We write your AI usage policy with the people who actually use the tools, in one page they can read and edit when reality changes. Clear rules on what's allowed, what needs approval, what's off-limits — per tool and per data class. Owned by a named person, reviewed monthly. This is an operating document, not legal advice, employment policy, or a template to copy-paste.
Common pain points
Your team is already using AI tools daily, and you don't have a written rule on what data is acceptable in which tool.
Somebody drafted a policy six months ago, but nobody on the team has read it.
New AI tools show up in conversations every week, and there's no consistent answer on what needs approval.
Templates downloaded from policy sites use enterprise vocabulary that doesn't fit a 30-person team.
The policy and the actual day-to-day rules drift apart — the policy says one thing, the team does another.
Leadership wants a clear rule everyone can follow, without a legal team to write or maintain it.
An AI usage policy is an operating document, not a legal one. It tells your team what AI use is allowed, what needs approval, and what's off-limits — per tool and per data class — in language they understand. We write the policy with the people who use the tools, keep it to one page, and set up a monthly review so it stays current. The policy works alongside the AI tool inventory and approval flow — the rules apply to whatever the approval flow allows in. We're not lawyers. We don't draft employment policy or interpret privacy law. If your team needs that work, we'll say so on the call and point you to a specialist. This is the operating document your team will use.
What we deliver
Area 1
We run a working session with the people who use AI tools day to day, not just the leadership team. We map what they use, what data they touch, what they wish was clearer. The policy gets written from this conversation, not from a template.
Area 2
We write a policy that fits on one page. For each AI use case category, the policy names what's allowed without approval, what needs approval (and from whom), and what's off-limits. No legal vocabulary, no 30 footnotes.
Area 3
The policy is concrete: which tools (ChatGPT, Claude, Gemini, others) are acceptable for which data classes (public, internal, customer, secret). Rules are tool-specific because that's where reality lives, not abstract data classification frameworks.
Area 4
Every section of the policy has a named owner who can edit it. The policy lives in your team's existing tool (Notion, Confluence, Google Docs, whatever you already use), not in a PDF email attachment that nobody opens.
Area 5
We set up a 30-minute monthly review where the named owner walks through exceptions raised that month, new tools the team adopted, and rules that need updating. The policy stays current because the review is on the calendar.
Area 6
By the end of the engagement, your team has written rules in their own voice, understands why each rule exists, and runs the monthly review without us. No retainer, no permanent dependency.
Your team has one written page they can read in five minutes and reference when they're unsure.
The data class rules are concrete: what goes into ChatGPT, what goes into Claude, what does not go into either.
New tool requests get a consistent answer instead of being approved by whoever is asked first.
The policy stays current because someone owns it and reviews it monthly.
New hires get an onboarding document that fits in their first-day reading.
The team uses the policy because it was written with them, not for them.
One page. Sometimes one page plus a per-tool data class sheet. We don't deliver 60-page binders. If the policy doesn't fit on one page that someone can read in five minutes, it won't get used.
No. We start from your team's current AI use. Templates use enterprise vocabulary that doesn't match a 30-person team, and the policy that gets written from a template usually sits unread. We write the policy from the working session with your team.
No. This is an internal operating document — guidance for how your team uses AI tools day to day. It is not an employment law document, an HR policy template, or a labor-law-leaning agreement. If you need that work, you need an employment lawyer; we'll say so and point you to one.
No. We don't interpret law, opine on liability, or certify compliance against any framework. The policy is internal operating guidance. If you need formal legal review or compliance work, we'll tell you in the call and recommend a specialist.
We reference regulation only as context for awareness, not as a service promise. We do not interpret GDPR, implement EU AI Act requirements, or certify compliance. If your situation needs formal legal or privacy work, we'll say so and point you to a specialist.
Legal advice, employment law interpretation, GDPR or EU AI Act formal compliance work, cybersecurity audits, privacy impact assessments, AI model development, or enterprise GRC platform implementation. We do one thing: write an operating policy your team uses, with the people who use AI today.
We help your B2B team set up the operating rules, tool inventory, approval flow, and data handling rules you actually need to use AI safely — written with th…
Read moreKnow what's running, not a governance platformWe map every AI tool your team is actually using — including the ones leadership doesn't know about — and set up a lightweight approval flow for new tools an…
Read moreBook a call to scope your AI usage policy work. We'll talk through how your team is using AI today, what data classes are in play, and what rules will fit how the team actually works. If you need formal legal or HR work instead, we'll tell you and recommend a specialist.
Book a call