Writing your team’s AI usage policy
Your team is already using AI. Some of them with company blessing, some quietly on personal accounts, all of them without clear rules — unless you have written some down. An AI usage policy is not about restriction. It does two jobs at once: it manages real risk, and it accelerates adoption by telling people exactly where the safe lanes are.
Why you need one now
The risk side. Without a policy, the failure modes are predictable: client information pasted into a personal account on a free tool, AI-drafted work sent to a client without review, and nobody accountable when something goes wrong. None of these require bad intent — just the absence of rules.
The adoption side. Uncertainty kills adoption faster than skepticism does. People who are unsure whether AI use is allowed either avoid the tools entirely or use them and hide it. Both outcomes are worse than honest, visible, governed use. A clear policy is permission in writing — and as Team adoption covers, people climb the adoption ladder faster when the ground under it is solid.
The six sections every policy needs
A good SMB policy fits on one or two pages. Anything longer goes unread. Cover these six things:
- Purpose and scope — why the policy exists and who it covers. Set the tone in the first sentence: this is here to help people use AI well, not to discourage them.
- Approved tools and accounts — which AI tools the company uses, and the rule that work happens on company accounts, not personal ones. Include a path for proposing new tools, so the list does not become a ceiling.
- Data rules — the heart of the policy. Name what must never go into an AI tool: client confidential information, personal information about employees or candidates, passwords and credentials, anything under NDA. Then say what is fine, so people are not paralyzed.
- Human review and accountability — AI output is a draft until a person has reviewed it. Whoever sends, publishes, or acts on AI-assisted work owns it. “The AI wrote it” is never an explanation for an error.
- Disclosure and transparency — when and how you tell clients that AI was involved in work delivered to them. The simplest durable rule: if a client asks, answer honestly.
- Training, support, and updates — who to ask, how new starters learn the tools, and how often the policy is reviewed. A policy with no named owner and no review date is dead within six months.
A template to start from
Copy this, replace the [BRACKETED] fields, and cut anything that does not fit how your business works. It is deliberately short — a policy people read beats a policy that covers everything.
[COMPANY NAME] — AI usage policy
Effective date: [DATE] | Owner: [NAME, ROLE] | Reviewed: quarterly
1. Purpose and scope
This policy sets out how we use AI tools at [COMPANY NAME]. It exists
to help everyone use AI confidently and safely, not to discourage use.
It applies to all employees and contractors whenever they are doing
company work, on any device.
2. Approved tools and accounts
We use the following AI tools under company accounts: [LIST TOOLS].
Use your company account, not a personal one, for any work task. If
you want to use a tool that is not on this list, ask [NAME/ROLE]. The
default answer is "let's evaluate it", not "no".
3. Data rules
Never enter into any AI tool:
- Client confidential information, unless [CONDITION, e.g. "the tool
is on our approved list and the client contract permits it"]
- Personal information about employees, candidates, or customers
- Passwords, API keys, or financial account details
- Anything covered by an NDA
Everything else — drafting, brainstorming, summarizing public or
internal non-sensitive material — is encouraged. When in doubt, ask
before you paste.
4. Review and accountability
You own what you produce, however it was produced. AI output is a
draft until a person has reviewed it. Anything sent to a client,
published, or used to make a decision must be checked by the person
responsible for it. "The AI wrote it" is never an explanation for an
error.
5. Disclosure
We are honest about how we work. If a client asks whether AI was used,
we tell them. For [DELIVERABLE TYPES, e.g. "client-facing reports"],
we disclose AI use proactively when [CONDITION, e.g. "the contract
requires it or the client has asked us to"].
6. Training, support, and updates
[NAME/ROLE] is the first stop for questions. New starters get a
walkthrough of our AI tools in their first week. This policy is
reviewed quarterly; suggest changes any time to [NAME/ROLE].
Last reviewed: [DATE].
Acknowledged by: ______________________ Date: ______________Rolling it out
A policy announced by email is a policy ignored by lunchtime. Roll it out the way you would any change — see Change management for the full playbook.
Write the first version with whoever handles your most sensitive data — client work, HR, finance. They know where the real exposure is. Keep it under two pages.
Walk through the draft in a team session and invite objections. Every “what about…” question you answer now is a violation you prevent later. Expect the data rules to generate the most discussion.
Publish the final version somewhere permanent, have everyone read and acknowledge it, and add it to onboarding for new starters.
Tools change, and so will your rules. Put a recurring review in the owner’s calendar. A 20-minute check four times a year keeps the policy alive; see Staying current for what to factor in.
Check your understanding
It manages real risk - client data in personal accounts, unreviewed AI output, no accountability - and it accelerates adoption by telling people exactly where the safe lanes are. A clear policy is permission in writing.
Client confidential information (unless your approved-tool and contract conditions are met), personal information about employees, candidates, or customers, passwords and credentials, and anything covered by an NDA.
Whoever sends, publishes, or acts on it. AI output is a draft until a person has reviewed it, and “the AI wrote it” is never an explanation for an error.
Next steps
With the rules written down, the next constraint is usage. Team adoption covers how to get people from “allowed to use AI” to actually using it well.