AI in the Real World

A short shadow AI policy small teams can actually follow

A plain-English AI usage policy for small businesses that need staff guidance without creating a document nobody reads.

27 Jun 20263 min readJames MackieUpdated 29 Jun 2026

Shadow AI is what happens when staff start using AI tools before the business has decided what is approved. In a small team, that can happen quickly and quietly.

Someone rewrites an email. Someone pastes meeting notes into a summariser. Someone asks a chatbot to improve a proposal. Someone tests a browser extension because it saves time.

The answer is not to panic. The answer is to give people rules they can remember.

Keep the policy short enough to use

A small business AI policy should fit on one page. If staff need legal training to understand it, it will not work in the moments that matter.

Start with five plain rules:

  1. Use approved tools for business work
  2. Do not paste sensitive customer, staff, financial or confidential data into unapproved tools
  3. Check AI output before it leaves the business
  4. Ask before connecting AI tools to company accounts or shared drives
  5. Report mistakes, leaks or unusual outputs quickly

That is enough to change behaviour while the business builds a more mature approach.

Define sensitive data in normal language

People need examples. "Confidential data" can sound abstract. Say what it means for the business.

For many small businesses, off-limits data should include customer lists, invoices, contracts, passwords, employee information, unpublished financials, private emails, supplier agreements and anything covered by a non-disclosure agreement.

This is also where AI readiness is not buying Copilot matters. Buying a tool does not answer the data handling question by itself.

Make output checking explicit

AI output should be treated as a draft, not a decision. Staff should check facts, tone, calculations, customer promises and anything that could create legal, financial or reputational risk.

This rule is especially important for customer-facing work. A polished answer can still be wrong. A confident summary can still miss context.

Control plugins and connected apps

The riskiest AI usage is often not the prompt box. It is the tool that asks to connect to email, files, calendars, CRM data or browser activity.

Small businesses should have a simple approval step before any AI tool is connected to company systems. That approval does not need to be bureaucratic. It does need to ask what data the tool can see and who owns the decision.

Give people a safe way to report mistakes

If someone pastes the wrong data into a tool, the business needs to know quickly. A blame-heavy policy makes people hide problems. A practical policy gives them a route to say what happened so the business can respond.

For a small team, that might be as simple as reporting to the business owner, operations lead or IT contact.

Review it every quarter

AI tools change quickly. The policy should be reviewed regularly, especially when new tools are adopted or suppliers start using AI in their own service delivery.

The aim is not perfect governance. The aim is a clear baseline that makes good decisions easier.

Related field notes

Back to Insights