How to Write an AI Usage Policy for a Small Business (Section-by-Section Template)
Most AI usage policies fail in one of two ways. They are written by lawyers for lawyers, run 20 pages, and get read by exactly nobody. Or they are written in a panic after an incident, ban everything, and get ignored by everybody.
A working policy for a company in the $1M-$50M range is one to two pages, written in plain language, and answers the only four questions employees actually have: what can I use, what can I put into it, what do I do with the output, and who do I ask when it is unclear.
Here is the structure, section by section, with the reasoning behind each choice.
Before You Write: Know What Is Already Happening
A policy written without an inventory regulates an imaginary company. Run an amnesty audit first: ask every employee which AI tools they use and for what, with a guarantee of no consequences. The answers will surprise you. In most companies, unsanctioned AI use is already widespread long before leadership writes a single rule.
The inventory tells you which tools to evaluate for official adoption, which workflows already depend on AI, and where your sensitive data has already been. Write the policy to govern the company you have, not the one you imagined.
Section 1: Purpose and Scope
Two sentences. The policy exists to let the company use AI productively while protecting customer data, confidential information, and work quality. It applies to all employees and contractors, on all devices, for all work-related tasks.
The phrase “all devices” matters. A policy that only governs company laptops sends sensitive work to personal phones.
Section 2: Sanctioned Tools
Name the specific tools the company has approved and pays for. Business-tier accounts, not free tiers, because the paid tiers are where data protection commitments live. Two or three tools cover most companies: one general assistant, one embedded in your main work platform, and whatever your industry tooling already includes.
State plainly that new tools can be proposed and how. A one-line request to a named person is enough process. If proposing a tool takes a form and a committee, employees will skip the proposal and use the tool.
Section 3: Data Rules
This is the section that earns the policy its existence. Three tiers work for almost every business:
- Never enters any AI tool: customer personal data, payment information, employee records, anything covered by a client confidentiality agreement, credentials and passwords, unreleased financials.
- Sanctioned tools only: internal documents, process descriptions, draft communications, code, anything you would not post publicly but could survive a vendor seeing.
- Any tool: public information, general research questions, brainstorming that contains no company specifics.
Give examples for each tier from your actual business. “Customer data” is abstract. “The contents of the CRM export” is not.
Section 4: Output Rules
AI output is a draft, not a deliverable. The policy should require human review before output reaches a customer, a financial decision, a legal commitment, or publication. Name the failure modes: fabricated facts, invented citations, wrong numbers, confident nonsense. Employees who have seen a hallucinated statistic take review seriously. The ones who have not will learn from the policy or from an incident.
For client-facing work, add a disclosure norm. Whether your contracts require disclosing AI use is a question for your attorney. Whether your reputation survives a client discovering it on their own is not.
Section 5: Accountability
One named owner. Questions, tool proposals, suspected incidents, and periodic review all route to this person. In companies without a compliance function, this is usually the operations lead or whoever owns vendor relationships.
Schedule the review. Twice a year is enough. The AI tool landscape changes fast, and a policy frozen in 2025 governs tools nobody uses anymore. Treat the policy like any other documented process: it only works if it is maintained.
Section 6: What This Policy Is Not
State explicitly that the policy is not a ban and not surveillance. Employees who fear punishment hide usage, and hidden usage is the exact problem the policy exists to solve. The companies that govern AI well are the ones where an employee can say “I ran this through the assistant” in a meeting without flinching.
The Template, Condensed
A complete first version, ready to adapt:
- Purpose: Productive AI use with protected data. Applies to everyone, every device, all work tasks.
- Sanctioned tools: [Your two or three tools.] Propose additions to [name].
- Data rules: Three tiers, with examples from your business.
- Output rules: Human review before anything external, financial, legal, or published.
- Owner: [Name.] Reviewed every six months.
- Spirit: Not a ban. Not surveillance. Visibility over prohibition.
Write it in an afternoon. Publish it before the next incident, not after.
The Policy Is Step One, Not the Whole Answer
A usage policy controls inputs and outputs. It does not tell you whether the company is actually ready to get value from AI, whether your data foundations support it, or where AI fits in your operations at all. Those are readiness questions, and they require measurement, not policy language.
The VWCG Strategic Assessment includes an AI Readiness module that scores governance, data practices, team capability, and use-case clarity in about 10 minutes. Companies that score well on governance but poorly on use-case clarity have a policy and no plan. The assessment shows which one you are missing.
Kamyar Shah has led 650+ consulting engagements, including fractional COO, fractional CMO, executive coaching, and strategic advisory, producing over $300M in client impact across companies in the $1M-$50M range. He built the VWCG Strategic Assessment from the same diagnostic frameworks he uses in paid engagements.