Most companies are moving fast with AI. Almost none of them have a policy for it.

Your team is already using ChatGPT, Gemini, Copilot, and a dozen other tools to get work done faster. That is a good thing. But without a clear framework around it, you are also making decisions you do not know you are making: which tools are approved, what data can be uploaded, who owns the output, and how you handle client confidentiality when an employee pastes a brief into a free account.

These are not theoretical questions. They are decisions being made inside your business every day, just without your input.[1]

Here is how to change that.

Start With a Tool Audit

Before you write a single rule, find out what your team is actually using. Send a short anonymous survey or have a direct conversation. You will likely discover five to ten AI tools being used across your organisation that you did not formally approve.[2]

Categorise each tool into three buckets: approved for all use, approved with restrictions, and not permitted. This becomes the foundation of your policy.

Define What Data Can and Cannot Be Used

This is the highest-risk area for most businesses. The rule of thumb is simple: if it would be confidential in an email, it is confidential in a prompt.

Set clear written rules around the following:

If your team does not know the difference between a free ChatGPT account and ChatGPT Enterprise, that gap alone is worth addressing immediately.

Clarify Who Owns AI-Generated Output

This matters more than most businesses realise. If a team member uses AI to write a proposal, a strategy deck, or client-facing content, the question of ownership and liability is not always straightforward.[4]

Your policy should state clearly that all AI-generated output must be reviewed and edited by a human before it is shared internally or externally. One person should be accountable for every piece of work, regardless of how it was produced.

Set Up an Escalation Process

Not every situation will fit neatly into the rules you write today. New tools will emerge. Edge cases will come up. Your team needs to know who to ask when they are unsure.

Designate one person as your internal AI point of contact. That could be a department head, a digital lead, or a founder in a smaller team. The goal is to make it easy for people to raise questions rather than quietly make the wrong call.

Keep It Short and Communicate It Clearly

A 40-page document will not be read. A three-page policy covering approved tools, data handling rules, and escalation steps will be.[5]

Share it during onboarding. Revisit it every six months. The AI landscape changes quickly and your policy should keep pace.

The Window Is Still Open

The companies that build this framework now will not be in the headlines in 2027 for the wrong reasons. The ones that wait will.

You do not need a legal team or a six-month project to get started. You need a clear decision about what is acceptable, written down, and shared with your team. That alone closes the most serious gaps.

Start this week. Keep it simple. Build from there.

Sources

  1. McKinsey Global Institute (2024). The state of AI in 2024: GenAI adoption spikes and starts to generate value. mckinsey.com
  2. KPMG (2024). Generative AI in the workplace: employee views. kpmg.com
  3. OpenAI (2024). ChatGPT Enterprise: data privacy and security. openai.com
  4. World Intellectual Property Organization (2024). Generative AI and IP: key questions. wipo.int
  5. IBM Institute for Business Value (2024). AI governance: from principles to practice. ibm.com