Do I need an AI policy for my business?
The short answer is yes. The longer answer is that most small businesses don't have one, don't know they need one, and are already using AI in ways that probably should be covered by one.
If your team is using ChatGPT, Copilot, Claude, Gemini or any other AI tool at work - even occasionally, even informally - your organisation needs a position on how that's done. An AI policy is how you set that position down in writing.
Here's what it actually involves and why it doesn't need to be as complicated as it sounds.
What is an AI policy?
An AI policy is a document that sets out how your organisation expects AI to be used by staff. Think of it as your organisation's constitution on AI - a set of ground rules that makes sure everyone is using these tools in a way that's safe, legal and in line with your values.
It doesn't need to be lengthy. A good AI policy for a small business or charity can be a few pages. What matters is that it exists, that staff have seen it, and that it covers the things that actually matter. It’s also good to distill it down to a single reference page so it’s easily checked at a glance.
What should it cover?
At a minimum your AI policy should address:
What AI tools staff are permitted to use and in what context. Free tools like the free version of ChatGPT handle your data differently to paid, business-grade subscriptions. Your policy should reflect that distinction.
What data can and cannot be shared with AI tools. Customer data, financial information, confidential business data and personally identifiable information should never be pasted into a free AI platform. Your policy needs to say this clearly.
Who owns AI-generated content. If a member of staff uses AI to produce a report, a marketing post or a client proposal, who owns that output? What disclosure obligations exist? Your policy should give staff clarity on this.
The requirement for human review. AI makes mistakes. It presents inaccurate information confidently. Any content generated with AI assistance must be reviewed and approved by a human before it goes anywhere near a client, a customer or the public. This is arguably the most important thing your policy can say.
Why does it matter now?
AI tools have gone from novelty to mainstream workplace tool in a very short space of time. The chances are your staff are already using them, with or without any guidance from you. Without a policy in place you have no visibility on how AI is being used in your organisation, no protection if something goes wrong, and no framework for staff who want to use AI responsibly but aren't sure where the lines are.
This isn't about restricting AI use. It's about making sure it happens safely and in a way that benefits your organisation rather than creating risk.
Do I need a solicitor to write one?
No. An AI policy for a small business is not a legal document in the same way a contract is. It's an internal policy - a set of expectations. You can write one yourself, adapt a template, or get support putting one together as part of training.
We include an AI Policy template as part of our AI 101 training session. Every participant leaves with a template they can take back and adapt for their own organisation on the day.
Where do I start?
If you want to put something in place quickly, start with four questions:
What tools are we using?
What data are we sharing with them?
Who is checking AI outputs before they go out?
Does everyone on the team know the answers to these questions?
If the answer to that last one is no, that's where to start.
If you'd like to know more about our AI training - which covers AI policy as part of a practical, hands-on session for your whole team - you can find out more and register your interest here.