Why you need one, even with three staff
Your team is already meeting AI whether you have a policy or not. In New Zealand, 97% of workers have heard of AI but only 34% can clearly explain what it is (Verian / MBIE worker survey, 2024). That gap between exposure and understanding is exactly where the risk lives: well-meaning staff pasting a customer's details into a free chatbot to draft an email, without knowing where that data goes.
A policy is not about slowing people down. It is about letting your team use these tools confidently because the lines are clear.
The five questions your policy must answer
Which tools are allowed?
A short, named list. Tools on the list have been checked: who owns them, where data goes, whether it trains on your inputs. Anything off-list needs a quick approval, not a workaround.
What data can go in?
The bright line: no customer personal, financial, or health information into tools that have not been checked and set up properly. Check each tool's data settings and turn off training on your inputs where the option exists. General drafting with no real names is fine almost anywhere.
What needs a human sign-off?
Anything a customer sees, anything involving money or pricing, anything legal or contractual. AI drafts. A person approves. This single rule prevents most of the stories that end up in the news.
Who owns this?
One named person approves new tools, reviews the list twice a year, and is the one staff ask when unsure. In a small business that is usually the owner, and that is fine. It just has to be written down.
What happens when something goes wrong?
Wrong message sent, wrong data pasted, weird output published. The rule: tell, do not hide. Fast disclosure turns most incidents into small ones. A policy that punishes honesty guarantees you find out late.
Two working rules you can steal
I run every one of my own businesses on two rules, and they transfer directly to any AI policy.
Nothing goes live without sign-off, and your data stays yours. Approval gates on anything that touches money, customers, or reputation, and a clear answer at all times to the question "which tools hold what data, under whose account".
Prove it small before you spend big. New tools get a small trial with an end date and a keep-or-kill decision. That applies to a chatbot as much as to a policy: start with one page, live with it for a quarter, then improve it.
A one-page starter policy
Adapt this freely. It is deliberately short enough that people will actually read it.
1. We use AI tools to work faster and better. Used well, they are encouraged.
2. Approved tools are listed below. Want something new? Ask [owner]. The answer is usually yes once we have checked it.
3. Never enter a customer's personal, financial, or health details into any tool not on the approved list. When in doubt, leave real names out.
4. Anything a customer will see, and anything about money, pricing, or legal matters, gets checked by a person before it goes out. No exceptions.
5. If something goes wrong, say so straight away. We fix problems, we do not punish honesty.
6. [Owner] keeps this list current and reviews this page every six months.
If you are a professional or regulated firm
One page covers a trade or retail business. If you hold client files, confidential information, or professional obligations, you need more: how AI use sits with your confidentiality duties, what your professional body and insurer expect, proper due diligence on any vendor touching client data, and a record of what was checked and when. The five questions above still form the spine. The depth of the answers changes.
This is also the area where independent advice earns its keep fastest, because the person helping you write the rules should not be the person selling you the tools the rules apply to.
Why take this from me
I advised clients on New Zealand projects for ten years, and I have run my own businesses on AI every day since 2022, six ventures in all. Every one of them runs on the two rules above: human sign-off on anything that matters, and a straight answer at all times on where the data lives. I test everything on my own money before I bring it to a client, and I sell advice, not tools, so nothing in this article is a pitch for software.
Common questions
Want your AI rules sorted properly?
The call is free. Guardrails are part of every AI Plan I write: which tools hold what data, what needs sign-off, and the rules your staff can actually follow. Independent, because I do not sell the tools the rules apply to.
Book a free call