DESK · THEORY
Workflow · Intermediate · June 2, 2026 · 7 min read

An AI usage policy your team will actually follow (with template)

A one-page AI policy, short enough that people actually read and remember it, that tells your team the approved tool, the data rule, and the one hard line, with a copy-paste template to start from.

What you'll have when you're done

A one-page AI usage policy in your hands, drafted from a template and tuned to your company, that your team will actually follow because it is short, concrete, and tied to a real sanctioned tool. It is not a legal document that lives unread in a wiki but a practical rule that fits on a screen and answers the questions people actually have: which tool, what data, what's off-limits, who to ask.

A policy nobody reads is not a policy

Most company AI policies fail in one of two ways. Either there is no policy (so people improvise, which means shadow AI), or there is a 30-page legal document that nobody read past the first paragraph (so people improvise anyway). Length is the enemy here. A policy works only if your team can hold it in their head while they work. I have been guilty of the second failure mode: I once "solved" AI governance by forwarding a dense vendor terms document to the team and considering the matter closed. Nobody read it. I am not sure I read all of it. The result was identical to having no policy, except I felt covered, which is the most dangerous state of all, because it stops you from doing the thing that would actually work.

The fix is a one-pager built on two things you have already done: the green-yellow-red data rule and the sanctioned business-tier tool you set up. A policy without a sanctioned tool is just a "no," which drives usage underground; a policy with one is a "yes, here's how." AI can draft the first version in seconds, then a human (you, ideally with a quick legal check) makes it real.

What you need first

Step-by-step

Step 1: Start from the one-page template

Here is the skeleton. Copy it, then customize:

[Company] AI Usage Policy

1. Approved tool: Use [your business-tier tool] for work. It's on a business plan,
   so it does not train on our data. Don't use personal AI accounts for company work.

2. The data rule (green / yellow / red):
   - GREEN (public/already-shared info): fine to use anywhere.
   - YELLOW (internal, not sensitive): fine in the approved tool; de-identify elsewhere.
   - RED (customer or employee data, financials, secrets, anything under NDA):
     approved tool only, never a personal account. If unsure, treat it as red.

3. The one hard line: no company data in personal/free AI accounts. Ever.

4. Questions? Ask [name/channel]. No judgment, we'd rather you ask.

5. We review this quarterly as tools change.

Step 2: Have AI draft your customized version

Drop the template into a Project with your specifics and ask it to tailor the language to your company and tone. Keep it to one page: the moment it grows past a screen, you have lost the people you are writing it for.

Here is the skeleton filled in, illustrative, for a 40-person B2B SaaS company:

Northwind AI Policy

  1. Approved tool: Claude Team, log in with your Northwind Google account. It runs on a business plan and does not train on our data. Do not use personal ChatGPT or Claude for Northwind work.
  2. The data rule:
    • GREEN (public, like our website or blog): anywhere is fine.
    • YELLOW (internal but not sensitive, like process docs): Claude Team, or de-identify before using anything else.
    • RED (customer data, the financial model, employee info, anything under a customer NDA): Claude Team only, never a personal account.
  3. The hard line: no Northwind data in personal or free AI. Ever.
  4. Questions? Post in #ai-help, or ask Priya (CTO). Genuinely no judgment, we would much rather you ask.
  5. We review this the first Monday of each quarter.

Notice it names the actual tool, the actual login method, and a real person to ask. That specificity is the difference between a policy and a poster. A new hire can read it in a minute and know exactly what to do on day one.

Step 3: Get a human (and ideally counsel) to finalize

A human edits the draft for your reality, and if you are in a regulated industry or have specific compliance obligations, a quick legal review is worth it. The AI gets you a strong first draft in seconds; the judgment about your specific obligations is human.

Step 4: Tie it to the real enforcement mechanism

The policy works because it points at a real, better, sanctioned tool, not because of an honor system. The enforcement is the business account everyone uses; the policy just names the rule. A policy with no sanctioned tool behind it is a wish, not a rule.

Step 5: Ship it short and review it quarterly

Send the one-pager, point people at the named contact, and put a quarterly reminder to revisit it (the tools change fast). Short and current beats comprehensive and stale every time.

Day one matters more than the document. A policy emailed once and never mentioned again gets the engagement an emailed PDF deserves: none. The rollout that sticks is small and human: post the one-pager in your main channel with a two-line note from you ("we now have a real, safe AI tool, here's how we use it"), pin it, walk through it for five minutes in the next all-hands, and add it to onboarding so every new hire meets it on their first day. Then, crucially, model it: when you reference using the approved tool in your own work, the policy stops being a rule imposed on the team and becomes how the company actually operates. The goal is not that people have read it. It is that they would know the answer without rereading it.

How you'll know it's working

People actually follow it, because they read it (it is one page) and there is a real tool behind it. New hires understand the AI rules on day one. And the "what AI tools are you using?" question gets the answer "the one in the policy" instead of a list of personal accounts.

When it breaks

Make it yours. A regulated business needs an extra line or two (a pointer to the compliance rules that govern your data, a note on which categories are off-limits even on the business tier) and a real legal review. A small, low-regulation startup can ship the template nearly as-is the same afternoon. Either way, write it in your company's actual voice, not legalese, because the policy people follow is the one that sounds like the people who wrote it, not like a contract.

Where this fits in your harness

This is the artifact that locks in AI governance: it codifies the data rule and points at the sanctioned tool. Together these three close the shadow AI gap. A clear policy is also a prerequisite for rolling out AI to a non-technical team: you set the data rule on day one so the rollout is safe from the start.
