sign it annually when you update the policy. The acknowledgment line at the bottom of the template is built for this.
Need help rolling this out across your team?

An AI Workshop walks your team through the policy, the approved tool list, and the data-handling rules in one session — built around your actual operation, not a generic template. Ninety minutes, your business, a clear plan when you walk out.
