Write a One-Page AI Policy Your Team Will Actually Follow
If you manage a team, your people are already using AI at work — with or without your blessing. The only real question is whether they’re doing it with any guardrails. And here’s the trap: most attempts at an “AI policy” fail in one of two opposite ways.
Either there’s no policy at all, so everyone improvises and someone eventually pastes a customer contract into a random chatbot. Or there’s a twelve-page policy written by committee that nobody reads past the first paragraph, which in practice is the same as having none.
The fix is a policy short enough that people actually absorb it. One page. Here’s what belongs on it.
Rule 1: Say what it’s good for (permission, not just prohibition)
A policy that’s all “don’t” makes people either ignore it or avoid the tool entirely — and you lose the upside. Lead with encouragement. Name the things you actively want people using AI for: drafting, summarizing, brainstorming, rewriting, explaining code or contracts they don’t understand. Giving explicit permission is what turns a policy from a handcuff into a green light.
Rule 2: The one hard line — what never goes in
This is the rule that actually matters, so make it unmissable. There are categories of information that should never be pasted into a general AI tool:
- Customer or client data that identifies real people
- Anything covered by a confidentiality agreement or NDA
- Regulated data — health records, financial account details, legal specifics
- Secrets: passwords, API keys, internal credentials
The reason isn’t superstition. With many consumer AI tools, what you type
can be retained and, depending on the product and its settings, used as training data
The material an AI model learns from. With some consumer tools, the things
you type in can be fed back into improving the model — which means a
snippet of confidential text you pasted could, in principle, surface
influence elsewhere later. Business and enterprise tiers usually promise
they won’t do this, but the free consumer versions often make no such
guarantee. Always check the specific tool’s data settings.
If your company has an approved, paid tool with a proper data agreement, name it here, and point people to it as the safe place to do the riskier work.
Rule 3: Disclose and verify where the stakes are real
Two lightweight habits prevent most of the embarrassing failures:
- Verify anything that leaves the building or drives a decision. AI states wrong things with total confidence. A human signs off on anything client-facing or consequential before it goes out — the AI drafts, a person approves.
- Disclose when it matters. You don’t need a label on every reworded email, but be honest where it counts — AI-generated analysis presented as your own careful work, or content where your audience would reasonably want to know.
Rule 4: Keep it a living document
Say, in one line, that the policy will change as the tools do — and give people one name to ask when they’re unsure. The goal is a culture where someone asks “is it okay to use AI for this?” out loud, instead of quietly guessing. A question asked is a leak prevented.
A one-page template you can steal
How we use AI here
Use it freely for: drafts, summaries, brainstorming, rewriting, explaining things you don’t understand, first passes on analysis.
Never paste in: customer/client data, anything under an NDA, regulated data (health, financial, legal), or any password or key. For that kind of work, use [approved tool] only.
Before it goes out: a human reviews anything client-facing or decision-driving. AI drafts; a person approves.
When unsure: ask [name]. There are no dumb questions here — asking is how we stay safe.
That’s the whole thing. It fits on an index card, which is exactly the point.
The takeaway
A policy nobody reads protects nobody. Resist the urge to be comprehensive; be memorable instead. Encourage the good uses out loud, draw one bright line around the data that can’t go in, put a human check where the stakes are real, and make it safe to ask. Five sentences your team actually remembers will protect you more than fifty pages they never open.
Related: How to Pick Your First AI Task at Work — a filter for choosing which work to trust AI with in the first place.