The 10-Minute AI Policy: Rules Your Team Will Actually Follow
71% of employees use AI at work without approval. Here's how to write a one-page AI policy that protects your business without slowing your team down.
The 10-Minute AI Policy: Rules Your Team Will Actually Follow#
Your team is already using AI. The only question is whether you’re driving the car or riding in the trunk.
Microsoft’s 2025 research found that 71% of UK employees use consumer AI tools at work without formal approval. Nearly half of those employees use them to draft emails; two in five use them for reports. The tools are free, easy to access, and faster than waiting for IT. So your people use them—and they don’t tell you.
KPMG’s 2025 data is even starker: 44% of employees admit they’re knowingly using AI improperly. That means they’re pasting client data into public chatbots, generating financial summaries they don’t verify, and hitting send on AI-drafted emails without a second look. No policy. No guardrails. No visibility.
The longer you wait to write rules, the more risk accumulates. But you don’t need a 50-page document. You need a one-pager your team will read, remember, and follow. This article gives you exactly that.
Why Your Business Needs an AI Policy Right Now#
Shadow AI is the new shadow IT. Your team is using tools you don’t know about, on devices you don’t control, with data you can’t track. Secureframe’s 2025 survey found that 38% of employees who use AI at work admit sharing sensitive company data with AI tools. That means client files, financial records, proprietary formulas—pasted into systems with no security agreement and no audit trail.
Meanwhile, only 36% of organizations have a formal AI policy in place, according to EisnerAmper’s 2025 research. The rest are hoping nobody makes a mistake.
Here’s what that hope costs:
- A small business that pastes client data into a free ChatGPT account carries full liability under data protection regulations. The tool provider has no obligation to protect that data. If it leaks, it’s your name on the breach notification.
- An employee who uses AI to generate a contract without review can bind your business to terms nobody checked. AI writes confidently even when it’s wrong.
- A marketing assistant who lets AI auto-respond to customer complaints can turn a minor issue into a public relations problem before anyone in leadership sees it.
The cost of inaction is real: data breaches, compliance violations, reputational damage, and legal exposure. The cost of a simple policy is ten minutes to write and five minutes to read.
The risk isn’t that your team uses AI. It’s that they use it without rules, without oversight, and without knowing where the lines are.
The One-Page AI Policy Framework#
A good AI policy answers seven questions. Answer them in order, fill in your company’s specifics, and you have a working document in under ten minutes.
1. Purpose & Scope#
Start with who this covers and what it applies to. “This policy applies to all employees, contractors, and temporary staff. It covers all use of AI tools—company-provided and personal, for any work purpose.”
The scope matters because people assume personal accounts are exempt. They’re not. If an employee uses their own ChatGPT subscription to summarize a client meeting, that data still left your business.
2. Data Classification Tiers#
Instead of listing every forbidden action, group your data into three tiers:
- Tier 1 (Never share): Customer personal information, financial records, passwords, proprietary formulas, anything covered by a non-disclosure agreement. This data never goes into an AI tool without explicit legal review.
- Tier 2 (Approved tools only): Anonymized analytics, internal documentation, general business questions. Use only AI tools your company has vetted and contracted with.
- Tier 3 (Free to use): Brainstorming, formatting help, general knowledge queries. No sensitive data, no client information, no business specifics.
The “when in doubt” rule is simple: default to Tier 1. If you’re not sure whether something is sensitive, assume it is.
3. Approved Tools List#
Name the tools your team can use and what they’re approved for. “We use [Tool Name] for drafting marketing copy, [Tool Name] for data analysis, and [Tool Name] for customer support responses. No other AI tools may be used for work purposes without written approval from [Role].”
This prevents tool sprawl and gives you a single point of accountability. When a new tool emerges, your team knows to ask before experimenting.
4. Prohibited Uses#
Be specific about what AI must never do:
- Make hiring or termination decisions without human review
- Generate legal documents, contracts, or financial commitments without legal sign-off
- Auto-send communications to clients, customers, or regulators without a person checking them first
- Process Tier 1 data in any unapproved tool
Specificity matters. “Don’t do bad things with AI” is useless. “AI cannot be used to screen job applications” is enforceable.
5. The Human Review Rule#
Every output generated by AI that reaches a client, customer, or regulator must be reviewed by a human before it goes out. No exceptions.
This is your primary quality control. AI writes confidently about things it doesn’t understand. A human check catches errors, hallucinations, and tone problems before they reach the outside world.
6. Incident Reporting#
When AI makes a mistake, or when data is shared improperly, your team needs to know what to do. “Report any AI-related incident immediately to [Role/Email]. Include what tool was used, what data was involved, and what action was taken. There will be no retaliation for good-faith reporting.”
The “no retaliation” clause matters. If your team fears punishment, they’ll hide mistakes until they become crises.
7. Review Cycle#
Set a review date six months from now. AI moves fast, and your policy needs to keep pace. Put it on the calendar today.
Seven sections, one page, ten minutes. Your policy doesn’t need to be perfect. It needs to exist.
The Data Tier System Explained#
Three tiers beat a long list of rules because people can remember three things. They can’t remember twenty.
To classify your business data, grab a whiteboard and list the types of information your team handles daily:
- Customer names, addresses, and account details
- Financial records and payment information
- Employee records and payroll data
- Proprietary product information and trade secrets
- Marketing materials and public-facing content
Sort them into the three tiers. When you’re done, print the tier definitions on a single page and give one to every employee. Post it by the coffee machine. Make it impossible to miss.
Here are examples for common small business scenarios:
- A retail shop: Customer purchase history is Tier 1 (personal information). Sales trends by month are Tier 2 (anonymized). General product descriptions are Tier 3.
- A professional services firm: Client files are Tier 1. Internal process documentation is Tier 2. Industry research articles are Tier 3.
- A healthcare practice: Patient records are Tier 1 (and subject to HIPAA, which means even stricter rules). Appointment schedules without identifiers are Tier 2. General wellness content for your blog is Tier 3.
The data tier system works because it’s simple. Simple gets followed. Complex gets ignored.
Getting Buy-In Without a Meeting#
The biggest reason policies fail? Nobody reads them.
Don’t send a policy email and hope for the best. Make it a conversation. Try the “AI amnesty”: invite your team to share what tools they’re already using, with no consequences. You’re not gathering evidence for discipline. You’re mapping reality so you can write rules that match how people actually work.
Frame the policy as permission, not restriction. Lead with “Here’s what you CAN do with AI” rather than “Here’s what you can’t.” Most people want to do the right thing. They just need to know what the right thing is.
Get one leader per department to model the behavior. When the office manager talks about using AI for scheduling and the head of client services talks about using it for email drafts, the rest of the team sees that AI is sanctioned, not suspicious.
This matters because 57% of workers hide their AI use from employers, according to KPMG’s 2025 study. Transparency starts with trust, not surveillance.
People follow rules they helped write and trust the intent behind. Involve your team in building the policy, and they’ll help enforce it.
Enforcement That Doesn’t Feel Like Enforcement#
Only 22% of organizations actively monitor AI usage, according to EisnerAmper’s 2025 survey. The rest rely on self-reporting and hope. There’s a middle ground.
Practical monitoring means monthly usage reports from your approved tools, not keystroke logging or screen recording. You need to know which tools are being used and for what purposes. You don’t need to read every prompt.
When violations happen, use an escalation ladder: informal chat first, formal warning if it repeats, disciplinary action only for willful disregard after clear communication. Focus on the process failure, “We didn’t make the rule clear”, not just the person.
Better yet, reward good AI use publicly. When someone finds a safe, effective way to automate a tedious task, celebrate it. Positive reinforcement sets the standard faster than punishment ever could.
Enforcement works when it feels like coaching, not policing. Build systems that guide behavior, not systems that catch people.
What to Do in the First 30 Days#
You don’t need a rollout event. You need consistent action:
- Week 1: Draft the policy using the framework above. Fill in your company name, your approved tools, and your tier definitions.
- Week 2: Get feedback from two or three trusted team members. Ask them what’s unclear, what’s missing, and what they’d change.
- Week 3: Roll it out in a brief team discussion, fifteen minutes, not a training session. Explain why it exists, what it covers, and where to find it.
- Week 4: First check-in. What’s working? What’s unclear? What’s missing? Take notes and schedule the six-month review.
Put the review on the calendar before you finish the rollout. AI will change between now and then, and your policy needs to change with it.
A policy that lives in a shared drive is a policy that doesn’t exist. Make it visible, make it discussed, and make it reviewed.
Your Next Move#
Your team is already using AI. A short, clear policy doesn’t restrict them, it gives them permission to use it safely. It tells them where the guardrails are so they can drive faster without worrying about the cliff.
The best AI policy isn’t the most comprehensive one. It’s the one people actually follow.
Draft yours this week. Not because regulators are knocking. Because your team is already on the road, and they need a map.
“Ready to implement this?” Get the templates, checklists, and step-by-step guides at Rozelle.ai ↗
Sources#
- KPMG (2025). “Trust, Attitudes and Use of Artificial Intelligence.” ↗
- Microsoft (2025). “71% of UK employees use consumer AI tools at work without approval.” Via Compare the Cloud ↗
- Secureframe (2025). “Why You Need an AI Policy in 2025 & How to Write One.” ↗
- EisnerAmper (2025). “AI Acceptable Use Policy for Employees.” Via Keystone ↗
- Zevonix (2026). “The AI Acceptable Use Policy Template for Small Teams.” ↗