An AI Acceptable Use Policy is a short written agreement that tells your team which AI tools they can use, what data they can put into them, when human review is required, and who’s accountable when something goes wrong. For a 10-to-50-person business, a good first version is two to three pages, references one or two recognized frameworks, and gets reviewed every six months. The hard part isn’t writing it — it’s making sure it doesn’t end up unsigned in a folder.
What Is an AI Acceptable Use Policy and Why Do You Need One?
A regular Acceptable Use Policy (AUP) tells employees how to use company technology — email, internet, devices. An AI AUP is the same idea applied to a new category of tool that handles your data differently from anything before it. AI tools can memorize inputs, generate outputs that look authoritative but aren’t, and act on behalf of your employees in ways a spreadsheet never could.
You need one for three practical reasons. First, almost all of the modern frameworks (NIST AI RMF, ISO/IEC 42001) and most insurance and contractual asks now expect a written AI policy. Second, without one, your shadow-AI problem grows on its own — see our shadow AI overview for what that looks like. Third, if something goes wrong, you want a documented standard to point to. “We had no policy” is the worst answer you can give a regulator, an auditor, or a client’s procurement team.
What Frameworks Should an SMB Reference?
You do not need to become a compliance professional. You do need to know the two names that come up in every serious conversation.
NIST AI Risk Management Framework 1.0 (NIST AI RMF), published January 2023. Voluntary, free, organized around four functions — Govern, Map, Measure, Manage. It’s the de facto U.S. baseline. Most state and federal procurement contracts that mention AI now reference NIST AI RMF.
ISO/IEC 42001:2023, the international standard for AI Management Systems. Unlike NIST AI RMF, it’s certifiable — meaning a third-party auditor can issue you a certificate. Most SMBs don’t need certification yet, but if you sell to enterprise customers or work in regulated sectors, expect to see ISO 42001 in vendor questionnaires within the next 18 months.
NIST publishes a NIST-to-ISO crosswalk PDF if you need to show how your controls map between the two frameworks.
For policy templates, the SANS Artificial Intelligence Standard, published April 15, 2025, is the most useful starting point — free, no email gate, written in plain English. FRSecure and Adelia Risk also publish templates worth reading before you draft.
What Sections Should Your Policy Include?
A workable AI AUP for a 15-person firm typically covers nine clauses. Keep them short — one paragraph each is plenty.
- Approved tools list. Name specific products and tiers — “ChatGPT Enterprise via company SSO,” not “AI tools.” Vague approvals are the same as no approval.
- Prohibited inputs. Things that may never go into an AI tool: regulated data (PHI, CJIS, financial account data), client PII, trade secrets, source code if you’re not on an enterprise tier, internal financials. Tie this to whatever data classification scheme you already use.
- Human-review requirements. Any AI-generated output that goes to a customer, affects a financial or legal decision, or modifies a record requires a named human reviewer. The human owns the result.
- Disclosure rules. When to disclose AI involvement internally (in meeting notes, in draft markup) and externally (to clients, in published content). Many bar associations and industry codes now expect this.
- Data handling. Where AI inputs and outputs live, how long they’re retained, who has access to logs.
- Accountability. The human who submitted the prompt owns the output. AI is not a defense.
- Training and acknowledgment. Every employee touching AI tools signs the policy. New hires get it during onboarding. Annual refresh.
- Reporting. Where to report incidents, near-misses, and questions. Make this no-blame for near-misses — you’d rather hear about them.
- Cross-reference. Tie the AI AUP to your existing AUP, remote work policy, data classification scheme, and incident response plan. AI policy should never live in isolation.
You’ll notice penalties aren’t on this list. Discipline for policy violations belongs in your employee handbook, not your AI policy — that’s HR’s territory, and it should already exist.
How Do You Actually Roll It Out Without It Becoming Shelfware?
Here is what we typically see work across Western WA small businesses.
Sequence the rollout. Week 1: draft v1 from the SANS template, customize names and tools. Week 2: review with leadership and one or two power users — they’ll spot what’s unworkable. Week 3: distribute, hold a 30-minute all-hands explaining the why, collect signatures. Week 4: turn on the technical guardrails (DNS filtering categories, Microsoft Defender for Cloud Apps, Entra conditional access policies).
Pair the policy with a sanctioned tool. A rule that says “don’t use unsanctioned AI” without offering a sanctioned option will be ignored within a week. License one approved AI option for the whole team — even if it’s just Copilot Chat free tier signed in with company credentials — before you publish the policy.
Make the no-blame channel obvious. Set up a short Microsoft Form or shared mailbox where anyone can ask “is this OK?” before they paste something. The cost of one extra question is far lower than the cost of one unreported leak.
Don’t try to write penalties into the policy itself. Existing employee handbook discipline procedures already cover policy violations. Keep this document focused on what’s allowed, not what happens when it isn’t.
For broader compliance program questions, our IT compliance documentation requirements post covers what records to keep, and the compliance risk assessment frequency post explains how often to revisit it all.
How Do You Keep It Current?
AI tools change on a six-week cadence right now. Your policy can’t keep up — and it shouldn’t try. Set a calendar reminder every six months for a 60-minute review. Look at three things:
- Tools list. Are there new approved tools? Old tools deprecated?
- Incidents and near-misses. Did anything happen in the last six months that the policy didn’t anticipate? Update accordingly.
- External landscape. Has Washington passed an AI law? Has your industry regulator issued new guidance? Did your insurance carrier change its AI questions at renewal?
Reading this far doesn’t make you compliant with anything. NIST AI RMF and ISO 42001 are frameworks you align with, not certifications a blog post can confer. This article is not legal advice — if you’re in healthcare, legal services, or another regulated field, run the draft past your industry-specific counsel before publishing it internally. Our AI risks for healthcare and legal practices post covers the regulated-industry specifics.
ROI Technology Inc. helps Western Washington small businesses draft, roll out, and technically enforce AI policies. Contact us or call (888) 707-3652 to talk through an AI AUP for your team.