Most small and mid-size businesses have no written policy governing how AI is used on company time — which means no guardrails, no accountability, and no protection if something goes wrong. This template changes that in an afternoon.
AI adoption inside most businesses is not being driven by a committee or a rollout plan. It is being driven by individual employees who found a tool that helps them work faster — the same way shadow IT spread a decade ago. Informally, inconsistently, and without any guardrails.
Right now, someone on your team is pasting a client proposal into ChatGPT. Client names, financials, and confidential details — entered into tools you have never reviewed or approved.
Free AI accounts typically use submitted data to improve their models. When employees use personal free accounts on company work, your business data may not stay private.
Your team is not trying to do anything wrong. They just do not know which data is off-limits, which tools are approved, or whether AI-generated content needs review before it goes to a client.
If an employee causes a data breach or compliance issue using AI — and nothing is in writing — you have very little to stand on. Not with the client, not with your insurer, and potentially not in court.
Most employees are not trying to cause problems. They just don't know where the line is. A written policy tells them, and it protects both the employee and the business.
A policy that skips even one of these sections leaves a gap that will eventually cost you. The template covers all six in plain language — no legal background required to read or use it.
Names which AI tools employees are authorized to use — and makes clear that anything not on the list requires approval before use. Visibility into what is running in your business is not optional.
The most critical section — and the one most businesses skip entirely. Defines what categories of data cannot be entered into any AI tool: client info, financial data, health records, PII, and NDA-covered material.
AI gets things wrong. Specifies that AI-generated content going to a client, prospect, or regulator must be reviewed by a human first. The AI does not carry the liability. Your business does.
Addresses whether employees use personal AI accounts on company work — and who owns that data. Business AI use should run through company-owned or company-approved accounts, not personal ones.
Defines when you must tell a client, partner, or regulator that AI was involved in producing something. Some contracts already require it. Some industries are moving toward regulatory requirements.
A policy with no enforcement is just a suggestion. Employees need to understand what happens when the policy is violated — not as a threat, but because clarity on consequences is part of professional accountability.
Most business owners who do try to put a policy in place make one of these three mistakes. Each one defeats the purpose. Here is how to avoid them.
These six steps take most businesses from nothing on paper to a distributed, acknowledged policy in under a month. The template covers the hardest part — you just fill in the specifics for your business.
Before you write a policy, know the landscape. Ask your managers. Survey your team. Find out which AI tools are in active use right now — approved or not.
Identify your most sensitive data categories before you write a single policy line. Client data, financial records, health information, proprietary processes — list them. These become your data rules.
Use the template from this page. Approved tools, data classification, output review, account ownership, disclosure obligations, violations. Keep it readable — a policy no one reads does not protect you.
This does not mean a six-month process. It means a single review by your attorney or HR advisor to catch anything jurisdiction-specific — especially if you handle regulated data.
Email is not enough. Build acknowledgment into your onboarding process and distribute it to your current team with a signed receipt or logged confirmation. If you ever need to prove an employee knew the policy existed, you need that paper trail.
Put a calendar reminder for six months out. The policy is a living document. Build that expectation in from day one — the AI landscape is moving fast, and your policy needs to keep up.
The AI Acceptable-Use Policy Template is built specifically for small and mid-size businesses. It is written in plain language — not legal jargon — and covers all six sections this video walked through.
Built for small and mid-size businesses. Covers all six sections. Adapt it to your business in an afternoon.
By submitting, you agree to our Privacy Policy. Xact AI Solutions will never sell or share your information.