Writing an AI Use Policy: A Practical Template for Small Firms

A section-by-section AI use policy template for small firms, covering approved tools, data rules, disclosure and review, with plain-English wording examples you can adapt in about an hour.

Why your firm needs this in writing now

Most small firms already use AI, whether the owner knows it or not. Someone in the office is pasting client emails into ChatGPT, summarising meetings with Microsoft Copilot, or drafting proposals with Claude. Without a written policy, every one of those actions is an individual judgement call about your client data, your reputation and your legal exposure. The risk is not that staff use AI; it is that they each invent their own rules.

The good news is that an AI use policy for a small firm does not need to be a twenty-page legal document. Four short sections cover what matters: which tools are approved, what data can and cannot go into them, when you disclose AI involvement, and how the policy stays current. This article works through each section with wording a non-lawyer can adapt in about an hour.

One caveat before you start. A template is not legal advice. If your firm handles special category data under UK GDPR (health, biometric or criminal-record information) or operates in a regulated sector such as financial or legal services, have a solicitor check the finished version before you circulate it.

Section one: approved tools and accounts

Name specific tools, not categories. "AI tools" is unenforceable; "ChatGPT Team, Microsoft Copilot and Claude, on company accounts" is a rule people can actually follow. The account point matters more than most owners realise: consumer tiers of some chatbots may use conversations to improve future models unless you change the settings, while business tiers such as ChatGPT Team, Copilot for Microsoft 365 and Claude for Work exclude your data from training by default. Paying for the business tier is often the cheapest compliance decision you will make all year.

Suggested wording you can adapt:

  • "Staff may use the following AI tools for work tasks, on company-provided accounts only: [list your tools]."
  • "Personal AI accounts must not be used for any work task, even briefly."
  • "Any tool not on this list requires written approval from [named role] before first use."
  • "Browser extensions and plug-ins that read page content count as AI tools for the purposes of this policy."

Keep the list short. Three or four sanctioned tools that people genuinely use beat a long list nobody reads, and a short list is far easier to review every six months.

Need a hand with this?

Our team delivers AI & Machine Learning for UK businesses — with a free initial consultation, transparent fixed quotes and no lock-in contracts. Tell us what you're working on →

Section two: data rules everyone can remember

The heart of the policy is a red list: things that never go into an AI tool, full stop. Keep it short and absolute, because nuanced rules get forgotten under deadline pressure.

  • Customer or staff names, addresses and contact details, unless the tool is covered by a signed data processing agreement.
  • Bank details, card numbers, payroll and pricing information.
  • Passwords, API keys and anything from your password manager.
  • Anything covered by an NDA or a client confidentiality clause.
  • Special category data of any kind: health, ethnicity, beliefs, biometrics, criminal records.

Pair it with a green list so the policy does not read as a ban: drafting text from scratch, working with publicly available information, and using properly anonymised examples are always fine. Anonymised means the person could not be re-identified from context, not just that you deleted the surname.

Remember that under UK GDPR your firm remains the data controller when staff put personal data into a third-party tool. The ICO expects you to treat AI vendors like any other processor, which means checking their terms and having a contract in place. Suggested wording: "Personal data may only be entered into tools where [named role] has confirmed a data processing agreement is in place."

Section three: disclosure and human review

Two questions decide this section: when do you tell people AI was involved, and who checks output before it leaves the building? The safest default for a small firm is that a human reviews everything client-facing, every time. AI drafts; people send.

  • "All AI-generated content must be reviewed and edited by the responsible staff member before it is sent to a client, supplier or the public."
  • "Where AI-generated images or video are used in marketing, this must not be presented as photography of our real work, premises or team."
  • "Any chatbot on our website must identify itself as automated and offer a route to a human."
  • "Errors in AI-assisted work are owned by the person who produced the work, not attributed to the tool."

That last line does a lot of work. Once staff know they are accountable for whatever they send, the review step stops being a formality. It also protects you commercially: a confidently invented delivery date or price in an AI draft becomes your firm's promise the moment it lands in a client's inbox.

Section four: ownership and review dates

A policy without an owner quietly dies. Name a role (not a person, so it survives staff changes) and commit to a review every six months. AI products change their features and their defaults frequently; a policy last touched in 2024 tells staff it does not really matter.

At each review, work through a short checklist:

  • Is the approved tools list still accurate, and are the account tiers still the ones we pay for?
  • Have any tools added features that change the risk, such as memory, connectors or changed training defaults?
  • Have there been any incidents or near misses since the last review?
  • What questions have staff actually asked, and does the policy answer them?

Suggested wording: "This policy is owned by [role], reviewed every six months, and version-dated at the top. Suggestions for changes are welcome at any time via [channel]."

Key Takeaway

Write four short sections: named approved tools on company accounts only, an absolute red list of data that never enters an AI tool, a human-review-before-sending rule with clear accountability, and a named owner with six-monthly reviews. Pay for business tiers so your data is excluded from model training, treat AI vendors as processors under UK GDPR, and launch the policy with a team walkthrough rather than a silent email attachment.

Rolling it out in an afternoon

A policy that lives in a forgotten folder protects nobody. The rollout is short but it matters:

  • 1. Draft the four sections using the wording above; an hour is realistic for a first version.
  • 2. Circulate it for comment for a week; the people using the tools will spot gaps you cannot.
  • 3. Run a thirty-minute team walkthrough, focusing on the red list and real examples from your work.
  • 4. Add it to your onboarding pack and your staff handbook.
  • 5. Store it somewhere findable and put the next review date in the diary.

Keep the tone practical rather than punitive. The goal is safe adoption, not prohibition: firms that ban AI outright usually just push usage onto personal phones where no policy reaches it. If you would like help choosing business-grade AI tools or setting them up safely, our team at Thind Global Services can help.

Work With Us

Need Help With Your Digital Strategy?

Our team of experts is ready to help. Get a free consultation and tailored proposal.