How to write an acceptable-use policy for AI in two pages

12 May 2026

The rapid adoption of artificial intelligence in the workplace, particularly with tools like Microsoft Copilot, presents both significant opportunities and some new challenges. For UK small and medium businesses, navigating this landscape requires a pragmatic approach, and one of the most immediate needs is establishing clear guidelines for its use. An acceptable-use policy for AI isn't simply a formality; it's a critical document that protects your business, your data, and your employees.

However, the thought of drafting such a policy can feel daunting. Many leaders envision a thick, legalistic tome that no one will read. The good news is that for most SMBs, an effective AI acceptable-use policy can be concise, practical, and fit comfortably onto just two pages. This article will guide you through the key elements to include.

Why a Two-Page Policy is Sufficient and Smart

Before we delve into the content, it's worth understanding why a concise policy is often more effective than an exhaustive one:

  • **Readability and Comprehension:** Employees are far more likely to read and understand a short, clearly written policy. A long document is often skimmed or ignored.
  • **Agility:** The AI landscape is evolving rapidly. A shorter, principle-based policy is easier to update and adapt as new tools emerge or regulations change, without needing a complete overhaul.
  • **Focus on Principles:** A two-page policy forces you to focus on the core principles of responsible AI use rather than getting bogged down in every conceivable scenario, many of which may not yet apply to your business.
  • **Reduces Fear of the Unknown:** By setting clear boundaries early, you demystify AI and encourage constructive, safe exploration rather than outright avoidance or reckless experimentation.

Your goal is to provide a framework that empowers employees to use AI effectively while safeguarding the business.

Page One: Setting the Scene and Core Principles

The first page of your policy should establish the business's stance on AI and lay down fundamental principles.

**1. Introduction and Purpose:** Start with a brief statement of intent. For example: "This policy outlines the acceptable use of Artificial Intelligence (AI) tools and technologies by all employees of [Your Company Name]. Our aim is to leverage AI for efficiency and innovation while ensuring data privacy, ethical conduct, and compliance."

**2. Scope and Application:** Clearly state who the policy applies to (all employees, contractors, etc.) and what types of AI it covers (company-provided tools, third-party applications, personal tools used for work purposes). Mention that this policy supplements, and does not replace, existing IT security, data protection, and confidentiality policies.

**3. General Principles of Responsible AI Use:** This is the core of page one. Outline the overarching rules that govern all AI interactions. These should be high-level and easily remembered. Consider these points:

  • **Lawfulness, Fairness, and Transparency:** AI use must comply with all relevant laws and regulations (e.g., GDPR, intellectual property). Outputs should be reviewed for bias or inaccuracy.
  • **Accuracy and Verification:** AI-generated content or insights should always be reviewed and verified by a human expert before being used or shared externally. Do not blindly trust AI outputs.
  • **Confidentiality and Data Privacy:** Never input sensitive, confidential, or proprietary company information, or personal data of clients/employees, into public or unapproved AI tools. Assume anything entered into an unapproved AI tool might become public or be used for training purposes.
  • **Intellectual Property (IP):** Employees must respect existing IP rights. They should not use AI to infringe on copyrighted material or claim AI-generated content as their own original work without proper review and attribution where necessary. Outputs from AI tools may not be copyrighted by the user.
  • **Bias and Discrimination:** Be aware that AI models can reflect biases present in their training data. Always critically evaluate outputs to prevent perpetuating stereotypes, discrimination, or unfair treatment.
  • **Accountability:** The employee remains accountable for any decisions made or actions taken based on AI outputs, and for any content produced with AI assistance.

Page Two: Practical Guidelines and Consequences

The second page moves from principles to practical "do's and don'ts," and outlines the implications of non-compliance.

**1. Approved AI Tools and Usage:** Provide a clear list of AI tools that are approved for use within the company (e.g., Microsoft Copilot via official company licence). Specify if certain departments have access to particular tools not available company-wide. Crucially, state that employees **must not use unapproved generative AI tools** with company data or for company-related tasks without explicit permission from [e.g., your IT Manager or a designated AI lead].

**2. Data Handling Specifics:** Elaborate on the confidentiality principle with concrete examples:

  • **Sensitive Information Prohibition:** Reiterate that company confidential information, trade secrets, financial data, or any personally identifiable information (PII) of clients or colleagues must *never* be entered into public AI services.
  • **Internal Use Only:** If using AI tools on internal data, ensure the tool and its configuration guarantee data privacy and that data is not used for external model training. (This is where managed services like Microsoft Copilot excel, as they operate within your Microsoft 365 tenant boundaries).
  • **Data Labelling:** If your business has a data classification system, remind employees to adhere to it when working with AI.

**3. Output Review and Responsibility:**

  • **Human Oversight:** Emphasise that AI is a co-pilot, not an autonomous agent. All AI-generated content, code, reports, or communications must be carefully reviewed, edited, and fact-checked by a human before finalisation or external sharing.
  • **Attribution:** Discuss internal guidelines on when and how to attribute AI assistance in work products, if required (e.g., in research, content creation).

**4. Training and Support:** Briefly mention available training resources and who employees can contact for questions or concerns regarding AI use. This encourages responsible adoption.

**5. Non-Compliance and Review:** Clearly state the consequences of violating the policy. This should align with your existing disciplinary procedures. Also, include a statement about regular policy review (e.g., "This policy will be reviewed at least annually or as AI technologies and regulations evolve, by [Responsible Department/Person]").

By structuring your policy in this manner, you create a robust yet digestible document. It sets clear expectations, minimises risk, and enables your team to embrace AI's potential within defined, safe boundaries. Once drafted, ensure it is communicated thoroughly, perhaps with a short training session, and readily accessible to all employees. This proactive approach will serve your business well as AI continues to reshape the working landscape.