A simple AI policy for your small business
You don't need a legal team to write a small business AI policy. The usable version is one page: approved tools, data redlines, who to ask, and a human on client-facing work.
In short
A small business AI policy is one page, not an enterprise framework: name your approved tools, list what never gets pasted in, say who to ask, and require a human to review client-facing work.
- Your people are almost certainly already using AI; a short policy makes that visible and safe instead of hidden.
- The risk doesn't scale down with headcount. One employee pasting a client's financials into a free chatbot is the same exposure at five people as at five thousand.
- Pair the page with a little training so people know why the redlines exist, and it actually gets followed.
Why a small business AI policy matters now
Here's the reality a small business AI policy is responding to: your team is already using AI, and almost nobody wrote down how. The JPMorganChase Institute, looking at transaction data from millions of business accounts, found small-business AI adoption roughly tripled in two years, from 5.2% in 2023 to 17.7% by the end of 2025, and higher among employer firms. Meanwhile Cyberhaven, analyzing 1.6 million workers, found 8.6% had pasted company data into ChatGPT and 11% of what they pasted was classified as confidential. Put those together and the gap is obvious: usage is climbing fast and the rules aren't there. A small business AI policy closes that gap, and the good news is it takes an afternoon, not a legal department.
The point isn't to police anyone. It's to make AI use visible and safe so your team can say yes to it confidently, which means the policy has to be short enough that people actually read it.
What a small business AI policy needs, in six lines
The risk doesn't scale down with headcount. One employee pasting a client's financials into a free chatbot is the same exposure at five people as at five thousand, except the small business has no legal team to absorb the fallout. The page itself is six lines:
- The approved tools, named on their business tiers.
- A redline list of what never gets pasted in.
- One named person to ask on gray-area cases.
- A rule that a human reviews anything client-facing.
- When you'll update it.
- A plain statement that the policy exists to enable people, not police them.
"Isn't a written policy overkill for a small team?"
The strongest pushback is fair: most AI-governance advice is built for companies with compliance departments, and a five-person shop genuinely can't run an enterprise framework. The objection is right about enterprise frameworks and wrong about the one-pager. The exposure doesn't shrink with the team, and a small business is the one with no legal department to clean up after a leak. Pacific AI's 2025 governance survey found only 36% of small firms have any dedicated AI governance role and just 29% monitor their AI use, so most small businesses are running on nothing. The fix isn't bureaucracy; it's a single page that makes AI use visible, predictable, and safe enough to grow, which is the opposite of overhead. A short policy is what lets a small team say yes to AI without guessing, and it's distinct from the full framework in our how to set an AI policy guide, which is built for bigger orgs.
Name the tools and redlines, then teach the why
A policy people don't understand is a policy people route around. Naming the approved tools and the data redlines only works if your team knows why those lines are there: what 'business tier' actually changes, why a free chatbot is different, and what counts as confidential in your specific business. That's why the one page pairs best with a little AI literacy: not a training program, just enough for people to recognize a redline and a hallucination on their own. The owner-context version of this lives on our AI for small business page. Get the pairing right and the policy stops being a document nobody reads and becomes the thing that lets you treat AI as a real capability the business is choosing to enable, on purpose, with the guardrails written down.
Common questions
Does a small business really need an AI policy?
Yes, because your team is almost certainly already using AI and the risk doesn't scale down with headcount. One person pasting a client's financials into a free chatbot is the same exposure at five people as at five thousand, and the small business has no legal team to absorb it. The fix isn't an enterprise framework; it's a one-page policy you can write in an afternoon.
What should a small business AI policy include?
Six lines: your approved tools named on their business tiers, a redline list of what never gets pasted in, one named person to ask on gray-area cases, a rule that a human reviews anything client-facing, when you'll update it, and a plain statement that the policy exists to enable people, not police them. You can draft the first version with our AI policy generator.
What should employees never put into AI tools?
Customer personal data; anything that combines a client's name with financial, health, or legal detail; employee records and salaries; passwords, API keys, and other credentials; and unreleased financials or contracts. The simplest rule of thumb: if you'd hesitate to email it to a stranger, don't paste it into a public AI tool. For sensitive work that isn't on the redline list, use the paid business tier of an approved tool: those tiers typically commit not to train on your inputs and give you retention controls, which a free consumer account does not. The redlines still apply on a business tier; the tier changes the data-handling terms, not what is safe to share.
How long should a small business AI policy be?
One page. The strongest versions are short enough to read in one sitting and specific to your business. A long, generic policy gets filed and ignored. Pair the page with a little training so people understand why the redlines exist, and it actually gets followed.
A policy your team will actually follow
Candova pairs your one-page AI policy with hands-on training, so your people know why the redlines exist and can use AI confidently inside them.
Written by
Rich Hornstein
CFO & General Counsel of Candova
Rich is a CPA and an attorney with more than 25 years in finance and law at high-growth technology companies. He led Quotient Technology (formerly Coupons.com) through its roughly billion-dollar IPO as both CFO and General Counsel, and held finance and legal leadership roles at companies including McAfee and LogLogic before joining Study.com and Candova.