
How to write an AI policy in 60 minutes: a template-led walkthrough

AI policies have a reputation for being long, expensive and ignored. None of those are necessary. A working AI policy for an Australian SMB fits on one page, takes 60 minutes to write if you follow a template, and gets followed because it is short enough to remember. Here is the template-led walkthrough.

Why one page and 60 minutes

The single biggest predictor of whether an SMB AI policy works is whether staff can summarise it in their own words after the training session. A one-page policy that fits in working memory gets followed. A 30-page enterprise template gets signed and forgotten.

Sixty minutes is the right time budget because beyond that, the marginal additions are usually theoretical edge cases that dilute the policy without adding real coverage. If you cannot write a working policy in an hour, you are probably adding things that should not be in it.

The six-section template

Section 1: Approved AI tools (10 minutes)

List the tools by name. Be specific:

  • Claude.ai Teams (for general work)
  • Claude Code (for engineering work)
  • ChatGPT Plus (for the named seats only)
  • Microsoft 365 Copilot (if you have it)
  • The specific custom builds your team uses

Anything not on this list is not approved for work data without explicit sign-off. State that explicitly.

Section 2: Data categories (15 minutes)

Two columns:

  • Green-light data: general business questions, public marketing copy, internal SOPs, public-domain reference material, drafts of communications.
  • Red-light data: customer personal information, financial information about identifiable individuals, anything covered by NDAs, anything covered by client confidentiality, source code if engagement contracts restrict it, anything classified by your internal data scheme as restricted.

A binary list is easier to remember than a nuanced one. Skip the yellow column.

Section 3: Customer / client data and cross-border (10 minutes)

One paragraph stating the answer to: where is data being processed (Anthropic publishes this for Claude.ai Teams and Enterprise), is it used to train general-purpose models (it is not for Teams/Enterprise), and how long is it retained. State the answer once so staff do not have to ask IT every time.

If your business has specific APP 8 cross-border considerations, address them in one or two sentences.

Section 4: IP ownership (5 minutes)

One sentence: the company owns AI-generated content created by employees in the course of their work, the same way it owns non-AI work. Contractors should sign equivalent terms before getting access. Done.

Section 5: Training requirement (10 minutes)

State the training requirement explicitly. Mandatory 15-30 minutes covering this policy, the approved tools and the data handling rules. Build it into onboarding for new staff. Annual refresher for existing staff. Name the person who delivers and tracks the training.

Section 6: Breach reporting (10 minutes)

One paragraph. If a staff member suspects a breach (data put into the wrong tool, an AI output containing information that should not have been disclosed, a vendor incident), they report it to [named person] within [24 / 48] hours. Briefly describe what happens next - investigation, the relevant external reporting under the Notifiable Data Breaches scheme if applicable, remediation.

Sign-off and rollout

Three signatures: owner / CEO, IT lead, legal advisor (where applicable). For most SMBs that is two or three people - more is unnecessary and slows the work down.

Once signed, the policy goes out alongside the licence rollout. Mandatory 15-30 minute training before any first AI use on company data. Tick-box acknowledgement that staff have read and understood. The policy lives somewhere obvious (intranet, shared drive, etc.) where staff can re-read it any time.

Annual review

Same three signatories revisit the policy annually. Out-of-cycle updates when something material changes - a new approved tool, a new category of data, a regulatory change. Most SMB policies need real updates twice in their first two years and then once a year thereafter.

Common mistakes to avoid

  • Copying an enterprise template. Long, generic, unmemorable. Write your own from the template above.
  • Listing tools by category rather than by name. “Approved LLM products” is not specific enough; staff need to know which products specifically.
  • Skipping training. The single highest-leverage governance investment is the 15-30 minute training, not the policy itself.
  • Putting the policy out after rollout. Write and sign off before licences land. Always.
  • Theoretical edge cases. If a scenario has never happened and is unlikely, leave it out. The policy is shorter and stronger.

How XLev helps

For SMBs that want a working policy as part of an AI implementation engagement, we draft it during the strategy workshop and sign-off lands inside the first two weeks of the rollout. The template above is what we use. The policy is yours to own and maintain after we hand over.

Book a free 30-minute discovery call via the Contact page.

Frequently asked questions

Why one page and 60 minutes?

Because longer policies do not get read or followed. The single biggest predictor of whether an SMB AI policy works is whether the team can remember it. A one-page policy that staff can summarise in their own words after the training session is a working policy. A 30-page policy copied from an enterprise template, signed once and forgotten, is policy theatre.

What are the six sections?

First: which AI tools are approved for company use (named, specific). Second: what data can and cannot go into each tool (binary green-light/red-light list). Third: how customer or client data is handled, including cross-border. Fourth: who owns AI-generated IP. Fifth: what training is required before access (15-30 minutes minimum). Sixth: how to report a suspected breach or misuse.

What should we leave out?

Enterprise-flavoured generic language. References to frameworks you do not actually use (NIST AI RMF and ISO/IEC 42001 are useful as references but should not bulk out the policy). Long lists of theoretical risk categories the team will never encounter. Detailed escalation procedures for incidents that have never happened. The policy gets longer with every theoretical edge case; it should be designed around the cases that actually occur.

Who needs to sign off?

The owner / CEO always. The IT lead or external IT partner if you have one. The firm's legal advisor or external solicitor if you handle regulated or sensitive data. For most SMBs, that is two or three signatures - more is unnecessary and slows the work down. Larger organisations add a risk officer; regulated industries add the relevant compliance officer.

How often should we update it?

Annual review with the same three signatories. Out-of-cycle updates when something material changes - a new approved tool, a new category of data being handled, a regulatory change worth reflecting. Most SMB AI policies need real updates twice in their first two years and then once a year thereafter.
