Module 024 · Desk VII · Governance & Economics

AI policy in one page.

The one-page AI use policy your company actually needs. Shorter than the draft from legal, more useful. 90 minutes.

90 minutes · 9 sections · ~7,500 words · Prereq: Module 023
Written for: Chief Manager

Your company's AI policy should fit on one page. It probably doesn't exist.

Every company is using AI tools. Few have written down what's allowed. The legal team is drafting a 30-page policy that will take six months and nobody will read. Meanwhile, someone just pasted a customer's data into a public LLM, and nobody knows if that was okay.

A one-page policy is not inferior to a 30-page one. It's superior. People read it. People follow it. It covers the 90% of decisions that actually come up. The other 10% goes to legal.

This module is 90 minutes of drafting the policy your company needs. By the end:

  • A one-page AI policy with the five things every company's policy must cover.
  • A rollout plan that doesn't require an all-hands.
  • A quarterly review so the policy doesn't rot.

Thinker.

Every AI policy covers five things. Skip any of them and you have a gap.

  1. Approved tools. Which AI tools employees can use, and for what.
  2. Data classes. Which data can be pasted into which tools. Customer PII, trade secrets, and public information are different classes and get different rules.
  3. Review requirements. Which outputs require human review before external use.
  4. Disclosure. When to tell customers, partners, or regulators that AI was involved.
  5. Exceptions. How to request approval for something outside the policy.

The one-page test

If the policy is under 600 words, most employees will read it. Over 1000, most won't. The terse version beats the exhaustive one on the only metric that matters: compliance.

Policy vs. compliance

Policy = what we intend. Compliance = whether we actually do it. A good policy is designed to be followed. An exhaustive policy that's ignored is worse than no policy at all.

Talker.

The policy draft prompt

You are drafting a one-page AI policy for [company]. Length:
under 600 words total.

Context:
- Industry: [...]
- Size: [N employees]
- Regulatory environment: [summary]
- Current AI tool usage: [what people are using today]
- Risk posture: [conservative | balanced | aggressive]

Produce a policy with exactly these sections:

## Approved tools
List tools by name. For each: approved for what, not approved
for what.

## Data classes
Define: public, internal, confidential, restricted. Which
classes can go into which tools.

## Review requirements
When must a human review AI output before it goes external?
Be specific.

## Disclosure
When must we tell customers or third parties that AI was used?

## Exceptions
How does someone request an exception? Who approves?

Rules:
- Plain language. No legalese.
- Bullet lists over paragraphs.
- Name the approver (role) for each exception type.
- Include one example per section to disambiguate.

This produces a first draft in 2 minutes. Legal tunes. Leadership signs. Everyone reads it.

Rememberer.

The policy has a home.

[company-repo]/policy/
  ai-policy.md             (the current version)
  changelog.md             (every change, when, by whom)
  exceptions/
    2026-03-12-foo.md      (one file per approved exception)

The exception log

Every exception request is a markdown file: what was asked, who approved it, what the scope is, and when it expires. Over time, the exceptions tell you what the next version of the policy should cover.

Versioning

The policy is versioned. Changes go through PR. The changelog notes: what changed, why, who approved, effective date. Same discipline as a legal agreement.

Doer.

Twelve minutes. Draft v1 of your company's AI policy.

Build block · 12 minutes
One-page AI policy, v1

Step 1. Gather context (3 min)

Write down:

  • What AI tools does your company actually use today? (survey the team if you don't know)
  • What industry are you in? Any regulatory context?
  • What's the risk posture? Conservative, balanced, aggressive.

Step 2. Run the policy prompt (2 min)

Paste from Talker with your context. Get a draft.

Step 3. Hand-edit (4 min)

Read every line. For each:

  • Could a new hire on day one follow this?
  • Is there an example that makes it concrete?
  • Is anything missing that bit you last quarter?

Step 4. Legal review (async)

Send to legal. Ask for changes only where compliance requires. Resist the "let's add a paragraph" impulse.

Step 5. Ship (3 min)

Commit to policy/ai-policy.md. Send a one-paragraph Slack announcement with a link. Pin it in the relevant channel. Done.

Expected

A readable one-page policy. Shipped to the company. Under 600 words. Under one week of calendar time.

If something's wrong
  • Legal wants to add pages: negotiate. The reality is that if it's 4 pages, no one reads it. Short policy + detailed appendix beats long policy.
  • Employees ignore it: you skipped the announcement. Pin it. Mention in onboarding. Reference it in AI tool procurement.
  • Exceptions pile up fast: your policy is too restrictive. Loosen v2.

Rookie.

Failure 1. The un-findable policy

Policy exists. It's in a SharePoint folder named Governance/Drafts/AI-Policy-v12.docx. No one finds it. No one follows it.

Fix: one canonical URL. Pin it. Link from onboarding. Reference in procurement.

Failure 2. Policy as compliance theater

The policy says "all AI outputs must be reviewed." No one reviews. The rule is violated 50 times a day.

Fix: policies describe the floor, not the aspiration. If you can't enforce it, don't write it. A weaker policy that's followed beats a stronger one that isn't.

Failure 3. No exception path

Policy says no customer data in public LLMs. Someone has a legitimate reason to do it once. No process. They do it anyway, silently.

Fix: every policy includes an exceptions section. Exceptions are signals, not failures.

Manager.

Rollout

  • Announce in writing. One paragraph. Link to the policy.
  • Mention in next all-hands (1 slide).
  • Reference in onboarding.
  • Touchpoint: mention when provisioning a new AI tool license.

Do not do a 90-minute training session. Nobody reads the training deck.

Exception handling

Name an approver per exception type. Data classes → CTO or CISO. Disclosure edge cases → Legal. Tool approvals → IT.

Target turnaround: 48 hours. Slower than that and people skip the process.

Quarterly review

Every quarter, the policy owner reads the exception log. Patterns emerge. Update the policy. Commit. Announce the diff.
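The exception log in Rememberer and the quarterly review above are the two places this module describes a mechanism rather than a rule, so here is an added example of tooling both (my code, not the module's or any project's). It assumes each file under policy/exceptions/ opens with a `---`-delimited header of `key: value` lines using the field names requested, approver, scope, tool, data_class, approved_on and expires; that schema is an assumption (the module names the content of an exception but no file format), and the sample files below are constructed. The helper validates each file, flags expired and soon-expiring exceptions, and counts which data classes and tools keep needing exceptions, which is the "patterns emerge" step done mechanically. It also includes the one-page word-count test so the same script can run as a PR check on ai-policy.md.

```python
from collections import Counter
from datetime import date

# Assumed header schema for one exception file (not the module's own format).
REQUIRED_FIELDS = {
    "requested", "approver", "scope", "tool", "data_class", "approved_on", "expires",
}

# Constructed sample files standing in for policy/exceptions/*.md.
SAMPLE_EXCEPTIONS = {
    "2026-03-12-foo.md": """---
requested: Cluster anonymised support tickets with the vendor LLM
approver: CISO
scope: support team, one project
tool: vendor-llm-enterprise
data_class: confidential
approved_on: 2026-03-12
expires: 2026-06-12
---
Justification: ticket volume too high for manual tagging.
""",
    "2026-04-02-marketing-draft.md": """---
requested: Draft blog outlines in the public chatbot
approver: CTO
scope: marketing, outlines only, no customer names
tool: public-chatbot
data_class: internal
approved_on: 2026-04-02
expires: 2026-07-15
---
""",
    "2026-05-20-legal-disclosure.md": """---
requested: Summarise contract clauses for the disclosure review
approver: Legal
scope: legal team, redacted contracts
tool: vendor-llm-enterprise
data_class: confidential
approved_on: 2026-05-20
expires: 2026-11-20
---
""",
    "2026-06-01-ticket-triage.md": """---
requested: Triage incoming tickets by severity
approver: CISO
scope: support team
tool: vendor-llm-enterprise
data_class: confidential
approved_on: 2026-06-01
expires: 2026-12-01
---
""",
}


def parse_exception(text: str) -> dict:
    """Return the header fields of one exception file, or raise ValueError."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "---":
        raise ValueError("exception file must start with a '---' header")
    fields = {}
    for line in lines[1:]:
        if line.strip() == "---":
            break
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        fields[key.strip()] = value.strip()
    missing = REQUIRED_FIELDS - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    # Both dates must parse; an exception with no valid expiry never ends.
    date.fromisoformat(fields["approved_on"])
    date.fromisoformat(fields["expires"])
    return fields


def quarterly_review(files: dict, today: date, soon_days: int = 30,
                     pattern_threshold: int = 3) -> dict:
    """Summarise the exception log the way the policy owner reads it each quarter."""
    records = {name: parse_exception(text) for name, text in files.items()}
    expired, expiring_soon = [], []
    for name, rec in sorted(records.items()):
        days_left = (date.fromisoformat(rec["expires"]) - today).days
        if days_left < 0:
            expired.append(name)
        elif days_left <= soon_days:
            expiring_soon.append(name)
    by_data_class = Counter(r["data_class"] for r in records.values())
    by_tool = Counter(r["tool"] for r in records.values())
    by_approver = Counter(r["approver"] for r in records.values())
    # A data class or tool that keeps needing exceptions is a candidate for
    # the next policy version rather than for more one-off approvals.
    patterns = [
        (field, value, n)
        for field, counter in (("data_class", by_data_class), ("tool", by_tool))
        for value, n in counter.most_common()
        if n >= pattern_threshold
    ]
    return {
        "expired": expired,
        "expiring_soon": expiring_soon,
        "by_data_class": dict(by_data_class),
        "by_tool": dict(by_tool),
        "by_approver": dict(by_approver),
        "patterns": patterns,
    }


def one_page_check(policy_text: str, limit: int = 600) -> bool:
    """The one-page test from this module: the policy stays under 600 words."""
    return len(policy_text.split()) <= limit


def sample_report() -> dict:
    """Review the constructed log as of a fixed date so the result is reproducible."""
    return quarterly_review(SAMPLE_EXCEPTIONS, date(2026, 7, 1))


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Run it against the real directory by reading each `*.md` under policy/exceptions/ into the dict in place of SAMPLE_EXCEPTIONS; `parse_exception` refusing a file with a missing approver or an unparseable expiry is the point, since an exception nobody approved or that never expires is exactly the silent carve-out the Chief section warns about.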

Chief.

Risk 1. No policy is a policy

The absence of a policy is itself a choice: "employees decide." Regulators increasingly treat absence of policy as negligence. Plaintiffs' lawyers treat it as ammunition.

Governance: a one-page policy is infinitely better than no policy. Ship it.

Risk 2. Policy outdated the day it shipped

AI tools change monthly. Your policy written in January mentions tools that no longer exist by June.

Governance: quarterly review is the minimum. Every major tool change triggers a review, not a year-end cycle.

Risk 3. The exec shadow stack

Policy applies to everyone. When executives violate it (pasting board materials into public LLMs), you have both a compliance incident and a culture problem.

Governance: the policy must apply to executives equally. If leadership demands exceptions, write them in. No silent carve-outs.

Founder.

Solo founder: your policy is a Google Doc titled "AI at [Company]." 400 words. Written in an afternoon.

The solo version

  • Approved tools: Claude, ChatGPT, whatever you pay for.
  • Data: customer data goes only in paid / zero-retention tiers. Never in free consumer products.
  • Review: public-facing content gets a second read before publish, even if you drafted it with an agent.
  • Disclosure: case-by-case, err toward disclosing.
  • Exceptions: ask yourself in the mirror. If the answer is "no really, it's fine," it's fine.

Five bullets. Done. Revisit quarterly.

The one thing to remember

Short policy people read beats long policy people ignore.

Everything about AI governance is counter to the legal instinct. The legal instinct is to cover everything. The practical instinct is to get it followed. Follow the practical instinct first. Add coverage later, as exceptions reveal gaps. One page, reviewed quarterly, beats 40 pages updated annually.
