AI Governance · 4 min read

AI Policy for Your Business: What It Should Include (with Template)

IT Buddy, 25 March 2026

Why you need an AI policy now

Chances are employees in your business are already using AI tools – with no rules in place. This does not necessarily mean something will go wrong. But it does mean you have no control.

An AI policy is not a bureaucratic document. It is a simple, clear description of:

  • Which tools are permitted
  • What they can be used for
  • What must never be shared with AI
  • Who is accountable

It does not need to be long. It does not need legal language. It needs to be read and followed.


What a good AI policy includes

1. Purpose and scope

Describe briefly why the policy exists and who it applies to. Keep it simple.

Example:

This policy applies to all employees of [Company Name] and describes the rules for using AI tools in a work context. The purpose is to ensure responsible, safe, and value-creating use of AI.


2. Approved tools

List which AI tools are approved for use. Everything else requires authorisation.

Example:

Approved tools:

  • Microsoft Copilot (included in M365 subscription)
  • Claude.ai Team
  • Grammarly Business

Use of other AI tools requires prior approval from [name/role].


3. What AI can be used for

Be concrete and positive – show what AI can actually contribute.

Example:

AI tools may be used for:

  • Writing assistance (emails, reports, presentations)
  • Summarising meeting notes and documents
  • Idea generation and brainstorming
  • Code assistance and debugging
  • Translation
  • Research and information retrieval (with source criticism)

4. What must never be shared with AI

This is the most important section. Be specific.

Example:

The following information must never be entered into AI tools without specific authorisation:

  • Personal data about customers, employees, or partners (names, email, address, national ID numbers)
  • Confidential business information (pricing, strategic plans, non-public figures)
  • Passwords, API keys, or access credentials
  • Health information
  • Legal information subject to confidentiality obligations

5. Human accountability and quality control

AI does not replace human judgement. This must be stated clearly.

Example:

Content generated by AI must always be reviewed and approved by a human before it is used, published, or shared. The employee who uses AI is accountable for the final result – including where AI has contributed.


6. GDPR and data processing

Example:

Use of AI tools that involves processing of personal data must be cleared with [data protection officer/CEO] in advance. A valid data processing agreement with the vendor is required.


7. Updates and ownership

Example:

This policy is owned by [name/role] and is reviewed at least once per year, or when significant changes occur in AI tools or regulation. Questions should be directed to [contact details].


Common mistakes when businesses create an AI policy

Too long and too legal
A policy nobody reads helps nobody. Keep it to one or two pages.

Only prohibitions, no guidance
Employees need to know what they can do, not just what they cannot. A pure list of prohibitions creates frustration and gets worked around.

Static document with no owner
The AI landscape changes rapidly. A policy with no named owner and no review plan is out of date before the ink is dry.

No training
Distributing a document is not enough. Set aside 30 minutes in a team meeting to walk through the policy. That is usually sufficient.


How long does it take?

For most SMBs, it takes one to two weeks to have a functioning AI policy in place:

  • Days 1–3: Map which AI tools are already in use
  • Days 4–7: Write the draft (use the structure above as a template)
  • Days 8–10: Involve key people, adjust, approve
  • Days 11–14: Communicate to all employees, run a short training session

This is not a large project. It is a question of prioritisation.


Want help?

IT Buddy helps Norwegian SMBs go from zero to working AI governance in two to four weeks. This includes mapping existing AI usage, drafting an AI policy, and training employees.

Take our AI Ready assessment – free and takes 5–10 minutes. You will receive a concrete report with recommendations tailored to your business.
