A member of your team has been using ChatGPT to draft client proposals for the past three months. You find out not from them, but from a client who mentions it in passing. You have no record of what was shared, no idea whether personal data went into the prompts, and no written document to point to.
That situation is more common than many owners realise. Microsoft’s 2024 Work Trend Index found three-quarters of knowledge workers were using AI at work that year, frequently before any formal policy existed. A short written policy gives your firm something to point to that shows you took accountability seriously before anything went wrong.
What is an AI policy?
An AI policy is a short document that tells your staff which AI tools they can use for work, what they can and cannot put into them, and what to do when something goes wrong. It gives your firm a shared written record of acceptable use. For an owner-managed services firm of five to fifty people, one to three pages covers the ground.
The policy does not need to be drafted by a solicitor. The simplest version names the tools your team may use, sets a rule about what cannot go into a prompt, requires a human to check anything client-facing, and gives one person responsibility for maintaining it.
Your existing data protection, cyber security, and professional obligations all apply whether or not you have a written AI policy. A short document creates an accountability structure around how your team uses AI tools, one you can point to if the ICO or a client asks how you manage the risk.
Why does your business need one now?
UK data protection law applies to your team’s use of AI tools whether or not you have a written policy in place. The Information Commissioner’s Office is clear: if your team’s AI use involves personal data, you need a lawful basis for that processing, a way to assess the risk, and someone accountable for it. A written policy is the simplest way to demonstrate that accountability.
The ICO’s guidance on generative AI is specific: the organisation using an AI tool remains responsible for data protection compliance, even where a third party handles the processing. That responsibility covers what your staff put into prompts, what the tool returns, and what you do with the output. An AI tool that generates a client-facing document from information in your systems is subject to the same rules as any other processing activity.
The NCSC makes the same point from a security angle. Staff who paste sensitive client data into a free AI tool may be sending it to servers they know nothing about, with retention policies they have never read. A short policy that names approved tools and prohibits certain uploads addresses both the data protection exposure and the cyber risk in one document.
The UK Government’s pro-innovation AI white paper sets out five cross-sector principles for regulators: safety, transparency, fairness, accountability, and contestability. For a small firm, those five words are a useful internal check: could you show that each applies to how your team uses a given tool?
What does a simple AI policy actually contain?
A practical AI policy for a five-to-fifty-person services firm can fit on one side of A4. The core elements are scope, a list of approved tools, rules about what cannot go into a prompt, a human review requirement for client-facing work, a simple data classification, one named policy owner, and a short reporting step. Firms with heavier regulatory exposure will need more, but those seven cover the baseline.
Start with scope. Say the policy applies to any AI tool used for work, including generative AI, and covers all staff, contractors, and temporary workers. Name your approved tools and separate free public accounts from paid business plans, because data handling and retention often differ between the two. The policy should also say who approves new tools and how quickly, so staff are not working around a gap in the rules.
Define what cannot go into a prompt. For a UK services firm, the three categories that carry the highest risk are client personal data, commercially confidential information, and HR records. The ICO’s guidance on generative AI is explicit that prompts, uploads, and outputs all create data protection exposure, so none of these should go into an unapproved tool.
Set a human review requirement for anything going to a client, affecting a financial decision, or forming part of a contract. Requiring a human check before anything leaves the business is the most direct way to reduce the risk of AI-generated errors in your work.
Write a simple data classification. Three tiers are enough: public information, internal information, and restricted information. Map each tier to what can and cannot go into a prompt, and keep the categories short enough that staff can recall them without looking up the document.
Name one policy owner and set a clear reporting step. Give one person authority to approve new tools, update the policy, and handle incidents. Where a personal data breach is involved, the ICO’s standard reporting window is 72 hours from awareness. The reporting step exists so that the owner hears about a problem early, while it is still manageable.
When is a short policy enough, and when is it not?
A one-page policy is a reasonable starting point if your firm uses AI for low-risk internal tasks, such as drafting, summarising, or reviewing documents. If your business is regulated, whether by the FCA, a professional body, or another authority, a short document alone is unlikely to be sufficient. You will also need documented risk assessments, vendor due diligence, and recorded governance alongside it.
The FCA has signalled through its supervisory messaging that regulated firms cannot use AI as a reason to sidestep existing obligations. Consumer duty, operational resilience, and model risk management all remain in scope. Citing an AI tool as the source of an outcome is not a defence against a conduct finding.
Firms in legal, health, or professional services face similar expectations from their own regulatory bodies. A written AI policy is a starting point for governance work in those contexts, not the end of it.
The EU AI Act entered into force in 2024 and applies a risk-based model with obligations phasing in over time. If your firm sells into EU markets or uses AI in EU-facing services, it is worth checking whether the Act’s scope applies and noting it in your policy for future reference.
For an owner-managed services firm without heavy regulatory exposure, a one-page policy covers the baseline and is proportionate to the scale of the business. In a regulated sector, the same document is the floor, with governance to build above it.
What does an AI policy sit alongside?
An AI policy works best as part of a small cluster of related controls. Data handling rules, cyber security basics, acceptable-use guidelines, and incident reporting procedures all address overlapping risks. If you already have a data protection policy and an acceptable-use policy for IT systems, your AI policy may only need to extend those rather than start from scratch.
The NCSC consistently places basic cyber controls at the top of its recommendations for small organisations. Restricting what staff can paste into an AI tool extends those baseline controls around access and data handling. Connecting your AI policy to existing controls, rather than treating it as a separate document, makes it easier to maintain and more likely to be followed.
From a data protection angle, the ICO’s principle of data protection by design and by default applies whenever you introduce a new AI tool. The question to ask before approving one is whether it handles personal data consistently with your UK GDPR obligations, not just whether your staff will use it carefully.
The CMA has flagged risks around concentration in the foundation-model market, including vendor lock-in and misleading capability claims. If you are evaluating AI tools, it is worth checking whether your contract lets you move your data if the product changes, and whether the vendor’s claims about capability are actually verifiable.
A short policy, maintained by one person, reviewed annually, and connected to your existing data and cyber controls, is a proportionate approach to AI governance for a small firm. If your team is already using these tools, writing one now is the straightforward move.