AI Governance / Policy Template

An AI policy your team will actually read

Most AI policies fail because nobody reads them. This one fits on a page, uses plain English, and covers the rules that matter most for businesses under 500 employees.

Reviewed by Level Up Automate.
TL;DR
  • A useful AI policy fits on one page, names approved tools, and tells staff what data is off-limits.

  • It should be reviewed quarterly — not bolted to the wall and forgotten.

  • Adapt the template below by changing the bracketed sections; you do not need a lawyer to start.

What an AI policy actually is

An AI policy is a short document that tells your team how to use AI tools at work. It answers three questions: which tools are approved, what data may go into them, and which outputs need a human to review before they are used.

That's the whole point. It is not a legal contract, a risk-acceptance form, or a compliance artifact for the sake of compliance. It exists so your staff can use AI confidently, and so you can show a customer, partner, or insurer that AI use at your company is intentional and supervised.

The starter template (copy this and edit the brackets)

Below is the structure. Replace anything in brackets. Aim to keep the entire document under 600 words.

  • Header: Company AI Use Policy. Effective date: [date]. Owner: [your name]. Next review: [3 months from today].
  • Section 1 — Why we have this: 'AI tools can make our work faster and better. They also create new risks for client data, accuracy, and the quality of what we produce. This policy exists so the team can use AI well without surprising themselves or our clients.'
  • Section 2 — Approved tools: List by name and plan tier, because consumer and business tiers of the same product often differ in how prompts are retained and whether they can be used for training. Examples: 'ChatGPT (paid Team plan), Anthropic's Claude (Team or Pro plan), Microsoft Copilot in our Office tenant, Claude Code or GitHub Copilot for engineering, [other approved tools].' Anything not on this list requires approval from [owner role] before use.
  • Section 3 — What you cannot put into AI tools: '[Specific examples for your business: client names, account numbers, PHI, source code, passwords or API keys, salary information, anything labeled Confidential.]' Tie this to whatever data labels you already use; if you have none, the examples in the list are the rule.
  • Section 4 — What requires a human review: 'Anything that goes to a client, partner, or regulator. AI may help draft, but a person on our team reads it before it leaves the company.'
  • Section 5 — Personal AI tools: '[Choose: allowed for personal use on personal devices / not for any work content / allowed only for non-confidential brainstorming.]' Be specific.
  • Section 6 — When in doubt, ask: 'Email [contact] before pasting it in. We will respond within one business day. Asking is never penalized.'
  • Section 7 — Review cadence: 'This policy is reviewed every 3 months for the first year, then annually. Last reviewed: [date].'

What to leave out (on purpose)

Resist the urge to add legal language, definitions of every AI term, or detailed risk taxonomies. They make the document longer and less likely to be read. The whole goal is a document your bookkeeper, your sales rep, and your warehouse manager can all read in 5 minutes and remember.

If you operate in a regulated industry (healthcare, finance, legal), you may eventually need a longer policy that maps to specific regulations. Get the one-pager working first. Add the longer version later, with the one-pager as the front.

How to roll it out

Send it. Hold a 30-minute meeting. Have everyone sign or e-sign it. Put it on the same intranet page as your handbook.

The single most important thing is the meeting. People follow policies they've heard their boss talk through. They ignore policies that show up in an attachment.

After rollout, the policy lives or dies on the quarterly review. Put a recurring 30-minute meeting on the calendar. If you skip it for two quarters in a row, the policy is a fiction — and your governance is back to zero.

Common questions

Plain-English answers

Do I need a lawyer to review this?
Not for the one-pager, in most industries. If you're in healthcare, finance, legal, or you handle EU/UK personal data at scale, a 30-minute review by counsel is worth it before you finalize. For most small businesses, the template alone is a meaningful improvement on no policy.
What if my team uses dozens of AI tools?
Cut the list to the ones that are official. The point of an approved-tools list is to limit what you have to govern. If sales wants a new tool, that's a 5-minute conversation; if they're already using six, the list isn't doing its job.
Should I have employees sign it?
Yes, ideally. A signature is not a legal silver bullet, but it makes employees pay attention and it gives you an audit trail. Most HR systems can route this in 30 seconds.
Can I get this template as a Word doc?
We hand it over as a Word doc on the first call when you book a scoping conversation. Most clients have it customized and rolled out within 10 business days.
Next step

Want a hand getting this right?

A 30-minute conversation often saves weeks of guessing. We'll talk through your team, your data, and what to do first — no slide deck required.