How to Write an AI Use Policy Your Team Will Actually Follow (in Two Pages)
By Gabriel Tan | May 2026
Most AI use policies I have seen fall into one of two categories. Either they are 40-page documents that nobody reads, written by a compliance team that does not itself use the AI tools it is regulating. Or they do not exist at all, because the MD keeps meaning to get around to it.
Both positions carry the same risk. When something goes wrong, there is no documented standard to fall back on. No record of what was expected. No basis for accountability.
The fix is a two-page policy. Short enough that every person in your firm reads it on their first day. Specific enough that it answers the three questions your team actually has: Can I use this tool? Can I put this data into it? Who do I tell if something goes wrong?
Why two pages
The EU AI Act's AI literacy obligation (Article 4) has applied since 2 February 2025. If your firm uses AI on work for clients or offices in the EU, you need to be able to show that the people using the tools have a sufficient level of AI literacy, and a documented policy plus recorded training is the practical way to evidence that. Not a suggestion. A legal requirement.
The requirement does not say the policy needs to be long. The international standards in this space, ISO/IEC 42001 for AI management systems and the NIST AI Risk Management Framework, ask for documented roles, controls and review. None of them say the documentation needs to be complex.
The principle is borrowed from military operations planning: if the person executing the plan cannot remember the key rules under pressure, the plan is too complicated. Two pages makes that possible.
The seven sections
Section 1. Purpose and scope. One paragraph. What the policy covers (all AI tools used on client work), who it applies to (everyone, including contractors and freelancers), and when it took effect.
Section 2. Approved tools. Name the specific AI tools your firm permits for client work, and the account tier for each. If only the Enterprise tier of ChatGPT is approved, say so, and make clear that the same product on a personal or free account is not approved. The most common failure is a policy that says "use AI responsibly" without naming which tools are in and which are out.
Section 3. Data classification. Your team needs to know what can go into which tool. Three tiers work for most firms.
Tier 1 is data that never goes into any AI tool, regardless of account tier or contractual protections. This category is deliberately narrow. It covers three things: data where the client has explicitly prohibited AI processing in their engagement terms; access credentials (passwords, API keys, session tokens and other login secrets); and personal identification numbers (national ID, passport numbers). If it gives someone access to an account or lets them steal an identity, it stays out of every tool. Credentials are Tier 1 even when they arrive embedded in something else, such as a pasted configuration file or a forwarded email thread, so the rule is to strip them before the rest of the text goes in.
Tier 2 is data that can only go into enterprise-tier tools where your firm has signed a Data Processing Addendum (a DPA, which is a contract that binds the vendor to specific data handling, security, and breach notification obligations). This is where most of your actual client work lives: confidential materials, draft earnings releases, unpublished financial figures, investor presentations in preparation. All of this is manageable through enterprise AI tools because those tools carry the same contractual protections as your enterprise email and cloud storage. You already trust Gmail or Outlook with client data because of the contracts in place. Enterprise AI with equivalent protections deserves equivalent trust. Before you rely on that equivalence, check that the DPA covers the two points that matter for AI specifically: that your prompts and uploaded files are not used to train the vendor's models, and how long they are retained. Those terms are what separate the enterprise tier from the consumer product, and they are the reason the account tier in Section 2 matters.
Tier 3 covers publicly available information where a non-enterprise tool may be better suited for the job. For example, using Grok to search content on X because it is better at that than your enterprise tools, or using an image generation tool on a free account for a non-client internal graphic. The data is public. The risk is minimal. The one guard rail: do not add client-identifiable context to the prompt. Searching for publicly available articles about a listed company is fine. Adding "summarise this for our client's board report" is not, because now you have disclosed a client relationship and an upcoming corporate event on an uncontrolled tool.
Governance that treats every task the same, regardless of sensitivity, is governance people ignore. Matching control intensity to actual risk is what the international standards require.
Section 4. Workflow requirements. Two rules cover most situations. First, any AI-assisted deliverable must be reviewed by a named person who knows AI was used and checks the output for accuracy. Second, the drafter logs which tool was used, what tier of data was entered, and who reviewed the output. This log becomes your governance record, and it is what you will reach for under Section 6 when you need to establish what went where.
Section 5. Disclosure. State your firm's position on telling clients about AI use. "We disclose proactively in the engagement letter," "we disclose on request," or "we disclose when the tool contributed substantially to the output." Whatever you choose, document it so every team member gives the same answer when a client asks.
Section 6. What to do when something goes wrong. If client data enters an unapproved tool, the person who discovers it tells [named person] within [timeframe]. That person assesses whether client notification is required and, where personal data is involved, whether the incident is a reportable breach; under the GDPR the deadline for notifying the supervisory authority is 72 hours from becoming aware, so the internal timeframe has to sit well inside that. Delete the data from the tool where the vendor allows it, and record what was done. This section does not need to be long. It needs to exist.
Section 7. Review and training. The policy is reviewed every six months. All staff complete a briefing within their first week and an annual refresher. Attendance is recorded.
The three-question test
Once the policy is written, test it. These are the questions your team will face at speed on a Tuesday afternoon:
Can I use this tool? (Section 2.)
Can I put this data into it? (Section 3.)
Who do I tell if something goes wrong? (Section 6.)
If your policy answers all three clearly, it works. If any answer requires interpretation, rewrite that section.
Print the three questions on a card. Pin it where the work happens.
How to get this done this week
Draft the seven sections using the structure above. Fill in your firm's specific tool names, data tiers, and named contacts. Two to three hours.
Circulate to your senior team for one round of feedback. Not for perfection. For accuracy. Are the approved tools correct? Is the data classification clear? Is the escalation contact right?
Finalise and distribute within a week. Set the six-month review date now.
If you find yourself stuck on Section 3 (data classification) or Section 5 (disclosure), those are the sections where most firms need a second opinion. Both carry regulatory implications worth getting right the first time.
The policy itself is the easy part. Getting it right so it holds up under scrutiny is the part worth investing in.
Gabriel Tan is the founder of Mekong Bridge Advisory. He builds structured execution systems for PR and communications firms.