Most AI policies are 14 pages of risk-team prose nobody reads. This is a one-page policy framework built for B2B companies between $5M and $50M — the kind that fits on a poster, gets adopted, and still covers the things that matter.
Copy the seven sections below into your own document. Replace the bracketed examples with your actual tools, owners, and data categories. Get the document under one page.
The single best predictor that an AI policy will be followed: it fits on one page. The second best: it names a specific human to ask when in doubt. Almost nothing else matters.
Sample text: This policy covers how [Company] employees and contractors may use AI tools (including Claude, ChatGPT, Copilot, Gemini, and similar) in the course of their work. It applies to anyone with a [Company] email address. Questions about anything not covered here go to [Name, Title].
| Category | Examples | OK in approved AI tools? |
|---|---|---|
| Public | Marketing copy, published content, public regulatory filings | Yes |
| Internal | Process docs, internal memos, training material | Yes, with approved tools only |
| Confidential | Customer data, contracts, financial detail | Yes, only in enterprise-tier tools where the setting that excludes your inputs from model training has been confirmed |
| Regulated | PHI, payment card data, attorney-client privileged content | Only via tools and configurations explicitly approved for that data class |
Sample text: If you are unsure whether something fits this policy, ask [Name, Title] before doing it. There is no penalty for asking. There is a penalty for assuming.
Sample text: This policy is reviewed every 6 months by [Name] and [Name]. Material changes are communicated in the [weekly all-hands]. The current version always lives at [link].