The 1-Page AI Usage Policy Every SMB Needs

5/29/2026 · 8 views · 9 min read

TL;DR

  • A 1-page AI policy beats a 20-page legal document because employees will actually read it.
  • Five sections are non-negotiable: approved tools, prohibited data, review rules, attribution, escalation.
  • Ship v1 in a week. Revise quarterly. Treat it as a living artifact, not a compliance checkbox.

After watching 30+ founders try to write an AI policy, my conclusion is this: anything longer than one page never gets read, and anything shorter than half a page never gets followed. The sweet spot is exactly one page — short enough to print, specific enough to enforce.

Why do most SMB AI policies fail?

The pattern is depressingly consistent. A founder reads a Reuters article about Samsung leaking source code into ChatGPT, panics, and asks legal counsel for an AI policy. Six weeks later a 17-page PDF arrives, full of capitalized defined terms and references to ISO standards. It gets emailed once. Nobody reads it. Employees keep pasting client data into whatever AI tool they were already using.

Definition: Shadow AI — unsanctioned use of AI tools by employees, outside any official policy or procurement track. A 2024 industry survey found 46% of employees have uploaded confidential data to public AI tools.

The 17-page version optimizes for the wrong reader. It's written for a hypothetical regulator who might audit you in three years. It needs to be written for the marketing coordinator who has 30 seconds between meetings and a deadline.

What does a 1-page policy actually look like?

Five sections. No legalese. Every line written so a non-lawyer can act on it without asking.

Definition: Approved tools list — the explicit set of AI products employees may use for company work, with a named owner per tool who handles access requests and renewals.

Definition: Prohibited data classes — the categories of information that must never be pasted into any AI tool, no matter how convenient. Always includes customer PII, financial records, source code under NDA, and unreleased product information.

Copy/paste 1-page AI policy template

This is the starting template. Replace bracketed sections with your specifics, print it on one page, post it in the company handbook, link it from every new-hire onboarding doc.

[COMPANY NAME] AI USAGE POLICY — v1.0 — Effective [DATE]

1. APPROVED TOOLS
You may use the following AI tools for company work:
- [Tool 1, e.g. ChatGPT Team — owner: IT]
- [Tool 2, e.g. Claude for Work — owner: IT]
- [Tool 3, e.g. GitHub Copilot — owner: Engineering]
Need a different tool? Request via [link to procurement form].
Personal/free AI accounts are NOT approved for company work.

2. PROHIBITED DATA
Never paste into any AI tool:
- Customer personal data (names, emails, phone numbers, addresses)
- Customer financial data (payment info, account balances)
- Source code marked confidential or under client NDA
- Unreleased product information, roadmaps, financial forecasts
- Employee data (salary, performance reviews, health info)
- Anything you would not put in a public LinkedIn post

3. REVIEW RULES
Every AI output that leaves the company (email, deliverable, code commit,
customer-facing content) must be reviewed by a human before sending.
The reviewer is responsible for the output, not the AI.

4. ATTRIBUTION
You don't need to attribute every AI-assisted edit. You DO need to
disclose AI involvement when:
- Producing public-facing thought-leadership content
- Generating customer deliverables billed by the hour
- Submitting work to a regulated process (legal filings, compliance)

5. ESCALATION
If you are unsure whether something is allowed — ask, don't guess.
Escalation path: your manager → [AI Champion for your team] → [Policy Owner].
Suspected data leak? Report to [security@company] within 24 hours.

Policy owner: [Name, role]. Next review: [date, quarterly].

That's it. One page. Notice what isn't there: no philosophy, no "we believe AI augments human creativity," no flowcharts. Just five enforceable sections.

Tool tip (Course for Business): When we run the 6-week program, the AI Champions (1:15-20) cohort drafts and field-tests this exact policy with their team in week two — before any production deployments. The Augment, don't replace framing shows up directly in the review rules section: the human reviewer owns every output, the AI does not. We then walk each champion through a shoulder-to-shoulder hot seat where they handle their team's first three policy edge cases live. Most teams ship v1 within seven calendar days. Walk through the program at https://course.aiadvisoryboard.me/business.

How do you actually roll it out?

Five steps, one week:

  1. Day 1: Founder drafts v0 by editing the template above. 30 minutes max.
  2. Day 2: Review with one IT person and one team lead. Adjust the approved tools list. Another 30 minutes.
  3. Day 3: Email policy to all-hands with a 5-line summary at the top.
  4. Day 4-5: Host two 15-minute office-hour sessions for questions. Track every "what about…" question — those become FAQ entries.
  5. Day 7: Post final v1.0 in the company handbook. Add to new-hire onboarding.

The mistake to avoid is committee design. The more reviewers, the worse the policy. Three reviewers maximum. Founder owns the final word.

Good vs bad policy lines

Bad: "Employees shall exercise appropriate judgment when leveraging AI-powered productivity tools in alignment with company values."
Good: "Don't paste customer data into any AI tool. If in doubt, ask your manager."

Bad: "AI outputs must be subject to appropriate quality assurance processes."
Good: "Read what the AI wrote before you send it. You're responsible for it."

The principle is simple: a policy that needs a lawyer to interpret won't survive contact with Tuesday afternoon.

Team scan (what AI champions report after week 1)

  • ~85% of staff read the policy when it's one page; under ~30% read longer versions
  • Top "what about…" question: "Can I use my personal ChatGPT for non-confidential brainstorming?" — answer goes in FAQ, not policy
  • Champions field most edge-case questions; only ~10% escalate to founder
  • Adoption highest in marketing, sales, and customer support — fastest beneficiaries of AI tools
  • One champion per ~17 staff handles a sustainable load of policy questions
  • First win: shadow-AI usage drops within two weeks because the approved-tools list removes the excuse
  • First friction: engineers want more nuance on code-confidentiality — handled with a one-page engineering addendum
  • First win on attribution: marketing finally has a clear answer for thought-leadership posts
  • Use case ranked #1 in week-2 retro: "I finally know what's allowed"
  • Saved-time estimate: ~2 hours/week per manager from fewer "is this OK?" Slack threads

Micro-case (what changes after 7-14 days)

A 90-person professional services firm rolled out this policy on a Monday. By Friday, the IT team had received eleven new tool-access requests via the official procurement form — the first time anyone had used it for AI tools. The shadow-AI footprint, measured by a follow-up survey two weeks later, dropped sharply: most employees who had been using personal ChatGPT accounts had migrated to the company Team workspace. The legal counsel, who had originally pushed for a 20-page version, signed off after seeing the audit trail from the approved-tools section. Within 14 days the policy was being cited inside Slack threads as the answer to "can I do X with AI?" — the surest sign it had become operational.

Note on this case: This example is illustrative — based on typical patterns we observe with companies of 30-500 employees, not a single named client. Specific numbers are rounded approximations of common ranges, not guarantees.

Tool tip (Course for Business): The policy is half the work. The other half is making sure every employee actually has the AI skills to act on it — otherwise the approved-tools list becomes a list of underused subscriptions. Our 6-week program pairs the policy rollout with the AI Champions (1:15-20) cohort and a structured Shoulder-to-Shoulder week so each team ships their first AI automation inside the policy boundaries. Augment, don't replace is the operating frame: the policy says "human reviews every output," the training shows them how to do that fast. Book a mapping call at https://course.aiadvisoryboard.me/business.

FAQ

Do we need a separate policy for each department? No. One company-wide policy plus short addenda (one page each) for departments with unusual needs — typically engineering, legal, and finance. The core five sections apply to everyone.

How often should we revise it? Quarterly. Add new approved tools as they're vetted, refine prohibited-data examples based on the questions champions surface, and update escalation paths if ownership changes. Track changes in a simple changelog at the bottom of the document.

What about contractors and freelancers? Include them. Add one line to your standard contractor agreement: "Contractor agrees to abide by [Company] AI Usage Policy v1.0, attached." Most contractors are using AI anyway — better to have them inside your policy boundary than outside.

Should the policy mention specific frontier models by name? List the approved tools (ChatGPT, Claude, Copilot, etc.) but don't lock yourself to a specific model version. Owners on the approved-tools list handle version changes — that's their job, not the policy's.

What about the EU AI Act? For SMBs, the 1-page policy is usually compatible with EU AI Act general-purpose AI obligations. If you have high-risk use cases (HR screening, credit scoring, biometric ID), you need additional documentation — but that lives in a separate compliance artifact, not the main policy.

Conclusion

A 1-page AI policy is not a downgrade from a 20-page version — it's an upgrade. Length is the enemy of compliance. The shorter and more specific you can make it, the more likely employees will read it, follow it, and use it as a decision tool instead of treating it as legal theater.

Pick a Monday. Draft v0 from the template in 30 minutes. Ship v1 by Friday. Revise it in 90 days based on the questions that actually came up.

If you want every employee to ship their first AI automation inside the policy boundaries within five days — book a 30-min call and we'll map your team's first week at https://course.aiadvisoryboard.me/business.
