Most AI policies are not policies. They are vendor templates with the company name swapped in. They ban entering passwords into ChatGPT (correct, but you didn't need a policy to know that). They say staff must "use AI responsibly" (true of everything). They are silent on the questions the business actually has to answer, which is what AI is for here, who decides, and what good looks like.
Brian Meeker put a sharper version of this point recently, aimed at engineering leaders measuring AI adoption by token counts: "tokenmaxxing is a vanity metric masquerading as leadership." His piece is about software teams, but the underlying argument applies to any organisation writing an AI policy. The policy is supposed to express what you believe about how the work should be done. If it doesn't, you've written a checklist, not a policy.
What most templates get wrong
Three things, repeatedly.
They optimise for the wrong reader. The template is written for the auditor, not the staff member with a question at 4pm on a Tuesday. The staff member wants to know "can I paste this client email into Claude to draft a reply?" The template tells them about responsible use principles. They paste it anyway.
They treat AI as one thing. A policy that lumps "generative AI" together is going to over-restrict the safe uses (summarising a public document) and under-restrict the risky ones (an agent with access to your CRM). The categories that matter are what data goes in, what action comes out, and who's accountable.
They don't reflect any actual decisions. A real policy says what the organisation has chosen and what it has chosen against. "We use Microsoft Copilot for Office tasks and don't use other tools without approval." "We don't use AI to draft client deliverables." "Junior staff don't use AI on training tasks for the first six months." Each of those is a position. A vendor template avoids positions because positions might be wrong for the next customer.
The NCSC's own guidance for managers says the same thing in drier language: access to generative AI should be restricted by default, allowed by exception, with a written usage policy and staff training behind it. That only works if the policy actually says something specific to the business.
What a coherent SME policy looks like
Short. One side of paper for most small businesses. It needs to answer five questions plainly.
Which tools are approved. Name them. "ChatGPT Team, Microsoft Copilot, GitHub Copilot." If a tool isn't on the list, it isn't approved, and the policy says how to ask for it to be added. Help Net Security reported last month that 31% of staff get no AI training from their employer at all. A named tool list is the floor.
What data can go in. Public information, yes. Internal but non-sensitive, with the approved tools. Customer personal data, contracts, source code, credentials: no, unless a specific tool has been approved for that purpose and the contract terms allow it. The reason 47% of generative AI use happens through personal accounts is that the work account makes using AI harder than the personal one does. Fix that and most shadow AI disappears.
What AI cannot be used for. This is where coherence shows. Meeker's example for engineering teams is that AI-generated code is your code, you are responsible for understanding it, and junior engineers should be doing more reps and less prompting. Translate that to your context. A legal firm might say AI cannot be used to draft client advice. A copywriting agency might say AI drafts must be substantially rewritten before client delivery. A bookkeeper might say AI cannot touch reconciliations. These are business decisions, not security ones, but the policy is where they get written down.
Who decides. One named person, or a small group. They approve new tools, they handle questions, they update the policy when things change. Without a name, the policy is no-one's job and nothing happens.
How disagreements get raised. Staff will find uses you didn't anticipate. A good policy has a route for "I want to use X for Y, here's why" that ends in a decision, not silence. The alternative is shadow AI, which is what you get when the sanctioned route is harder than the unsanctioned one.
The harder question underneath
Meeker's deeper point is that an AI policy reveals what the business actually values. If the policy is "use it as much as possible, we're tracking adoption," the business is telling staff that AI use is the goal. If the policy is "use it where it helps the work, here's what counts as help," the business is telling staff that the work is the goal.
Most SMEs don't need a fashionable policy. They need a policy that a new starter can read in five minutes and act on. That is a low bar, but the vendor templates currently in circulation are not clearing it.
How Steelwise can help
Writing a one-page AI policy that reflects what your business actually does, names the tools you actually use, and gives staff a clear answer to the 4pm Tuesday question is the kind of thing we do for clients. Get in touch.
Further reading
- Brian Meeker: Have a coherent AI policy
- NCSC: AI and cyber security, what you need to know
- Help Net Security: Shadow AI risks deepen as 31% of users get no employer training