Your staff are already using AI tools. Whether it is ChatGPT for drafting emails, an AI image generator for social media, or a browser extension that summarises documents, generative AI has entered most workplaces without a formal decision being made about it. The question is not whether your team uses AI. It is whether you have any control over how they use it, what data they put into it, and what risks that creates for your business. Consulting an AI governance policy specialist can help ensure you manage these challenges effectively.

Most SMEs do not have an AI policy. They do not need a 30-page governance framework either. What they need is a clear, practical set of rules that staff understand and that protects the business from the most common risks: data leakage, compliance failures, reputational damage and over-reliance on unverified outputs.

Here are ten points that cover what most SMEs need.

The 10-Point AI Acceptable Use Policy

1. Name the tools that are approved.

List the AI tools your business sanctions for work use. If you use Microsoft 365 Copilot or another enterprise AI product, make it clear that this is the approved option. Unapproved tools should require sign-off before use.

2. No sensitive data in public AI tools.

Staff must not enter client data, financial information, employee records, passwords, contract details or any personally identifiable information into public AI tools like ChatGPT, Gemini or Claude. These tools may store or use inputs for training unless enterprise agreements say otherwise.

3. All AI-generated content must be reviewed before use.

AI outputs can contain factual errors, fabricated references, outdated information or biased language. Any content generated by AI that will be sent externally, published, or used in a decision must be reviewed and verified by a human before it goes out.

4. AI must not be used for regulated decisions.

Do not use AI to make hiring decisions, assess employee performance, approve financial transactions or take any action that has legal or regulatory implications without explicit senior approval and legal review.

5. Declare AI use when required.

If a client, regulator or procurement process asks whether AI was used in producing work, staff must answer honestly. Misrepresenting AI-generated work as entirely human-produced creates reputational and contractual risk.

6. Do not install AI browser extensions or plugins without IT approval.

Many AI tools operate as browser extensions that can read page content, access email, and interact with cloud applications. These should go through the same approval process as any other software installation. This connects directly to your shadow IT controls.

7. Log AI tool usage for compliance.

Maintain a simple register of which AI tools are used, by whom, and for what purpose. This does not need to be complex. A shared spreadsheet reviewed quarterly is enough to maintain visibility.

8. Review supplier AI use.

If your suppliers or subcontractors use AI to process your data or deliver services, understand what tools they use and what data they access. Include AI use in your supplier security questionnaire.

9. Train staff on AI risks.

Include a short AI safety module in your security awareness programme. Staff should understand the data leakage risk, the accuracy limitations, and the importance of not trusting AI outputs without verification. If you use managed security awareness training, discuss adding AI-specific scenarios with your provider.

10. Review the policy every six months.

AI tools and capabilities change fast. A policy written today may not cover the tools your team is using in six months. Build in a scheduled review rather than treating it as a one-off document.

Why This Matters Even If You Do Not Sell AI Services

This is not about whether your business offers AI products. It is about whether your staff use AI tools in the course of their work, and the answer is almost certainly yes. Without a policy, you have no visibility into what data is leaving your organisation, no standard for quality control on AI-generated outputs, and no defence if something goes wrong.

The NCSC’s AI threat assessment highlights that AI is accelerating the speed and sophistication of cyber attacks, including phishing and social engineering. But the internal risk (staff pasting sensitive data into public AI tools) is just as real and far more common.

Make It Simple, Make It Visible

Print the 10 points. Pin them in the office. Include them in your onboarding pack. Refer to them in team meetings. A policy only works if people know it exists and understand why it matters.

If you want help drafting an AI acceptable use policy tailored to your business, or you want to review how AI tools interact with your Microsoft 365 environment, contact The Unite Group. We will help you put practical guardrails in place without slowing your team down.