Clear Frame AI
All posts
·James Xu

How to Create an AI Usage Policy for Your Team

Most businesses are already using AI tools without any formal guidelines. Here is how to write a simple AI usage policy that reduces risk without killing productivity.

Your employees are already using AI tools. If you have not given them any guidance on how to do that, they are making their own decisions — about what data to share, which tools to use, and how much to trust the output. Some of those decisions will be fine. Some will not be.

This is not a hypothetical risk. Employees routinely share customer data, internal pricing, draft contracts, and confidential strategy documents with tools like ChatGPT and Gemini — not because they are careless, but because nobody told them not to. In most jurisdictions, sharing personal data with a third-party AI service that stores or trains on that data creates real legal exposure under data protection law.

An AI usage policy is not a bureaucratic exercise. It is a short, practical document that removes ambiguity, reduces risk, and gives your team clarity on what they can and cannot do. Most businesses can write a workable version in an afternoon.

Why Most Businesses Do Not Have an AI Policy Yet

The most common reason is that AI tool adoption happened faster than anyone's policy process. ChatGPT launched in November 2022 and reached 100 million users in two months. Most businesses did not have time to evaluate the risk before their staff were already using it.

The second reason is that AI policy feels like something large companies need. In practice, small businesses often have more risk, not less — they are less likely to have legal or compliance teams reviewing tool usage, and more likely to have employees making solo decisions about data handling.

If your team uses AI tools regularly and you have not set any guidelines, the policy you write today is already overdue.

What an AI Usage Policy Actually Covers

A practical AI usage policy does not need to be long. For most small and medium businesses, a one-page document covering four areas is sufficient to start:

  1. What data employees can and cannot share with AI tools
  2. Which tools are approved for use
  3. How AI-generated outputs should be reviewed and disclosed
  4. Who is responsible when something goes wrong

That is it. Policies that try to regulate every possible use case end up being ignored. Policies that cover the high-risk decisions clearly tend to be followed.

What Data Can Employees Share With AI Tools?

This is the most important section to get right, and it is where most of the real risk lives.

The core rule is simple: do not share data in an external AI tool that you would not be comfortable seeing published. That covers most of the cases without requiring staff to memorise a list of exceptions.

More specifically, employees should not share:

Customer or staff personal data

Names, contact details, purchase history, health information, account numbers — any data that identifies a real person. Most AI tools are cloud services, and sending personal data to them may constitute a disclosure under privacy law in your jurisdiction. In New Zealand, Australia, the UK, and Europe, this can create breach notification obligations and fines.

The practical workaround is anonymisation. If you need an AI tool to help process customer data, remove or replace identifying information before sharing it. "A customer in Auckland with order #12345" becomes "a customer."

Confidential business information

Pricing structures, unreleased product plans, financial projections, negotiation positions, acquisition targets. This is not just a legal risk — it is a competitive one. Some AI tools use conversations to improve their models, which means information you enter today could potentially surface in a response to a competitor tomorrow.

Check the terms of service for any AI tool your team uses. The data retention and training policies vary significantly between tools, and between the free and paid tiers of the same tool.

Content covered by NDAs or client confidentiality obligations

If you have signed a non-disclosure agreement, or if your clients trust you with information under an implied duty of confidentiality, that information stays out of external AI tools unless you have a data processing agreement in place with the provider.

Which AI Tools Are Approved?

Rather than trying to ban tools, approve a short list and build around that. Blanket bans on AI tools are almost impossible to enforce and drive usage underground where you have even less visibility.

A tiered approach works well in practice:

  • Approved for general use: Tools where you have reviewed the terms of service and are comfortable with the data handling — often the paid or enterprise tiers of major platforms, which typically offer stronger data commitments.
  • Approved for non-sensitive tasks only: Free-tier tools that may retain or train on data, acceptable for tasks that do not involve confidential or personal information.
  • Not approved: Tools with no clear data policy, tools based in jurisdictions with poor data protection standards, or tools that have not been reviewed.

This gives employees something to work with rather than a binary yes/no that forces them to either seek approval for everything or ignore the policy entirely.

How Should AI-Generated Outputs Be Used?

AI tools are useful but not infallible. Large language models produce confident-sounding output that is sometimes wrong, outdated, or fabricated. Your policy should set expectations for how outputs are handled.

The core principle: AI-generated content should be reviewed by a human before it is sent externally, published, or relied upon for a business decision. This is not about distrusting AI — it is about maintaining the same quality standard you would apply to anything else your business produces.

Specific cases worth addressing:

  • Customer-facing communications: AI drafts should be reviewed and edited by the person sending them. The business, not the AI, is responsible for what goes out.
  • Factual claims: If an AI tool gives you a statistic, a legal position, or a technical specification, verify it independently before using it. The confidence of the output does not correlate with its accuracy.
  • Disclosure: Some industries and some client relationships require disclosure when AI has been used to produce work. Know whether yours is one of them.

Who Is Responsible When AI Gets It Wrong?

The answer is the same as it has always been: the person or business that produced the output. AI is a tool, not a person, and it does not have legal liability. If your team sends a customer an AI-generated email containing incorrect information, your business sent that email.

Your policy should make this explicit. The goal is not to create a culture of blame — it is to ensure that employees understand that using an AI tool does not remove their personal responsibility for checking the output.

How to Write a Policy People Will Actually Follow

Most AI policies fail not because they are wrong but because they are unreadable. A fifteen-page document with a legal tone goes unread. A short, plainly written document with clear examples gets used.

A few principles that help:

Make it specific to the tools you are actually using. A policy that mentions ChatGPT, Copilot, or whatever your team uses is immediately more credible and useful than a generic document about "AI systems."

Focus on decisions, not tasks. Do not try to list every approved or prohibited use case. Instead, give employees a clear framework for making the decision themselves: does this involve personal data? Does this involve confidential information? Does this output need to be verified before use?

Keep the restrictions proportionate. The goal is to prevent real risks, not to eliminate AI use. Overly restrictive policies get worked around; balanced ones get followed.

Review it every six months. The AI tool landscape changes quickly, and a policy written today will need updating as your team adopts new tools.


If you are working through AI adoption for your business — whether that means setting policies, choosing tools, or figuring out which processes to automate — this is exactly the kind of advisory work we do. A short engagement usually gives you enough clarity to move forward confidently. You can read more about how we approach AI consulting or get in touch directly if you have a specific situation to talk through.

Questions

Frequently asked questions

What should an AI usage policy cover?
An AI usage policy should cover four things: what data employees are and are not allowed to share with AI tools, which tools are approved for use, how AI-generated outputs must be reviewed before use, and who is responsible when AI produces an incorrect result. A simple one-page document covering these four areas is enough for most small businesses to start.
Do small businesses need an AI usage policy?
Yes, especially if employees are already using AI tools — which most are. Without guidelines, staff will make inconsistent decisions about what data to share with tools like ChatGPT, which creates real legal and reputational risk. A brief, practical policy removes ambiguity without requiring a compliance department to administer it.
What data should employees not share with AI tools?
Employees should not share personally identifiable information about customers or staff, confidential business information such as pricing or unreleased strategy, client data unless the AI tool has a data processing agreement in place, and anything covered by NDAs or contractual confidentiality obligations. The practical test is: if this information appeared in a news story, would it cause a problem? If yes, it should not go into an external AI tool.
How do you enforce an AI policy without killing productivity?
Keep the policy short and specific rather than trying to cover every scenario. Focus restrictions on data, not on tasks — the goal is to prevent data exposure, not to ban AI use. Train staff on the two or three rules that matter most rather than presenting a document nobody reads. And build the policy around the AI tools your team is actually using, so the guidance is concrete and actionable.
JX

· Founder & AI Consultant at Clear Frame AI

AI and IT consultant with experience in enterprise systems, applied AI, and custom software delivery.

Need help with AI or IT consulting?

Clear Frame AI works with companies that want practical results from technology — not just plans and slide decks.

Book a consultation