The one-page AI policy every UK SMB should have by next Friday

11 March 2026

Most SMBs have no AI policy at all. The few that do tend to have something written by an external consultant, full of jargon, that nobody on the team has actually read - including the leadership team that signed it off. It sits on the intranet, quietly contributing to the impression that 'we're doing AI properly' while everyone in the business pastes whatever they like into ChatGPT.

You can do better in an afternoon. Here's a template - one page, plain English, written for the people who'll actually use it.

What it should cover

The point of a one-pager is not to anticipate every situation. It's to give your team a clear default for the 90% of cases that come up every week, and a named person to ask for the other 10%.

  • The tools your business has approved. Be specific - 'ChatGPT Team', not 'AI tools'. List what's off-limits too: free public chatbots, anything that hasn't gone through your usual procurement.
  • What client or customer data must never be pasted into a public AI tool. Personal data, financial details, anything covered by an NDA, anything the client would be unhappy to see leaked. Give examples.
  • The 'human-in-the-loop' rule: AI drafts, humans approve. Nothing goes to a customer, regulator, or external party without a human reading it first.
  • Who to ask if you're not sure - a name, not a department. Ideally a single person, with a backup. 'When in doubt, message Priya' is a much more useful policy than 'consult the IT governance team'.
  • A simple 'when in doubt, don't' default. If your gut says it might not be OK, treat that as a no until you've checked.

Why this matters more than you'd think

Without a policy, your team is making it up as they go. Some are being too cautious and missing the productivity gains - they read one scary headline about hallucinations and quietly stopped using the £30/month tool you bought them. Others are at the opposite end, pasting client data into free chatbots because nobody told them not to. Both are risks - one to growth, one to trust - and both are completely avoidable.

The most common AI incident we see in SMBs isn't a sci-fi failure mode. It's a junior staffer pasting a draft proposal containing a client's confidential pricing into a free public AI to 'tidy it up', then hitting send on the polished version without anyone realising the data left the building. A one-page policy that simply says 'don't paste client data into public tools, use the approved one' would have prevented it.

What a good one-pager looks like

Keep it readable in 90 seconds. Use plain English. Avoid the words 'governance', 'framework' and 'controls' - your team isn't going to read those words, let alone act on them. Give examples next to every rule. Put the named person at the top, not the bottom. And date it - every policy needs a refresh date, even a one-pager.

If it's longer than a page, it's not a one-pager - it's a document people will skim once and forget. The whole point of the format is forced clarity.

Common pitfalls

  • Writing it once and never revisiting. The tools change every quarter. Reread your policy every six months at minimum.
  • Making it the legal team's policy. The team that owns the policy should be the team that uses AI most - because they're the ones who know what the real edge cases look like.
  • Treating it as a substitute for training. A policy tells people what to do. Training tells them why and how. You need both, but the policy is the cheaper one to do first.
  • Forgetting freelancers and contractors. They use your tools too. The policy needs to apply to them - and they need to be told, not just sent a link.

The follow-up

Once the policy is live, schedule three things in the diary: a fortnightly slot for someone to read recent AI-related incidents in the news (there will always be some), a quarterly check that your approved-tools list still reflects what you actually use, and a six-monthly rewrite. Done well, the policy gets shorter over time, not longer.

An AI policy isn't a compliance exercise. It's a productivity tool. Done right, it removes a layer of low-grade anxiety from your team and frees them to actually use the tools you've paid for.