Guide + free template · AI governance

How to write an AI policy for your business

Your staff are already using AI, whether or not you have a policy. This guide shows you how to write one that keeps you safe without killing productivity, and gives you a free template you can copy and adapt today.

What is an AI policy, and why you need one now

An AI policy sets out how your people can and cannot use AI tools at work. It exists to capture the productivity of tools like ChatGPT, Copilot and Gemini while protecting you from the real risks: confidential data leaking into public tools, inaccurate output going out unchecked, and unfair automated decisions. A good policy is short, clear and permissive by design: it tells people what good use looks like, not just what is banned.

The urgency is simple: your staff are already using AI. Without a policy, they are guessing about what is safe, which means either they hold back and you lose the productivity, or they take risks you never sanctioned. A one-page policy fixes both.

What an AI policy should cover

Keep it tight. A workable policy covers these points and little else:

  • Purpose and scope: why the policy exists and who it applies to.
  • Approved tools: which AI tools are sanctioned, and that others need sign-off.
  • Acceptable use: the everyday tasks people are encouraged to use AI for.
  • Prohibited use: the clear red lines, especially around data and automated decisions.
  • Data and confidentiality: never put personal, confidential or regulated data into non-approved tools.
  • Accuracy and human review: a person checks AI output before it is used or sent.
  • Transparency: when AI use should be disclosed.
  • Security, roles and review: account security, who owns the policy, and when it is reviewed.

Free AI policy template

Copy the template below, change the bracketed parts to fit your organisation, and you have a working first draft. It is deliberately plain English and permissive; adapt the detail to your sector and risk appetite.

AI Use Policy · starter template
[ORGANISATION NAME] AI Use Policy
Version 1.0 · [DATE] · Owner: [NAME / ROLE] · Review date: [DATE + 12 MONTHS]

1. Purpose
This policy explains how staff at [ORGANISATION NAME] may use artificial intelligence (AI) tools at work. We encourage the responsible use of AI to do better work, faster. This policy sets the guardrails that keep us, our clients and our data safe.

2. Scope
This policy applies to all employees, contractors and temporary staff who use AI tools for any work purpose, on any device.

3. Approved tools
The following AI tools are approved for work use: [e.g. Microsoft Copilot, Claude, Google Gemini]. Using any other AI tool for work requires approval from [ROLE]. Use the business or enterprise version of a tool where one is provided.

4. Acceptable use
You are encouraged to use approved AI tools to: draft and edit documents and emails; summarise long material; analyse data; research; brainstorm; and prepare for meetings. AI is a tool to support your work, not a replacement for your judgement.

5. Prohibited use
You must not:
- Enter personal data, confidential or commercially sensitive information, or client data into any AI tool that is not on the approved list.
- Rely on AI output for any decision affecting a person (e.g. hiring, performance, customer outcomes) without meaningful human review.
- Present AI-generated work as fully checked when you have not reviewed it.
- Use AI in any way that breaks the law, our other policies, or a client contract.

6. Data and confidentiality
Treat anything you type into an AI tool as potentially leaving the organisation. Never input personal, confidential, regulated or client data unless the specific tool is approved for it and configured to protect that data. If in doubt, leave it out.

7. Accuracy and human oversight
AI can be confidently wrong. You remain responsible for any work you produce with AI. Always check facts, figures, names and sources before you use or send AI output.

8. Transparency
Disclose AI use where it matters, for example where a client expects human authorship, or where a decision must be explainable. When in doubt, be open about it.

9. Security
Protect your AI tool accounts as you would any work system: strong passwords, no sharing logins, and report any suspected misuse to [ROLE].

10. Responsibilities
[ROLE] owns this policy. Line managers are responsible for its use in their teams. Every member of staff is responsible for following it. Questions go to [NAME / EMAIL].

11. Training
Staff who use AI for work should complete the AI training provided by [ORGANISATION NAME].

12. Review
This policy will be reviewed at least every 12 months, and sooner if tools or regulations change significantly.

A policy is step one. The harder part is making sure your people can actually use AI safely and well, which is a skills question, not just a document. We teach AI governance and safe, productive use inside our AI apprenticeships and Level 5 leadership units.

How to roll it out (so people actually follow it)

A policy nobody reads changes nothing. Three moves make it land: keep it to a single page so people actually read it; pair it with short, practical training so staff know what safe use looks like in their real work; and review it regularly, because the tools and the rules (including the EU AI Act and UK guidance) keep moving. Governance and good use are two sides of the same coin, which is why we teach them together.

Frequently asked questions

How do I write an AI policy for my business?

Start from a simple template covering purpose, scope, approved tools, acceptable and prohibited use, data and confidentiality, accuracy and human review, transparency, security, responsibilities and a review date. Keep it to one page and permissive by design, then pair it with practical training so staff know what safe use looks like. You can copy our free template above and adapt it.

What should an AI policy include?

The essentials are: which AI tools are approved, what people can and cannot do with them, a clear rule never to put confidential or personal data into non-approved tools, a requirement for human review of AI output, and who owns and reviews the policy. Our free template covers all of these.

Do small businesses need an AI policy?

Yes. The risks, data leaking into public tools and unchecked output, apply to any organisation whose staff use AI, regardless of size. A one-page policy is quick to put in place and protects you. The free template above is a ready starting point.

What about the EU AI Act?

If you operate in or sell into the EU, the EU AI Act adds obligations depending on how you use AI, particularly for higher-risk uses like decisions affecting people. Build a human-review requirement into your policy now, and review it as guidance develops. We cover this in our governance and leadership training.

A policy is the easy part. Capability is the rest.

We help organisations write the policy and build the skills to use AI safely and productively, often funded by your apprenticeship levy.

This template is provided for general guidance and is not legal advice. Adapt it to your circumstances and take professional advice where needed.

Last updated: 19 June 2026