Skip to contentSkip to Content

Writing your team’s AI usage policy

Your team is already using AI. Some of them with company blessing, some quietly on personal accounts, all of them without clear rules — unless you have written some down. An AI usage policy is not about restriction. It does two jobs at once: it manages real risk, and it accelerates adoption by telling people exactly where the safe lanes are.

Why you need one now

The risk side. Without a policy, the failure modes are predictable: client information pasted into a personal account on a free tool, AI-drafted work sent to a client without review, and nobody accountable when something goes wrong. None of these require bad intent — just the absence of rules.

The adoption side. Uncertainty kills adoption faster than skepticism does. People who are unsure whether AI use is allowed either avoid the tools entirely or use them and hide it. Both outcomes are worse than honest, visible, governed use. A clear policy is permission in writing — and as Team adoption covers, people climb the adoption ladder faster when the ground under it is solid.

The six sections every policy needs

A good SMB policy fits on one or two pages. Anything longer goes unread. Cover these six things:

  1. Purpose and scope — why the policy exists and who it covers. Set the tone in the first sentence: this is here to help people use AI well, not to discourage them.
  2. Approved tools and accounts — which AI tools the company uses, and the rule that work happens on company accounts, not personal ones. Include a path for proposing new tools, so the list does not become a ceiling.
  3. Data rules — the heart of the policy. Name what must never go into an AI tool: client confidential information, personal information about employees or candidates, passwords and credentials, anything under NDA. Then say what is fine, so people are not paralyzed.
  4. Human review and accountability — AI output is a draft until a person has reviewed it. Whoever sends, publishes, or acts on AI-assisted work owns it. “The AI wrote it” is never an explanation for an error.
  5. Disclosure and transparency — when and how you tell clients that AI was involved in work delivered to them. The simplest durable rule: if a client asks, answer honestly.
  6. Training, support, and updates — who to ask, how new starters learn the tools, and how often the policy is reviewed. A policy with no named owner and no review date is dead within six months.

A template to start from

Copy this, replace the [BRACKETED] fields, and cut anything that does not fit how your business works. It is deliberately short — a policy people read beats a policy that covers everything.

AI usage policy template
template
[COMPANY NAME] — AI usage policy Effective date: [DATE] | Owner: [NAME, ROLE] | Reviewed: quarterly 1. Purpose and scope This policy sets out how we use AI tools at [COMPANY NAME]. It exists to help everyone use AI confidently and safely, not to discourage use. It applies to all employees and contractors whenever they are doing company work, on any device. 2. Approved tools and accounts We use the following AI tools under company accounts: [LIST TOOLS]. Use your company account, not a personal one, for any work task. If you want to use a tool that is not on this list, ask [NAME/ROLE]. The default answer is "let's evaluate it", not "no". 3. Data rules Never enter into any AI tool: - Client confidential information, unless [CONDITION, e.g. "the tool is on our approved list and the client contract permits it"] - Personal information about employees, candidates, or customers - Passwords, API keys, or financial account details - Anything covered by an NDA Everything else — drafting, brainstorming, summarizing public or internal non-sensitive material — is encouraged. When in doubt, ask before you paste. 4. Review and accountability You own what you produce, however it was produced. AI output is a draft until a person has reviewed it. Anything sent to a client, published, or used to make a decision must be checked by the person responsible for it. "The AI wrote it" is never an explanation for an error. 5. Disclosure We are honest about how we work. If a client asks whether AI was used, we tell them. For [DELIVERABLE TYPES, e.g. "client-facing reports"], we disclose AI use proactively when [CONDITION, e.g. "the contract requires it or the client has asked us to"]. 6. Training, support, and updates [NAME/ROLE] is the first stop for questions. New starters get a walkthrough of our AI tools in their first week. This policy is reviewed quarterly; suggest changes any time to [NAME/ROLE]. Last reviewed: [DATE]. Acknowledged by: ______________________ Date: ______________

Rolling it out

A policy announced by email is a policy ignored by lunchtime. Roll it out the way you would any change — see Change management for the full playbook.

Draft with the people closest to the risk

Write the first version with whoever handles your most sensitive data — client work, HR, finance. They know where the real exposure is. Keep it under two pages.

Review it with the team, not at them

Walk through the draft in a team session and invite objections. Every “what about…” question you answer now is a violation you prevent later. Expect the data rules to generate the most discussion.

Finalize and collect acknowledgements

Publish the final version somewhere permanent, have everyone read and acknowledge it, and add it to onboarding for new starters.

Review quarterly

Tools change, and so will your rules. Put a recurring review in the owner’s calendar. A 20-minute check four times a year keeps the policy alive; see Staying current for what to factor in.

Check your understanding

It manages real risk - client data in personal accounts, unreviewed AI output, no accountability - and it accelerates adoption by telling people exactly where the safe lanes are. A clear policy is permission in writing.

Client confidential information (unless your approved-tool and contract conditions are met), personal information about employees, candidates, or customers, passwords and credentials, and anything covered by an NDA.

Whoever sends, publishes, or acts on it. AI output is a draft until a person has reviewed it, and “the AI wrote it” is never an explanation for an error.

Next steps

With the rules written down, the next constraint is usage. Team adoption covers how to get people from “allowed to use AI” to actually using it well.

Last updated on