Internal AI use policy: a one-page template
Write an internal AI use policy that fits on one page: allowed tools, forbidden data, human review, training and an owner. Template ready to copy.
An internal AI use policy does not have to be a forty-page document or go through the law firm. It fits on one page and comes down to five clear decisions: which tools your team may use, with what data never, who reviews what goes out, who trains people and who is in charge. In this article I give you those five decisions and a template you can copy today.
Let’s start with what a policy like this does not do. It does not remove the risk of someone leaking a client’s data. It does not turn your company into an artificial intelligence expert. It does not free you from your legal obligations. The one thing it does, and it is no small thing, is take a risk that today is scattered and invisible and put it in writing so it becomes visible and can be decided on. That alone changes a lot.
What is an AI use policy really for?
It exists so decisions stop being made one by one, in silence, on each employee’s computer. Right now, someone on your team decides several times a day whether to paste a client’s email into a free tool to get it summarized. They decide alone, with no shared criteria, and probably without knowing it can be a problem. A policy turns those loose decisions into a shared rule.
The problem underneath has a name: shadow AI, the use of AI tools by the team without the company knowing or controlling it. The policy is the direct answer to that problem. It does not eliminate it, but it brings into the open what is allowed and what is not, so people can do their job well without risking a nasty surprise.
A word on vocabulary, because I will use it several times. When I say “AI tool” I mean any program you write something to in plain language (an email, a contract, a question) and it returns text, a summary or an answer. Under the hood, that tool sends what you write to a computer that is not in your office, owned by another company. That detail, that your data leaves your control, is the reason behind almost the whole policy.
The five blocks of a one-page policy
Five blocks. Not one more. Each one answers a question your team actually asks.
1. Allowed tools
The first decision is what can be used. The most practical form is a list with three columns: allowed, requires permission and forbidden. “Allowed” are the tools the company has reviewed and approves for daily work. “Requires permission” are the ones you have to check before using, usually because they touch sensitive data or cost money. “Forbidden” are the ones that are not used, and it helps to say why, so it does not look like a whim.
A common mistake is leaving this list empty “until we study it properly”. While you study it, your team is already using something. A imperfect list today beats a perfect list next month.
2. Data that is never uploaded
This is the block that protects the most. It is the red line: the information that is not pasted into any AI tool, whether it is allowed or not. At a minimum this covers clients’ or employees’ personal data (names, emails, phone numbers, addresses), the company’s financial data, access credentials (passwords, keys) and anything covered by a confidentiality agreement with a third party.
The rule has to be so concrete that an employee in a hurry can apply it in two seconds. “Handle data carefully” is useless. “Do not paste the client list into any AI tool” works, because it leaves no room for interpretation.
3. Mandatory human review
Nothing generated by an AI tool goes out to a client, a supplier or an official body without a person reading it and taking responsibility for it. AI tools get things wrong with total confidence: they invent data, cite things that do not exist and always sound convincing. That confident invention is a hallucination, and it cannot be fully removed. The only reliable defense is a human reviewing before sending.
This matters especially in any text that commits the company: quotes, terms, legal replies, official communications. The review is not optional or “when there is time”. It is part of the job.
4. Training
A policy nobody understands is useless. The fourth block says who teaches what and how often. You do not need a huge training plan: a short session when someone joins, a reminder when the policy changes and a person to ask are enough. Training your team in AI is what turns a document into a habit.
Training also lowers the temptation of shadow AI. When people know what they can use and why, they stop looking for shortcuts on their own.
5. Owner
A person with a first and last name, not “the IT department” or “management”. Someone to ask when a new tool appears, someone who reviews the policy every so often and someone who decides on the doubtful cases. If everyone is responsible, no one is, and the policy ends up as an email nobody opens again.
The template, ready to copy
Here it is. Copy this block, fill in what is in brackets and you will have your policy on one page.
AI USE POLICY · [Company name]
Version [1.0] · Date [dd/mm/yyyy] · Owner: [First and last name]
1. ALLOWED TOOLS
- Allowed without asking: [tool A], [tool B]
- Requires the owner's permission: [tool C]
- Forbidden: [tool D] (reason: [...])
2. DATA THAT IS NEVER UPLOADED TO AN AI TOOL
- Clients' or employees' personal data
- The company's financial data
- Passwords, keys and access credentials
- Any information under a confidentiality agreement
3. HUMAN REVIEW
- Any AI-generated text that goes out to a client,
supplier or official body is reviewed and signed off by a person before sending.
4. TRAINING
- Every person gets one session when they join.
- For questions, ask: [Owner's name].
5. OWNER
- [First and last name] maintains this policy and reviews it every [6] months.
Adapt it to your company. A generic copy from the internet with no changes is almost worse than nothing, because it gives a false sense of being covered.
Mistakes when writing the policy
Banning everything. It is the most tempting reaction and the most counterproductive. If you ban any use of AI without offering an alternative, people do not stop using it: they use it in secret, and then you lose even the little visibility you had. Allowing with judgment protects more than banning blindly.
Copying a template without adapting it. Every company handles different data and uses different tools. A policy that does not mention your specific tools or your specific data is one nobody will apply.
Making it so long nobody reads it. If your policy runs ten pages, your team will read zero. The virtue of one page is that it is read in one go and remembered.
Not naming an owner. With no person behind it, the policy ages on its own. A new tool appears, nobody decides, and everyone goes back to doing what they think best.
Writing it and never looking again. Tools change every few months. A policy from a year ago may be recommending something that no longer makes sense. Give it a review date.
The criteria for deciding what goes in each column (what to allow, what to condition, what to forbid) is exactly what we work on in the course AI without hype: when (not) to use it in your company, with real cases and no guru promises.
One new concept every week
What about the GDPR and the AI Act?
An internal policy does not replace your legal obligations, it complements them. In Europe there are two rules that matter here. The GDPR (Regulation (EU) 2016/679) protects personal data and applies to you whenever you handle a person’s information, so block 2 of the template (the data that is never uploaded) is partly a way of complying with it. The European Artificial Intelligence Regulation, known as the AI Act (Regulation (EU) 2024/1689), governs how AI systems are used according to their level of risk, and for most companies that only use third-party tools the obligations are light.
If you want to understand what really applies to you and what does not, I explain it in detail in the guide to AI, GDPR and the AI Act for companies. And an important note: this is not legal advice. For specific decisions, consult a legal professional.
Policy checklist
- The policy fits on one page and anyone reads it in five minutes
- The tool list distinguishes allowed, requires permission and forbidden
- The forbidden-data list is concrete, not generic
- It is written down who reviews what goes out to a client before sending
- There is one owner with a first and last name
- The policy has a date and a next-review date
- The team knows where the policy is and who to ask
Frequently asked questions
Do I need a lawyer to write the internal AI use policy?
To write the one-page version, no. It is a common-sense operational document that management itself can draft with the template in this article. Your full legal compliance under the GDPR and the AI Act is another matter: for that a professional review is worth it, especially if you handle sensitive data. The internal policy and legal compliance are two separate layers that support each other.
How often should I update the policy?
Every six months is a good default rhythm, and whenever a relevant new tool appears or a law changes. AI tools evolve fast, so a policy written and forgotten ages badly. Put a visible review date in the header of the document so it does not slip past you.
Is an AI use policy worth it for a five-person company?
It is, and perhaps more than in a large one, because in a small company a single data leak does more damage. You do not need complicated processes: the same five-block page works. The difference is that the owner is probably you, and training can be a ten-minute conversation instead of a formal session.
What do I do if an employee ignores the policy?
The first thing is to understand why. Often non-compliance means the allowed tool did not work for them and they looked for an alternative. If it is a one-off slip, a reminder is enough. If it repeats, check whether the policy is realistic or whether training is missing. Punishing without understanding the cause only makes shadow AI hide better.
Should I allow only paid tools or free ones too?
It is not a matter of price, but of what happens to your data. Some paid tools offer guarantees that they do not use your information to train their models, and many free ones do not. What matters is reading what each tool does with what you give it, and that check is part of the owner’s job before putting a tool on the allowed list.