PRACTICAL GUIDE

AI Usage Policy Template: A UK How-To Guide

June 2026

Search for an AI usage policy template and you will find two unhelpful extremes: a one-line ban that nobody respects, or a forty-page enterprise document written for a company with a legal department you do not have. Neither is much use to a UK SME whose staff are already pasting client emails into ChatGPT to draft replies. This guide closes that gap. It walks through how to write an AI usage policy section by section, then hands you a copy-paste starter you can adapt in an afternoon — written for the operator who needs a control that actually fits a small business.

The aim is not a document that sits in a folder. It is a short, readable rulebook that tells your team what they may do with AI, what they must never do, and who is accountable when AI is used on company or client data. That is the difference between a policy that reduces risk and one that just looks reassuring in a tender response. The structure below is the same one we use when scoping governance as part of our AI integration services, and it sits underneath the broader AI governance framework for SMEs.

What an AI usage policy actually is (and what it is not)

An AI usage policy is the staff-facing rulebook for how people in your business may and may not use AI tools with company and client data. It is a behaviour document: it governs what your team does at the keyboard. That makes it different from two things it is often confused with.

It is not a governance framework. A governance framework is the organisational machinery — the approval process, the impact assessments, the ownership, the review cadence — that keeps the policy true over time. The policy is one artefact produced by that framework. It is also not a tool-selection decision. Choosing whether to build on Copilot, Claude, or a bespoke tool is a separate commercial question; the policy governs how staff use whatever tools you have approved. Keep those three things distinct and the policy stays short. Blur them and it bloats into something nobody reads.

Why every UK SME needs one in 2026

The risk an AI usage policy addresses is already live in most small businesses, whether leadership knows it or not. Staff use consumer AI tools to draft, summarise, and research, and in doing so they routinely paste in material they should not: client personal data, commercially sensitive figures, draft contracts, internal credentials. On a free or personal tier, that data may be retained and, depending on the tool and plan, used to train future models. That is a data protection problem before it is an AI problem.

Under UK GDPR, the moment AI tools process personal data, the ICO's expectations apply: processing must be lawful, controlled, and accountable, and where AI processes personal data at any scale a data protection impact assessment may be required. There is no single law that mandates an AI usage policy, but a written policy is the cheapest way to demonstrate to an auditor, an insurer, or a client that AI use in your business is deliberate rather than accidental. It also closes off "shadow AI" — the unsanctioned tools staff reach for when no approved route exists. A clear policy paired with an approved route is how you bring that behaviour back into view.

How to write an AI usage policy: the seven-section structure

A complete, SME-scale AI usage policy needs seven sections and no more. Each one answers a question a member of staff or an auditor would actually ask. Work through them in order and the document writes itself.

1. Scope and purpose

State who the policy applies to (all staff, contractors, and anyone using company data), what it covers (any AI or generative tool used for work), and why it exists in two sentences. Keep it plain. The purpose line should make clear that the policy protects client data and the business, not that it exists to restrict people.

2. Approved tools register

List the AI tools staff are permitted to use, and — critically — make the register criteria-led, not a fixed allowlist. The tools change month to month; a hard-coded list is out of date within weeks. Define what makes a tool acceptable (UK or EU data residency, a business-grade plan that excludes your data from training, contractual data protection terms) and approve anything that meets the criteria. Name a person who maintains the register so it stays current.

3. Permitted and prohibited uses

Spell out the green and red lanes. Permitted: drafting, summarising, brainstorming, code assistance, research — using approved tools and non-sensitive data. Prohibited: pasting client personal data, credentials, or commercially sensitive information into any non-approved tool; relying on AI output without human review; using AI to make decisions about people (hiring, credit, discipline) without oversight. Concrete examples beat abstract principles here.

4. Data handling rules

Tie permitted data to approved tools using simple classification tiers — for example public, internal, confidential, and personal data. State plainly which tiers may go into which tools. The default rule that prevents most incidents is one sentence: never enter confidential or personal data into a consumer-tier AI tool. If your business already has a data classification scheme, reuse it rather than inventing a new one.

5. Human accountability

Make ownership unambiguous: the person who uses AI output is responsible for it. AI assists; it does not absolve. This single principle does more work than any other in the policy because it keeps a human in the loop on everything that leaves the building. State that AI output must be reviewed before it is sent, published, or acted upon, and that the reviewer owns the result.

6. Disclosure and transparency

Set out when AI use should be disclosed — to clients, in published content, or in regulated communications — based on your sector and client expectations. For many SMEs this is light-touch, but having a stated position avoids awkward conversations later and signals maturity to clients who ask.

7. Review, training and enforcement

Close with the housekeeping that keeps the policy alive: a named owner, a review date (at least every six months), a short training requirement so staff have actually read it, and a proportionate statement of what happens if the policy is breached. A policy with no owner and no review date is already out of date.

The copy-paste AI usage policy template

Here is a starter you can lift straight into a document and adapt. Replace the bracketed prompts with your specifics. This is a usable AI usage policy template, not a substitute for tailoring it to your business and sector — but it gets you to a working first draft in an afternoon rather than a week.

[Company Name] — AI Usage Policy
Owner: [name / role] · Version: 1.0 · Review date: [date, max 6 months out]

1. Scope and purpose. This policy applies to all employees, contractors, and anyone handling [Company] data. It governs the use of any AI or generative tool for work. Its purpose is to let staff use AI productively while protecting client data, company information, and our legal obligations.

2. Approved tools. Staff may use AI tools that meet all of: UK or EU data residency; a business-grade plan that excludes our data from model training; and contractual data protection terms. The current approved list is maintained by [name] and available at [location]. Tools not on the list must be requested before use.

3. Permitted uses. Drafting, summarising, research, brainstorming, and code assistance using approved tools and non-confidential data. Prohibited uses. Entering client personal data, credentials, or commercially sensitive information into any non-approved tool; sending or publishing AI output without human review; using AI to make decisions about individuals without human oversight.

4. Data handling. Data is classified as public, internal, confidential, or personal. Confidential and personal data must never be entered into a consumer-tier AI tool. When in doubt, treat data as confidential and ask [name].

5. Human accountability. The person who uses AI output is responsible for it. All AI output must be checked by a human before it is sent, published, or acted upon.

6. Disclosure. Disclose AI use to clients and in published material where [Company / sector] requires it. [State your position.]

7. Review and enforcement. This policy is reviewed at least every six months by the owner above, and whenever a new tool or data type is introduced. All staff must confirm they have read it. Breaches will be handled under [relevant disciplinary / data protection procedure].

Five mistakes that make an AI usage policy useless

Most failed policies fail the same handful of ways. Avoid these and you are ahead of the majority of SMEs.

How to roll it out so people actually follow it

A policy nobody has read is a liability, not a control — if anything it is worse than no policy, because it implies a diligence you have not exercised. The rollout matters as much as the drafting. Pair the document with a fifteen-minute briefing that covers the green and red lanes with real examples from your business, capture a simple sign-off so you can show staff have read it, and — most importantly — make sure there is at least one approved tool that does the job staff were reaching for. People follow the sanctioned route when it is easier than the unsanctioned one.

If you are not yet sure your business is ready to adopt AI in a controlled way, the AI readiness checklist is the right place to start before the policy; and if you would rather have the policy, the approved tools process, and the training designed together as one piece of work, that is exactly the kind of governance scoping our How We Work process is built for. A policy is a small document, but it is the foundation the rest of your AI adoption sits on. Get it right early and everything after it is easier.

FAQ

A workable AI usage policy for a UK SME covers seven sections: scope and purpose; an approved tools register; permitted and prohibited uses; data handling rules tied to data classification; human accountability for AI output; disclosure and transparency; and review, training and enforcement. For an SME the whole document should run to two to four pages. Anything longer tends to go unread, and an unread policy is a liability rather than a control. The point is not to be comprehensive but to be clear about what staff may do, what they must never do, and who is accountable when AI is used.

For most small UK businesses, a clear two-to-four-page AI usage policy is the right starting point and covers the immediate risk — staff pasting client data into consumer AI tools. A full governance framework is the broader system around that policy: an approved tools process, data protection impact assessments, ownership, and review cadence. The policy is the staff-facing rulebook; the framework is the organisational machinery that keeps it true. Start with the policy, then grow into the framework as AI use spreads across the business. The two are complementary, not alternatives.

There is no single UK law that says "you must have an AI usage policy." But the moment staff use AI tools to process personal or client data, UK GDPR and the ICO's expectations apply, and a documented policy is how you demonstrate that processing is controlled, lawful, and accountable. Where AI processes personal data at any scale, a data protection impact assessment may be required. In practice a written policy is the cheapest way to show an auditor, an insurer, or a client that AI use in your business is deliberate rather than accidental. It is strongly advisable rather than strictly mandatory.

Banning them outright rarely works — staff use them anyway on personal devices, which moves the risk out of sight rather than removing it. The more effective approach is criteria-led: define what makes a tool acceptable (UK or EU data residency, a business-grade plan that excludes your data from training, contractual data protection terms) and approve any tool that meets the criteria. That way the register stays current as the tools change month to month, and staff have a sanctioned route that is easier than the unsanctioned one. A criteria-led register beats a fixed allowlist that is out of date within weeks.

Review the policy at least every six months, and immediately whenever you approve a new tool, change a data classification, or the regulatory picture shifts. The AI tool landscape moves faster than most policy documents, so a fixed annual review is too slow. Put a named owner and a review date on the document itself, and treat the approved tools register as a living section that can be updated between full reviews without re-issuing the whole policy.

Want your AI usage policy designed properly?

Book a 30-minute discovery call. We will look at how your team already uses AI, the data they touch, and your sector, and help you stand up a policy, an approved tools process, and the training to make it stick — sized for an SME, not an enterprise. No sales theatre.
