If your company is under 50 people and you’ve been waiting until you have a legal team to write an AI policy, you’ll be waiting forever. Here’s the short version that actually works.
Your team is already using AI
Whatever your size, someone on your team has put company information into ChatGPT this month. Maybe a draft email. Maybe a client document. Maybe code. Without a policy, you have no idea what’s going where, and your team has no idea what’s okay.
A policy isn’t about restriction. It’s about giving people a clear answer when they ask “can I use this for that?”
A small-company AI policy needs four things
1. A list of approved tools. Not “AI tools” in general. Specific tools by name. ChatGPT (free or paid), Claude, internal copilots, anything else. If a tool isn’t on the list, it’s not approved. Add tools when someone asks and you’ve vetted them.
2. A clear line on what data goes in. Client information? PII? Internal financials? Spell it out. The default for most small companies should be: nothing identifying about clients, nothing protected by NDA, nothing that would embarrass us if it leaked. When in doubt, ask.
3. Disclosure rules. When AI is used in client deliverables, do you tell the client? Most clients are starting to ask. Get ahead of it. We disclose by default. It’s easier than getting caught not disclosing.
4. Who to ask when you’re unsure. One named person. That person should be able to give a real answer within a day. If you don’t have someone like that yet, the policy says so, and you commit to figuring out who that is.
The template
A working draft you can adapt in a day:
[Company name] AI use policy
Approved tools: [list by name]
Data we don’t put into AI tools: client PII, anything covered by an NDA, financial records, employee records.
Disclosure: We tell clients when AI was meaningfully used in producing their deliverables.
Questions: Ask [name] before using a tool not on this list, or before putting in data you’re unsure about.
This policy updates quarterly. Last updated: [date].
Six lines. Ship it. Refine quarterly. A policy that exists and gets updated beats a perfect policy that’s still being drafted six months from now.
Need help adapting this to your specific industry or team? Send us a note. We do policy work as part of our training engagements.