
AI Usage Policy for UK SMEs: How to Write One Your Team Will Follow (2026)

[Image: AI usage policy for a UK SME shown as a one-page document with approved tools, banned data and acknowledgement tracking]

TL;DR: An AI usage policy tells your staff which AI tools they may use, what data must never go into them, and who checks the output. It matters because 61% of UK organisations now allow generative AI at work, yet only 31% have a formal policy (CIPD, 2025). Write one page, in plain English, and track who has read it.

Your staff already use AI. Deloitte puts it at 11 million UK people who have now used generative AI for work (Digital Consumer Trends, 2025). The only real question is whether they use it under rules you wrote, or under rules they made up themselves.

When I ran a digital workplace for 850+ staff across 20 countries at a healthcare group, the policies that worked were never the longest ones. They were the ones people had actually read, with a record to prove it. The ones that failed sat in a shared drive, perfectly written and perfectly invisible.

Key Takeaways

  • 61% of UK organisations allow generative AI at work, but only 31% built a formal policy in the past year (CIPD, 2025). That gap is where the risk lives.
  • An AI policy is not a legal requirement in the UK, but UK GDPR still applies to anything staff paste into a chatbot, and the ICO expects organisations using AI to manage it.
  • Banning AI does not work; it just hides the usage. Govern it instead: one page, approved tools, banned data, human review.
  • A policy only protects you if you can prove who has read the current version. Distribution and acknowledgement matter as much as the words.

What is an AI usage policy?

An AI usage policy is a short internal document that sets the rules for how your staff use AI tools at work. A good one answers four questions. Which tools are approved? What data must never go into them? Who checks AI output before it goes to a client? And what should staff do when something goes wrong?

It is not a technical document, and it is not an ethics essay. For a typical UK SME it fits on one or two pages. The audience is every employee, so it reads in plain English, not legal language.

It also cuts both ways. The policy protects the business from data leaks and bad output. It equally protects your people, because nobody gets blamed for using a tool the company never gave them rules for.

Is an AI policy a legal requirement in the UK?

No. There is no UK law that says a business must have an AI usage policy. But that answer misleads on its own, because the laws you already follow apply in full when staff use AI.

UK GDPR and the Data Protection Act 2018 govern any personal data your team pastes into a chatbot, exactly as they govern a spreadsheet. The ICO publishes detailed guidance on AI and data protection, including a risk toolkit, and notes the guidance is under review following the Data (Use and Access) Act 2025. Employment law and the Equality Act still apply if AI helps with hiring or appraisal decisions.

So the policy is not the legal duty itself. It is the practical evidence that you take those existing duties seriously. If a regulator, client or insurer ever asks how you control AI use, a dated policy with acknowledgement records is the answer.

Why does the AI policy gap matter?

Because usage has raced ahead of rules. The CIPD found 61% of UK organisations now allow generative AI for work tasks, yet only 31% developed a formal policy in the past year, up from just 16% the year before (Labour Market Outlook, 2025). Most firms opened the door and never wrote the house rules.

What fills that vacuum is shadow AI. Microsoft and LinkedIn’s global Work Trend Index found 78% of AI users bring their own tools to work, and 52% are reluctant to admit using AI for their most important tasks (Work Trend Index, 2024). IT managers describe having “the governance framework on paper” with “literally zero enforcement measures behind it”.

The pattern matches what I call the leaver problem in onboarding: the visible issue gets fixed, the silent one does not. A blocked website gets noticed. Client data quietly pasted into a free chatbot complains to no one.

[Image: Gap between UK organisations allowing AI at work and those with a formal AI usage policy, shown as two contrasting gauges]
Most UK firms allow AI. Fewer than a third put rules behind it. The gap is where shadow AI grows.

What does it cost to get this wrong?

Samsung found out publicly. In April 2023, staff leaked sensitive internal data, widely reported as source code, into ChatGPT. Samsung responded by banning generative AI tools on company devices from May 2023 while it built safeguards (TechCrunch, 2023).

The lesson for a UK SME is not “ban it like Samsung”. It is that the leak happened where no rules existed, and the ban was the expensive emergency response. A one-page policy and a do-not-paste list cost almost nothing. Cleaning up after client data has left the building costs trust, and possibly an ICO conversation.

For a 20-person firm the risk concentrates in the everyday cases. A proposal drafted in a free tool that trains on inputs. A spreadsheet of customer details summarised by a browser extension nobody vetted. None of it malicious; all of it invisible until it isn’t.

Should you ban AI, allow it freely, or govern it?

Govern it. Banning feels safe but fails in practice, because staff route around blocks on personal phones and home accounts, and the 52% who already hide their usage simply keep hiding it. A free-for-all avoids the conflict but accepts every risk silently.

Here is the practical difference:

| Factor | Ban AI | Free-for-all | Govern it (policy) |
|---|---|---|---|
| What staff do | Use it secretly on personal devices | Use anything, paste anything | Use approved tools, within rules |
| Data risk | Hidden and untracked | High and untracked | Reduced and visible |
| Audit question: "show me your AI controls" | A block list staff bypass | Nothing | A dated policy + acknowledgement records |
| Productivity | Lost, or pushed underground | Gained, with luck | Gained, on purpose |
| Trust signal to staff | "We don't trust you" | "We haven't thought about it" | "Here's how we do it safely" |

The CIPD numbers back this up: 25% of UK organisations still prohibit generative AI outright. They are not safer; they are just less informed about what their staff actually do.

What should an AI usage policy include?

Keep it to one or two pages with these sections. This is the whole skeleton; fill it in with your own tools and examples.

  • Purpose and scope. One paragraph: who it covers (everyone, including contractors) and why it exists.
  • Approved tools. Name them, with the account type. “ChatGPT on the company business plan” is a rule; “AI” is not.
  • Banned data. The do-not-paste list: client personal data, financials, credentials, anything under NDA. This is the most important section in the document.
  • Human review. AI output that reaches a client, a candidate or a regulator gets checked by a named human first.
  • Client disclosure. When you tell clients AI helped, and who decides.
  • Hiring and people decisions. AI never makes a final decision about a person. The Equality Act applies.
  • Incident reporting. What to do in the first hour after a mistake, blame-free, so people actually report.
  • Ownership and review. Who owns the policy and when it gets reviewed. Every six months is right for 2026.

[Image: One-page AI usage policy skeleton for a UK SME showing eight numbered sections from approved tools to review date]
The whole policy fits on a page. If it needs a contents table, nobody will read it.

How do you write a policy your team will actually follow?

Write it with your team, not at them. Ask each department which tools they already use and what for; the answers will surprise you, and the policy will be honest instead of theoretical. A rule that matches reality gets followed. A rule that pretends nobody uses AI gets ignored on day one.

Then keep the language human. “Never paste client names, addresses or account details into any AI tool” beats three paragraphs about data classification. Staff should be able to recall the three or four hard rules from memory.

Finally, pair the policy with training rather than just circulation. The CIPD found only 35% of UK employers provided AI training or support (2025). A short induction module in your LMS turns the document into behaviour, and slots naturally into new-starter onboarding.

How do you roll it out and keep it alive?

This is the step nearly every guide skips, and it is where policies die. A PDF emailed once, or parked in a shared drive, fails the only test that matters: can you prove, today, who has read the current version?

Treat the policy as a living document with a lifecycle. Publish it where your team already works, notify everyone it applies to, capture a read-and-understood acknowledgement from each person, and chase the stragglers automatically. When you revise it, archive the old version and repeat, so version one cannot circulate after version two exists.
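The lifecycle above (publish, notify, record a read-and-understood acknowledgement per person, chase stragglers, archive the old version) is easy to get subtly wrong: acknowledgements of version one must stop counting the moment version two exists. The register below is an added illustration of that rule, written for this article; it is not Claromentis code, and every staff name, date and policy text in it is constructed sample data. The content hash ties each acknowledgement to the exact wording the person read, which is what an auditor asks for.

```python
# Added illustration of the policy lifecycle: publish, record acknowledgements
# against the current version only, list stragglers, archive superseded versions.
# Not Claromentis code; staff names, dates and policy text are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
import hashlib


@dataclass
class PolicyVersion:
    number: int
    text: str
    published: date
    archived: bool = False

    @property
    def digest(self) -> str:
        # Content hash ties each acknowledgement to the exact wording read.
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()[:12]


class PolicyRegister:
    def __init__(self, staff):
        self.staff = set(staff)   # everyone the policy applies to
        self.versions = []        # oldest first; the last entry is current
        self.acks = {}            # (person, version number) -> date read

    def publish(self, text, published):
        # Archiving every earlier version means version one cannot keep
        # collecting acknowledgements after version two exists.
        for old in self.versions:
            old.archived = True
        version = PolicyVersion(len(self.versions) + 1, text, published)
        self.versions.append(version)
        return version

    @property
    def current(self):
        if not self.versions:
            raise LookupError("no policy published yet")
        return self.versions[-1]

    def acknowledge(self, person, version_number, on):
        if person not in self.staff:
            raise ValueError(f"{person} is not in scope of the policy")
        version = self.versions[version_number - 1]
        if version.archived:
            raise ValueError(f"version {version_number} is archived; read the current one")
        self.acks[(person, version_number)] = on

    def stragglers(self):
        # People who have not acknowledged the current version.
        n = self.current.number
        return sorted(p for p in self.staff if (p, n) not in self.acks)

    def acceptance_rate(self):
        return 1 - len(self.stragglers()) / len(self.staff)

    def reminders_due(self, today, grace_days=7):
        # Chase anyone still outstanding once the grace period has passed.
        if today < self.current.published + timedelta(days=grace_days):
            return []
        return self.stragglers()

    def audit_record(self):
        # The answer to "show me your AI controls": version, hash, who is outstanding.
        cur = self.current
        return {
            "version": cur.number,
            "digest": cur.digest,
            "published": cur.published.isoformat(),
            "acceptance_rate": round(self.acceptance_rate(), 2),
            "outstanding": self.stragglers(),
        }


def demo():
    # Constructed sample data: a four-person firm and two policy versions.
    reg = PolicyRegister(["ana", "ben", "cleo", "dev"])
    reg.publish("v1: approved tools, do-not-paste list, human review", date(2026, 1, 5))
    reg.acknowledge("ana", 1, date(2026, 1, 6))
    reg.acknowledge("ben", 1, date(2026, 1, 7))
    # Six-month review produces version two; earlier acknowledgements no longer count.
    reg.publish("v2: adds client disclosure and incident reporting", date(2026, 7, 6))
    reg.acknowledge("cleo", 2, date(2026, 7, 7))
    return reg


if __name__ == "__main__":
    register = demo()
    print(register.audit_record())
    print("reminders due:", register.reminders_due(date(2026, 7, 20)))
```

After the second publish, only cleo counts as having read the current version, so the acceptance rate drops to 25% and ana, ben and dev are chased once the seven-day grace period has passed; an attempt to acknowledge the archived version one is refused rather than silently recorded.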

This is exactly what a policy manager inside your intranet does. The AI Policy Manager in the Claromentis platform runs the full lifecycle: approval workflow, version control, distribution with mandatory acknowledgements, automatic reminders, and an audit trail of who viewed and accepted each policy. Two AI touches help here, and it pays to be precise about them. Staff can ask the built-in assistant a plain-English question and get an answer from your actual policy text. Nobody has to read twenty-odd pages to find one rule. And anyone can find the current version from the main intranet search. It surfaces a plain answer, points to the policy it drew from, and shows each person only what their permissions allow. Acceptance-rate reports keep the audit answer a two-click job, the discipline that makes a digital workplace more than a document dump.

[Image: Policy manager dashboard tracking which employees have read and accepted the AI usage policy, with acceptance rates and reminders]
The policy is the words. The protection is the record of who has read them.

Should UK SMEs write an AI usage policy in 2026?

Yes, and this is the year it stops being optional in practice. With 35% of UK SMEs now actively using AI, up from 25% in 2024 (British Chambers of Commerce, 2025), clients, insurers and auditors have started asking the “show me your AI controls” question of small firms, not just enterprises.

The good news: this is a one-afternoon job, not a transformation programme. Draft the eight sections above, sense-check them with your team, publish with acknowledgement tracking, and book the six-month review. Done properly once, it runs itself.

Frequently Asked Questions

What is an AI usage policy?

An AI usage policy is a short internal document that sets the rules for using AI tools at work. It names the approved tools, lists the data staff must never enter into them, requires human review of AI output, and explains how to report mistakes. For most UK SMEs it fits on one or two pages.

Is an AI usage policy a legal requirement in the UK?

No law requires one. But UK GDPR and the Data Protection Act 2018 fully apply to personal data staff put into AI tools, and the ICO publishes guidance and a risk toolkit for AI use. A dated policy with acknowledgement records is the practical evidence that you meet those existing duties.

Should a business just ban AI tools instead?

Bans rarely work. Microsoft’s research found 78% of AI users bring their own tools to work and 52% hide their use, so a ban pushes usage underground rather than stopping it. Governing AI with approved tools and a do-not-paste list keeps the productivity and removes the secrecy.

What data should staff never paste into an AI tool?

Client and employee personal data, financial records, login credentials, unreleased commercial information, and anything covered by an NDA. The safest rule of thumb: if you would not email it to a stranger, do not paste it into a chatbot, unless the tool is on your approved list with a business agreement behind it.

How do you distribute the policy and prove people have read it?

Distribute it through a system that captures read-and-understood acknowledgements, not by email. A policy manager inside your intranet notifies every relevant person, records who has viewed and accepted each version, chases non-readers automatically, and reports acceptance rates, which is precisely the evidence an auditor or insurer asks for.

The bottom line for UK SMEs

Your team is already using AI; the 11 million figure says so. The choice is not whether AI enters your business. It is whether it enters under one page of clear rules with a record behind it, or through personal accounts you cannot see.

Write the page. Make the do-not-paste list memorable. Publish it where people work, track the acknowledgements, and review it every six months. That is the whole job, and it is days of effort cheaper than explaining a leak.

[Image: Invitation to try a free 30-day Claromentis demo playground with the AI Policy Manager live for publishing and tracking an AI usage policy]
Publish a real policy and watch the acknowledgements arrive before you decide.

Want the rollout half solved before you start? We’ll set up a free 30-day Claromentis demo playground with the AI Policy Manager live, so you can publish a real policy, track real acknowledgements, and see the audit trail for yourself.
