Home / Blog / Responsible AI

Responsible AI

A responsible AI policy your team can copy today

By Morgan DeBaunMay 20, 20267 min read

A responsible AI policy for work is a short set of rules that says what your team can put into AI tools, what has to be checked before it ships, and who signs off on the risky stuff. You do not need a legal document. You need one page that answers five questions: what to disclose, what data is off limits, what to verify, what needs approval, and which tools are allowed. Below is a version you can copy today and adapt by dinner.

Most small teams skip this because "policy" sounds like something a 500-person company writes. Then someone pastes a client contract into a random chatbot, or ships a blog post with a made-up statistic, and suddenly the rules would have been cheaper than the cleanup.

What should a small business AI policy cover?

Long policies get ignored. The trick is to cover only the decisions your team makes every week, and to make each rule a sentence a busy person can remember without rereading it.

Five areas cover almost everything that goes wrong:

  • Disclosure: when a human needs to know AI was involved
  • Data: what you never paste into a tool
  • Verification: what gets fact-checked before it leaves the building
  • Approval: who signs off on money, promises, and public voice
  • Tools: which named tools are approved, so people stop pasting into whatever is open in a browser tab

Here is the whole thing in one callout. Copy it, change the bracketed parts, and you have a policy.

That is the policy. The rest of this post is how to roll it out without it becoming a document nobody opens again.

How do you roll out an AI policy in a week?

A design shop I'll call Meridian has four people: the owner, two designers, and a part-time operations hire. They were all using AI, none the same way, and nobody had said a word about rules. The owner got nervous after a designer nearly sent a proposal with a competitor's client name still in the AI-generated draft. Recycled prompt, wrong details. Caught it by luck.

She rolled the policy out in five days. Here is the schedule she used.

DayMoveTime
MondayPaste the 5 rules into a shared doc, fill in the brackets30 min
Tuesday20-minute team call, read it out loud, take questions20 min
WednesdayEveryone lists the AI tools they currently use15 min
ThursdayPick the 2 or 3 approved tools, retire the rest20 min
FridayAdd the doc link to onboarding and the team wiki10 min

Total hands-on time was under two hours across the week. The Tuesday call did most of the work, because that is where the operations hire admitted she had been pasting invoices into a free tool to reformat them. Invoices have client names, addresses, and amounts on them. That is exactly the data the second rule is about.

Nobody's week got wrecked. And the one conversation about invoices was worth the whole exercise.

What does the disclosure rule really mean day to day?

Disclosure trips people up because they think it means slapping "written by AI" on everything. It does not. It means a human owns the final version and stands behind it.

A designer who uses AI to outline a client presentation does not need a disclaimer. She read it, fixed it, and put her judgment on top. A different case: emailing a client an AI-drafted strategy recommendation you never read is the problem, because now the client is trusting thinking that no human on your team has checked.

The line is ownership, not authorship. Ask one question before anything ships: did a real person read this and would they defend every line of it. If yes, you are fine. If no, it is not ready.

How do the approval gates keep you out of trouble?

The fourth rule is the one that saves money, so it is worth being specific. Three categories should never go out on AI's say-so alone.

Pricing is first. An AI assistant quoting an old rate can cost you real revenue, and if a customer acts on the quote, you often have to honor it. Second is promises: turnaround times, deliverables, guarantees. AI is confident and will invent a two-day turnaround you cannot hit. Third is public voice: the posts, captions, and campaigns with your brand on them.

For each, name one person who approves it. Not a committee. One human who reads it and says go. If you are handing these tasks to tools that act on their own, tighten it further with real guardrails for your AI agents before anything reaches a customer. And if you want the deeper thinking on why people belong at specific spots in each workflow, human-centered AI walks through exactly which tasks a person should own.

The verification rule pairs with this one. Approval catches judgment calls, and verification catches facts. You want both, because a beautifully approved post with a fake statistic in it still embarrasses you. There is a full method for that in how to fact-check AI before you publish.

Rolling this out is easier when you are not writing every template from scratch. The 100+ templates inside the WorkSmart OS include policy and SOP starters you can adapt in an afternoon, plus monthly trainings on how other owners handle the same approval calls.

A one-page policy people remember beats a ten-page one they signed and forgot.

Do this next

Open a blank doc, paste the five rules from the callout, and fill in your two or three approved tools and the name of the person who approves pricing. That is a working policy, and you can finish it in the next twenty minutes. The WorkSmart OS gives you the SOP and policy templates plus monthly AI trainings, so you can pressure-test your version against how owners at your stage run theirs.

FAQ

Do I need a written AI policy if it is just me?

Yes, a short one. Even solo, a written rule stops you from pasting a client's private data into a tool at 11pm because you were moving fast. It also becomes the training doc the day you hire your first contractor, so writing it now saves you the conversation later.

What is the single most important rule to start with?

The data rule. A disclosure slip is awkward, but pasting client identifying information, passwords, or unreleased financials into a consumer tool is the mistake that can genuinely harm a client and your reputation. Lock that one down first, then add the others.

How often should I update the policy?

Review it when you add a new tool or hire someone, and otherwise every quarter for fifteen minutes. Tools change and your team's habits drift, so a short check keeps the approved-tool list honest. The five areas rarely change. The specifics inside them do.

Will an AI policy slow my team down?

Barely, if it is one page. Most of the rules are things a careful person already does. The verification and approval steps add minutes to risky work and nothing to routine work, which is the trade you want.

Share this

The shortcut

Stop learning this alone.

The WorkSmart OS gives you the full video course, live monthly calls with Morgan, 17 AI tools, every prompt pack and 100+ templates. One system instead of a hundred open tabs.

Join the WorkSmart OS $399/yr best value · or $49.99/mo

Keep reading