A bookkeeper pastes a draft tax letter into ChatGPT to clean up the wording. A junior account manager runs a customer complaint through Claude to suggest a reply. The marketing lead drops the new pricing model into Gemini and asks for a press release. None of them is doing anything wrong; all of them are doing it without a policy. If your business has fewer than fifty staff, you almost certainly have nothing written down. This piece is the one-page guide you can ship this week.
Why a one-page policy beats a fifteen-page one
The risk of an AI use policy is not that it is too short. The risk is that it is too long, lives in a folder, and never gets read. A one-page policy that staff have actually seen beats a fifteen-page policy that sits in a SharePoint site nobody opens. The job is to make the right behaviour the obvious behaviour, not to win an audit.
A useful policy answers four questions in language a new hire can read on their second day:
- Which tools are approved. Naming them is the single most important decision. “Use AI responsibly” is not a policy. “Approved tools are ChatGPT Team and Claude for Work; everything else needs sign-off” is.
- What data can go into them. Public marketing copy and meeting agendas, yes. Customer records, financial statements, contracts, employee data, anything covered by an NDA, no. The line should be readable in one sentence.
- What has to happen before AI output reaches a customer or a regulator. A named human reviews, edits, and signs off. The output is treated as a first draft, not a finished artifact.
- Who to ask when it is ambiguous. A named person (often the owner, often the COO, sometimes the ops lead) is the escalation point. Ambiguity is the rule, not the exception.
That is the whole policy. Everything else is procedure: how the approved-tool list is updated, how disclosures are handled in customer-facing content, what happens if a leak occurs. Those belong in a separate document that the policy points to.
The eight things that belong on the page
Working back from a hundred policies I have read in the last year, eight items earn their space:
- Scope. Who the policy applies to (all staff, all contractors, all interns) and what it covers (public AI tools, AI features inside approved SaaS, custom internal tools).
- Approved tools. A short list, named. Free personal accounts are usually banned for work; paid business accounts with admin controls are usually approved.
- Data classification. A two-line table: allowed, not allowed. Resist the urge to add tiers; staff cannot remember tiers.
- Human review rule. Customer-facing or regulator-facing output is reviewed by a named human before it leaves the building.
- Disclosure rule. When AI-generated content is material (the bulk of an article, an analysis, an assessment), it is disclosed. Routine drafting help is not.
- Ownership. Prompts, outputs, and any derivative work created by staff using AI tools belong to the business, full stop.
- Update cadence. Reviewed at least quarterly, ad hoc when a new tool is added or a regulator publishes guidance. The owner is named.
- Escalation. One person, named, reachable.
What does not belong
The temptation, especially after reading a few articles like this, is to start covering edge cases. Resist. The following do not belong on the one-pager:
- Detailed lists of prohibited prompt content. Staff cannot remember them; lawyers can argue them.
- Technical architecture notes. Where the data is processed belongs in the vendor diligence record, not the staff policy.
- Long disciplinary clauses. The policy points at the existing disciplinary procedure; it does not rewrite it.
- Training plans, intern sections, vendor-by-vendor breakdowns, roadmap statements. None of them survives contact with the second hire.
How to ship it this week
The path that works, again and again:
- Draft. Run the AI Use Policy Generator with a five-minute intake. You get a one-page policy on screen and in your inbox, free.
- Read it once. The default policy is honest. If two clauses do not match how you run, change them.
- Socialise. Two staff meetings, ten minutes each. The first is to flag that the policy is coming and ask for objections; the second is to confirm that it is now live.
- Sign. Upgrade to the printable PDF (a one-off nineteen dollars) and ask everyone to sign at their next one-on-one. The signature is the proof you wanted.
- Calendar. Put a quarterly review in the owner’s calendar. Most reviews change nothing; the calendar entry is what keeps it alive.
The honest summary
The AI use policy is the cheapest, most overdue piece of governance in most small businesses in 2026. It does not have to be perfect; it has to exist, be read, and be signed. The one-page version, written in language a new hire can understand and updated quarterly, beats the version that a consultant could write for you for thousands of dollars and that nobody opens. If you do not have one this week, you will not have one next week either. Spend the five minutes.
The generator below produces the policy free. The signable PDF is the upgrade. Nothing else is gated.