Skip to content
Network Motion

Free resource · No sign-up

AI usage policy starter

Most SMEs don't have an AI policy; their staff use AI anyway. This starter closes that gap in an afternoon: adapt the square-bracketed parts, share it with your team, and you've replaced silent risk with clear rules.

Want it done for you?
1

Replace every [square-bracketed] item with your own tools, names and review cadence.

2

Share it with staff and ask for a read-and-acknowledge — a reply to one email is fine.

3

Diarise the review date. Tools change monthly; the policy should be looked at on a schedule.

Template — adapt before use

Acceptable use of AI tools

[Company name] · Version 1.0 · Owner: [name/role] · Next review: [date]

1. Why this policy exists

AI tools are useful and we encourage sensible use of them. This policy exists so that using them never puts client data, colleague data or the company at risk. It applies to everyone, on any device, wherever you're working.

2. Approved tools

Use the AI tools the company has approved and signed into — currently: [list your approved tools here, e.g. Microsoft 365 Copilot under the company account]. If a tool isn't on the list, ask before using it for work — the answer will often be yes once it's been checked.

3. What must never go into an AI tool

Never paste or upload: client names or client data; personal data about colleagues (HR, payroll, health); passwords or security details; financial records; anything covered by an NDA; anything you'd be uncomfortable seeing outside the company. If in doubt, treat it as confidential.

4. Free accounts and personal logins

Free, personal-account AI tools may use whatever you type to train their models. That's why work content only goes into company-approved tools on company accounts. Signing up for a new AI tool with your work email counts as using it for work — check first.

5. Check the output

AI output can be confidently wrong. Anything that leaves the company — quotes, advice, reports, code, contract text — gets checked by a person who understands it before it goes out. The sender remains responsible for what's sent, however it was drafted.

6. Personal data and UK GDPR

If a task involves personal data, the normal data protection rules apply exactly as they would without AI. If you're unsure whether something counts as personal data, ask [named person/role] before proceeding.

7. Questions and new ideas

Found a tool or use case that would genuinely help? Tell [named person/role] — the point of this policy is safe adoption, not prohibition. This policy is reviewed every [6/12] months, or sooner when the tools change materially.

Starter template by Network Motion (https://networkmotion.com). Free to adapt and use within your organisation. It's a sensible starting point, not legal advice — if your sector has specific regulatory requirements, have your adapted version reviewed.

A policy is the start, not the fix

The policy tells people the rules. Finding out which AI tools are already in use, what data they can reach and which are worth keeping — that's what our AI Readiness Assessment does in about two weeks.