Your team is already using AI. They may be drafting emails in ChatGPT, summarising documents in Claude, or asking Gemini to clean up a report. Most of the time this is harmless and helpful. Sometimes it is not.

The problem is that without clear rules, staff make their own calls about what is safe to type into an AI tool. That is how confidential information ends up somewhere you cannot control. An AI use policy fixes this. It sets simple boundaries so your team gets the benefits of AI without putting your business, your staff, or your customers at risk.
This guide explains what an AI use policy is, why it matters right now, and what to put in one. We have also included a free template you can download and adapt.
What is an AI use policy?
An AI use policy is a short document that tells your team how they may and may not use AI tools at work. It names which tools are approved, what kind of information is safe to share, and what must never go into an AI tool.
A good policy is written in plain English. It is not a legal essay. The goal is for everyone, from the front desk to the directors, to read it once and understand exactly where the lines are.
Why your business needs an AI use policy now
AI has moved into the workplace faster than most rules have. That gap is where the risk sits.
Research shows that many staff already use free AI tools through personal accounts, and a large share have entered sensitive data into them. One study found that around 1 in 5 organisations had a breach linked to unapproved AI use, yet only about a third had any policy to manage it. Another found that while roughly 90 percent of companies use AI, fewer than 1 in 5 have proper governance in place.
In other words, the tools are everywhere and the guardrails are not. A clear policy is the cheapest and fastest way to close that gap.
SMB1001:2026 now requires one
There is also a compliance reason. The SMB1001:2026 update added a new control requiring businesses to put in place a formal policy for the responsible and secure use of AI. The standards body introduced it to address real risks like data leakage, loss of intellectual property, and privacy breaches.
If you are working towards SMB1001 certification, or you already hold it, an AI use policy is now part of the picture. Our SMB1001 guide explains how the framework fits together.
Understanding AI maturity levels
Not all AI carries the same risk. It helps to think of AI in three levels of maturity, from lower risk to higher risk.
Level one: generative AI
This is the AI most people know. You give it a prompt, it gives you an answer, and a person decides what to do next. ChatGPT, Claude, and Gemini all sit here. A human stays in control of every output, which keeps the risk manageable.
Level two: connected and integrated AI
At this level, AI is linked to your other tools and data through an integration or an API. It can read and write information across your systems. This is more powerful, but it also gives an outside tool access to your data, so it needs careful checking first.
Level three: agentic AI
Agentic AI can take actions on its own. It can make decisions, complete a chain of tasks, and run with little human involvement. This is the most capable form of AI, and the highest risk, because the person is no longer reviewing every step.
Our recommendation for SMBs
For most small and medium businesses, our advice is simple. Stick to generative AI to begin with. Use ChatGPT, Claude, or Gemini, with a person reviewing every output.
Do not move to agentic AI until you have run a proper AI risk assessment and put guardrails in place. The leap from a tool that suggests, to a tool that acts, is a big one. It deserves a deliberate decision, not a quiet trial that nobody signed off on.
Why human oversight matters
The phrase you will hear is keeping a human in the loop. It sounds reassuring. The catch is that it only works if the person actually understands what the AI is doing.
The Australian Securities and Investments Commission looked at how organisations govern AI and found a recurring problem. In some cases oversight did not appear to be strong enough, especially where the people in charge did not fully understand the models they were relying on. You can read the regulator’s findings in ASIC’s report on AI governance.
The lesson applies to every business, not just regulated ones. If you cannot explain why an AI tool produced a result, you cannot stand behind it. That is exactly why agentic AI is risky for a business that has not prepared for it. When AI acts on its own, the human in the loop can quietly become a passenger.
Third-party apps, integrations, and APIs
Plenty of everyday business apps now offer AI features, and many can connect to other AI tools through an API or integration. These connections can be genuinely useful. They can also hand an outside tool access to your data without anyone realising how much.
A single integration can change your risk profile overnight. That is why we recommend a clear rule. No AI integration goes live until someone has assessed it and approved it in writing.
Before you connect anything, do some basic due diligence. Ask what data the tool will access, where that data is stored, and who else can see it. Check what permissions the integration requests and whether they can be reduced. Look at the vendor’s security track record and privacy terms. We cover the wider danger of trusted tools turning risky in our articles on AI and supply chain attacks and compromised developer packages.
If you are not sure how to assess an integration, this is a good moment to bring in help. Our security consulting team can run an AI risk assessment and tell you what is safe to connect.
What to include in your AI use policy
A practical AI use policy covers the following:
- The approved AI maturity level, which for most SMBs is generative AI only to start with
- A list of approved tools, so staff are not guessing
- Clear rules on what data can and cannot be entered into an AI tool
- A requirement to use business accounts, not personal ones
- A rule that integrations and APIs must be assessed and approved first
- A human oversight rule, so every output is reviewed before it is used
- A simple way to report mistakes without fear of blame
- A review date, because AI changes fast
Our free template below includes all of these sections, ready for you to adjust.
Get your team to actually follow the policy
A policy that sits unread in a shared drive protects no one. The most common failure is not a bad policy. It is a good policy that nobody knows about.
The fix is to build awareness into your normal training. We recommend including a short, plain summary of your AI rules in your cyber awareness training so the whole team hears it, understands it, and knows where the lines are. We do this for our clients and tailor the training to how each business actually works.
New starters should read the policy during induction. And because the technology keeps moving, refresh the message whenever the policy changes.
AI use is part of a bigger picture
An AI use policy works best alongside your other controls. The same SMB1001:2026 update that introduced the AI policy requirement also strengthened expectations around third-party agreements and invoice fraud. Our guide to an invoice fraud prevention policy is a useful companion piece.
If your business runs on Google Workspace, our Google Workspace security service helps you control how AI features and integrations behave across your environment. And ongoing security monitoring helps you spot unusual activity before it becomes an incident.
Conclusion and next step
AI is one of the most useful tools your business has picked up in years. It is also one of the easiest ways to leak data if nobody has set the rules. An AI use policy is a small, cheap step that prevents a large, expensive problem.
Start with generative AI, keep a real human in the loop, and assess anything before you connect it. Then make sure your team actually knows the rules.
If you would like help, Sentry Cyber can create your AI use policy, run an AI risk assessment, or build AI awareness into your cyber training. Get in touch with our team for a straightforward conversation about what your business needs.
FAQ
What is an AI use policy?
An AI use policy is a short document that tells your team how they may and may not use AI tools at work. It names approved tools, sets rules for what data is safe to share, and explains what must never be entered into an AI tool.
Does my small business really need an AI use policy?
Yes. Your staff are very likely already using AI, often through free personal accounts. Without a policy, they decide for themselves what is safe to share. A policy gives them clear boundaries and protects your business from accidental data leaks.
Is an AI use policy required for SMB1001?
The SMB1001:2026 update added a control requiring businesses to have a formal policy for the responsible and secure use of AI. If you are working towards or maintaining SMB1001, an AI use policy is now part of what is expected.
Should my business use agentic AI?
For most small and medium businesses, not yet. We recommend starting with generative AI, where a person reviews every output. Only move to agentic AI after you have run an AI risk assessment and put proper guardrails in place.
What is the risk with third-party AI integrations?
Connecting an AI tool to your systems through an API can give an outside tool access to your data. A single integration can change your risk profile quickly. Always assess what data the tool can access and approve it in writing before going live.
How do I make sure my team follows the policy?
Build a short summary of the policy into your cyber awareness training, cover it during induction for new starters, and refresh it when the policy changes. A policy only works when people know it exists and understand it.
