SecurSentry
← All notes
EU AI Act

The AI Acceptable Use Policy Every Small Business Needs (Free Template)

Your team is already using AI tools. A short, clear AI acceptable-use policy turns scattered, ad-hoc habits into something you can stand behind — and it is more achievable than you think.

The short version

Somewhere in your business, right now, someone is pasting something into an AI tool. A draft email. A customer query. A spreadsheet they want summarised. It is fast, it is useful, and almost nobody asked permission, because there was no rule to ask about. That is exactly why you need an AI policy template to work from. Not to ban anything, but to turn a dozen private habits into one shared, sensible standard your whole team can follow.

The good news, as with most compliance, is that you are not as far behind as it feels. A workable AI acceptable-use policy for a small business is a short document, and you can build the first version in an afternoon. This guide walks you through what it needs to cover and how to write one that people will actually read.

Why your business needs an AI acceptable-use policy

An AI acceptable-use policy protects your business by setting clear ground rules for how your team uses AI tools — so useful experimentation does not quietly turn into a data leak or a reputational mistake.

The risk with AI tools is rarely the technology itself. It is the gap between how quickly people adopt them and how slowly the rules catch up. Someone pastes a client list into a free chatbot to “tidy it up.” Someone lets an AI draft a contract clause and sends it without checking. Someone shares confidential figures with a tool whose terms allow it to train on the input. None of this is malicious. It is just what happens when capable people are handed powerful tools with no guidance.

A policy closes that gap. It tells your team, in plain terms, what is fine, what is off-limits, and where to ask. It also gives you something to point to when a client, an insurer, or a procurement team asks how you govern AI use, a question that turns up in security questionnaires more and more often.

The honest reality

Most small businesses do not have an AI problem. They have an AI silence. The tools are already in use; nobody has written down what good use looks like. A policy is how you replace that silence with a shared understanding, not how you start policing your team.

What a good AI policy covers

A good AI acceptable-use policy covers four things: which tools are approved, what data must never go into them, who approves new tools, and what staff need to understand before they use AI.

You do not need a long document. You need these four areas covered clearly.

Approved tools

List the AI tools your business has decided are acceptable for work use, and the kind of work each is suitable for. This does not have to be exhaustive, but naming a sensible starting set means people are not guessing. If a tool has a paid business tier with stronger data protections than the free version, say which one is approved, because the difference matters.

Prohibited data

This is the most important section, so make it concrete. Spell out what must never be entered into a general AI tool: typically client or employee personal data, confidential commercial information, anything covered by a non-disclosure agreement, login credentials, and unreleased financials. Keeping personal data out of tools you do not control is closely tied to your obligations under UK data protection law, so this section protects you on more than one front.

Who approves new tools

New AI tools appear constantly, and someone on your team will want to try the next one. Name the person or role who signs off a new tool before it is used for real work, and give them a short checklist: what data would it touch, what do its terms say about that data, and is there a safer alternative? A single named owner stops shadow adoption without slowing your team to a crawl.

Staff awareness

Set out what people need to keep in mind: that AI outputs can be confidently wrong and must be checked, that AI is an assistant rather than a decision-maker for anything that affects a person, and that they should be honest about AI’s role where it matters. This connects directly to your legal responsibility for the AI tools your team uses. The output is yours once you act on it.

“An AI policy is not about distrusting your team. It is about giving capable people the boundaries that let them use powerful tools with confidence rather than guesswork.”

Writing your first version — keep it short and clear

To write your first AI policy, start from a template, fill in your real tools and data in plain English, and resist the urge to make it long — a one-to-three-page document people read beats a twenty-page one they ignore.

The blank page is the hardest part, which is why a template helps. Download or sketch a simple structure with the four headings above, then work through them for your actual business. A few principles keep the result usable:

You can genuinely draft this in an afternoon. The goal of version one is a clear, honest baseline, not perfection.

Rolling it out: acknowledgement and basic AI literacy

A policy only works once people have read it and understood the basics — so pair it with a simple acknowledgement step and a short briefing on using AI sensibly, which also supports the AI literacy expectation in the EU AI Act.

A document sitting in a shared drive changes nothing. Two small steps turn it into practice. First, ask each team member to confirm they have read and understood the policy. A name, a date, a tick is enough for a small team, and it gives you a simple record. Second, run a short briefing: what AI is and is not good at, why certain data must stay out of these tools, how to sanity-check an output, and who to ask when unsure.

That briefing matters beyond good housekeeping. The EU AI Act’s Article 4, in force since 2 February 2025, expects providers and deployers of AI systems (which includes most businesses simply using AI tools) to ensure their staff have a “sufficient level of AI literacy,” proportionate to how they use AI. The Act does not mandate a specific training course, a certificate, or even a formal written policy. The European Commission’s own guidance stresses a flexible, risk-based approach, and supervision of the literacy rules begins from August 2026. But a short written policy plus a brief literacy session is a sensible, proportionate way to show you have taken the expectation seriously. If you want the wider picture of how the Act applies to a small team, our EU AI Act guide for small businesses covers it in plain English.

A note on honesty

Saying you have an AI policy and actually having one your team follows are different things, and only the second protects you. The acknowledgement step and the briefing are what move you from the first to the second. Do not treat them as paperwork; they are the part that does the work.

Keeping it current as your AI use changes

Review your AI policy on a set cadence and whenever your tools change, because a policy written for last quarter’s tools quietly stops describing what your team actually does.

AI tools move fast. The version you write today will drift out of date as your team adopts new tools, as vendors change their terms, and as your understanding sharpens. Build in a light review rhythm rather than a one-off effort:

None of this is heavy. It is a short document with a named owner and a date, exactly the kind of small, durable habit that compounds. The work you do now becomes the foundation you maintain, not a project you repeat from scratch.


SecurSentry is launching soon to help UK SMEs put practical AI governance in place, from a clear acceptable-use policy to the wider obligations that sit alongside it, and carry that effort forward to every certification and questionnaire that follows. To be clear, this article gives you a starting-point template to write yourself; it is not an automated policy generator. Join the waitlist to be among the first to know when we open.

This article is for general information only and does not constitute legal or compliance advice. Requirements vary by organisation and context; where in doubt, consult a qualified professional.

Frequently asked questions

Does my small business legally need a written AI policy?

There is no UK law that says you must have a written AI acceptable-use policy as a specific document. However, the EU AI Act's Article 4 (in force since February 2025) expects providers and deployers of AI systems to ensure their staff have sufficient AI literacy, and a short written policy plus a briefing is a sensible, proportionate way to demonstrate you have done that. It also protects you against data-handling mistakes that existing data protection law already cares about. So while it is not a named legal requirement, it is good practice that supports obligations you already have.

What should an AI acceptable use policy cover?

At a minimum: which AI tools are approved for work use, what data must never be entered into them (client personal data, confidential information, credentials), who approves a new tool before anyone adopts it, and what staff need to understand before using AI — including checking outputs and being honest about AI's role. Keep each section short and specific to how your team actually works.

How long should a company AI policy be for a small team?

Shorter than you think. For a small business, one to three pages in plain English is usually enough. A long policy that nobody reads protects nobody. Write the version your team will actually follow, then expand it only as your AI use grows more complex.

Is an AI policy template enough on its own?

A template is a strong starting point — it stops you missing the obvious sections. But a template is a draft, not a finished policy. You still need to adapt it to your real tools and data, decide your approval process, brief your team, and ask people to acknowledge it. The template saves you the blank-page problem; the thinking is still yours to do.

Written by The SecurSentry Team

We write plain-English notes on security and compliance for small businesses — the things we wish someone had explained to us. Read more notes →

More from the blog

Security questionnaires

Vendor Security Questionnaire: What It Asks & How to Prepare

7 Jul 2026 · 7 min
Cyber Essentials

How to Choose a Cyber Essentials Certification Body

4 Jul 2026 · 6 min
Cyber Essentials

What Cyber Essentials Plus Actually Costs

1 Jul 2026 · 6 min

Be first to know when we launch.

Leave your email and we'll let you know the moment SecurSentry is ready. One email — no newsletters, no spam.

Just one email, at launch. We never share your data. Privacy policy.

You're on the list — we'll be in touch at launch.