Skip to content
Operations

Write the one-page AI policy

Most small businesses using AI have no written rules. A one-page policy that covers tools, data, approvals, and receipts without slowing anyone down.

  • Operations
  • fundamentals
  • Jul 1, 2026
  • 5 min read
  • SMB
  • Agents
  • Trust
Write the one-page AI policy visual summary

AI use in small businesses stopped being an early-adopter story. The 2026 QuickBooks AI Impact Report, run with the University of Chicago across 34,000 small businesses, found 77 percent using AI at least regularly, up from 48 percent in mid-2024. Goldman Sachs' March 2026 survey of its small business program put current use at 76 percent.

The written rules did not keep up. Industry research in 2026 estimates that roughly three in four small businesses using AI have no written AI policy. That means no approved tool list, no rule about what can leave the building inside a prompt, and no named owner when something goes wrong.

Why the missing page costs money

The failures are specific and repetitive.

Someone pastes a customer list into a free chat tool to clean it up, and that tool trains on inputs by default. An AI-drafted quote goes out with a wrong price because nobody was assigned to check it before send. Three people quietly subscribe to overlapping tools, which is how the typical small business ends up running five AI tools with no owner for any of them.

Each of those failures maps to one line on one page. That is the whole argument for writing the page.

One page, five sections

The policy below fits on a single sheet. Fill in the brackets, name real people, and post it where the team already looks.

The plan tier in section one is doing real work. Most free chat tools train on what you type unless you opt out, and the paid business plans usually turn that off by contract. Check the actual setting instead of assuming, then write down what you found.

The rules our own site runs under

A policy earns trust when code enforces it. The concierge agent on this site runs under written limits: 8 requests per minute per visitor IP, a daily token budget (800,000 tokens as of this writing), and an 1,800-character cap on each message. Every run writes a receipt into our CRM with the model ID, prompt hash, and token counts. When a client asks what an AI policy looks like in production, that is the artifact we show.

Client engagements follow the same posture. Each client gets an isolated agent with its own credentials held in a managed secret store, so the agent never holds a raw key and one client's data never rides along in another client's run. Those are policy lines first. The infrastructure just makes them true.

Keep it enforceable

A five-person shop does not need an AI committee, and a thirty-page policy is a way of having no policy. One page, one owner, thirty minutes to write, and a quarterly reread.

Two rules for the rules:

  • If a rule cannot be checked, rewrite it until it can. "Use AI responsibly" checks nothing. "No customer data in prompts" can be audited in five minutes of chat history.
  • If a rule has not triggered in ninety days, consider cutting it. A short page people follow beats a thorough one nobody opens.

Where to start

Write the tool inventory first. It takes ten minutes, it usually surprises the owner, and every other section depends on it. The AI readiness checklist covers the workflow-selection half of this decision, and the small business security checklist covers the credential half.

Then put the review date on the calendar. Tools change fast enough in 2026 that an annual policy is a stale one. Quarterly is enough, and the reread takes less time than one bad paste job costs.

Source notes