Compliance & governance
The one-page AI policy every UK firm should have
Your team is already using AI. A one-page policy turns that from a quiet risk into something you control. Here’s the template, and the five blanks to fill in.
June 2026 · 5 min read
The short version
- Your staff are already using AI. A one-page policy makes that safe instead of risky.
- It answers three questions: which tools, what data, and when a human checks.
- Copy the template below, fill in five blanks, and you’re ahead of most firms.
Most AI risk in a small business isn’t exotic. It’s someone pasting a client’s details into a free chatbot to “save time”, with no idea whether the tool keeps that text or trains on it. A one-page policy addresses that without banning the tools people find genuinely useful.
Why one page?
Because a twenty-page policy doesn’t get read, and an unread policy protects no one. The goal is a single sheet every new starter can absorb in two minutes and actually follow.
What it has to answer
Three questions, no more:
- Which tools are approved? Name them. Everything else needs a quick sign-off.
- What data can go in? And, more importantly, what never can.
- When must a human review? Anything client-facing, financial or high-stakes.
The template (fill in the blanks)
1. Approved tools. Staff may use [list approved tools] for work. Any other AI tool needs sign-off from [name/role].
2. Data rules. Never enter [client personal data, confidential documents, anything under NDA] into a tool that isn’t on the approved list or isn’t contracted to keep our data private.
3. Human review. AI may draft, but a person must review and approve anything that goes to a client, a regulator or into a financial decision.
4. Ownership. [Name/role] owns this policy and the AI register, and reviews both every [quarter].
5. Questions. If in doubt, ask [name] before you paste.
What to pair it with
A policy works best next to an AI register, a living list of every AI tool in use and what data it touches. Together they’re what your compliance officer, and increasingly your clients, want to see. We cover both in the AI compliance guide.
This is an afternoon’s work, not a project. If you’d rather it was done with you and kept current as the rules change, that’s exactly what a fractional Head of AI handles, and what our audit sets up on day one.
Frequently asked
Do small businesses really need an AI policy?
Yes. If staff use AI at all (and they do), a short policy is the cheapest control against a data leak or a compliance breach, because it tells people what not to paste before they paste it. It also reassures clients and regulators.
How long should an AI policy be?
One page. Anything longer doesn’t get read. It should name approved tools, banned data, and when human review is required, then point to who owns it.
What should never go into a public AI tool?
Client personal data, confidential documents, anything covered by NDA or regulatory confidentiality, and trade secrets, unless the tool is on your approved list and contracted to keep your data private and not train on it. Passwords and other credentials should never go into any AI tool, contracted or not.
Want this sorted, properly?
Our 90-minute audit leaves you with a one-page action list: three things AI should be doing, what it will cost and what it will save. Keep the report either way.