A team member asks if she can use ChatGPT to draft client emails. The owner says yes. Two weeks later, it turns out she has been pasting entire client briefs into a free account, including names, addresses, and project scopes, because no one told her otherwise. There was no approved tool, no guidance on what data could go in, and no process for checking output before it reached a client.
That is the gap a staff AI policy closes. It does not need to be a weighty compliance document. For a services firm of five to fifty people, a one-to-two page guide covers the essentials and puts a shared standard in place of a hundred individual guesses.
What is a staff AI policy?
A staff AI policy tells your team which AI tools they can use, how to handle data inside those tools, who checks outputs before they reach a client, and what to do if something goes wrong. For many owner-managed UK firms, one to two pages is sufficient. The Scottish AI Playbook describes it as essential protection for businesses of any size, not optional paperwork.
The policy typically covers seven things: which tools are approved, what data can go in and what cannot, who reviews AI outputs before they leave, who owns the policy and who champions it day-to-day, what training staff need, how to report an incident, and when the policy gets reviewed. That list sounds long until you write it out. Many owner-managed firms can cover all seven in under 800 words, and a one-page use-case mapping session before you start makes the drafting straightforward.
A 2024 Microsoft and TechUK survey found that 70% of UK SMEs were using some form of AI, but only 31% reported a clear return on investment. Scattered, uncoordinated use with no shared standard is often what eats the return, not the tool choice itself. A policy gives you a common baseline without creating a compliance burden.
Why does your business need one now?
The main risk for a services firm is what your staff feed into these tools. UK GDPR still applies when your team uses third-party AI. Your business remains the data controller, which means you are responsible for what goes in, how it is processed, and whether the tool you are using has appropriate data-processing agreements in place.
The Information Commissioner’s Office confirms that organisations remain responsible for UK GDPR compliance when using AI, including third-party systems, and must ensure lawful processing, data minimisation, and appropriate technical safeguards. Serious infringements can attract fines of up to £17.5 million or 4% of global annual turnover. The ICO fined Interserve Group £4.4 million in 2022 for failing to protect employee data in a digital system. Generative AI was not involved in that case, but the principle is unchanged: data handling requires a deliberate process, not an assumption that the vendor has it covered.
A vendor’s privacy page is worth reading, but it does not substitute for checking the actual contractual data-processing terms before your team puts client information into any tool. Beyond GDPR, sector regulators have their own expectations. The FCA has signalled that AI use by financial firms must sit within existing governance, operational resilience, and consumer protection frameworks. Professional bodies for solicitors and accountants have issued similar guidance. A simple staff policy is the minimum floor, not a replacement for sector-specific obligations.
Where do you start when writing one?
Start with a one-page table mapping each role in your firm to the AI tasks they might do, the data those tasks involve, and the risk level. That mapping becomes the backbone of your approved-tool list and your data rules. Once you can see what your team actually wants to use AI for, writing the seven policy sections takes an afternoon rather than a week.
The sections to include are: a brief purpose statement covering who the policy applies to and which tools it governs; an approved-tool list naming what is allowed and what is off-limits; data protection rules stating clearly that personal data and confidential client information do not go into unapproved tools; a human-review requirement so that AI outputs are always checked before reaching a client or influencing a decision; named roles covering who owns the policy and who acts as your internal AI champion; training expectations covering what staff need to understand before using any approved tool; and an incident-reporting process defining what counts as a problem and who to tell.
On tool selection, Spicy Advisory’s 2026 guide for UK SMBs recommends standardising on one core platform, such as Microsoft 365 Copilot or Google Workspace with Gemini, plus one external assistant. Tool sprawl makes compliance harder and reduces the chance that any single tool gets used well enough to pay back. The AI champion role, recommended by both the Scottish AI Playbook and Spicy Advisory, works best when it sits with a respected operator rather than the business owner, someone with time to trial tools, document what works, and support colleagues.
When is a simple policy not enough?
A one-to-two page staff policy is the right starting point for a 5-to-50 person services firm, but it has limits. If your business uses AI to make automated decisions about individuals, score creditworthiness, or screen job candidates, the EU AI Act classifies those as high-risk applications and the obligations are considerably more demanding than a simple internal guide can satisfy.
Three other limits are worth knowing. First, sector regulation: if your firm is FCA-regulated, SRA-supervised, or works under another professional body, you are expected to manage AI risks within existing governance frameworks, not treat them as informal experiments. A simple staff policy satisfies the minimum; it does not replace sector-specific compliance work.
Second, enforcement. Written policies alone have limited impact on how staff actually behave if your team does not know they exist, has not been trained on them, or sees no consequence for ignoring them. Research on SME data and cyber policies consistently shows that effectiveness depends on awareness, training, and consistent follow-through. A policy that is emailed out and never mentioned again is functionally the same as no policy.
Third, shadow IT. An overly restrictive policy that bans all AI without offering usable alternatives tends to push staff towards unapproved tools. The National Cyber Security Centre has documented the security risks of shadow IT in UK businesses. If your policy is all restriction with no workable solution, your team will route around it and your exposure increases rather than decreases.
What concepts belong alongside the policy?
The policy is one document among several things that need to work together. The most important supporting piece is checking the data-processing terms for each approved tool. A vendor’s assurance that they do not train on your data is worth reading, but the actual contractual terms need checking before client information goes anywhere near their platform.
Two practical habits keep the policy functional over time. The first is a four-week rollout: draft the policy, sense-check it against ICO guidance, have the business owner sign it off as policy owner, run a 60-to-90-minute staff briefing covering what is allowed, the data rules, and how to report an incident, and ask everyone to confirm they have read it. The UK Government AI Playbook describes appropriate human oversight of AI outputs as a core safety principle and recommends piloting with a defined success criterion, along with a clear decision point if the pilot does not deliver within a set period.
The second is an annual review. AI tools change quickly, and a policy written for today’s tool set will have gaps within twelve months as new tools appear and team use evolves. Kefihub’s 2026 guide for UK SMEs recommends treating the policy as a living document, updated whenever you significantly change your tool set. The ICO identifies ongoing incident reporting and review as standard expectations for any organisation processing personal data.
If your firm is in a regulated sector, schedule a run-past with your compliance adviser when you first draft the policy and again at each annual review. That step adds an hour to the process and removes a meaningful category of risk.