
Responsible AI for Small Teams: The One-Page Policy That Covers 90% of the Risk

11 June 2026 | Brett Alegre-Wood | 5 min read
Tags: responsible AI, AI policy, AI governance, SME, data privacy

TL;DR

Most AI risk in a small business comes from a few everyday habits, not exotic edge cases. A one-page responsible AI policy that says what data never goes in, who checks the output, and who owns the decisions will cover roughly 90% of the danger, and your team will actually read it.

Why does a small team even need an AI policy?

Because your staff are already using AI, whether you have a policy or not.

Someone in your office has pasted a client email into ChatGPT to "tidy it up". Someone has dropped a spreadsheet into a free tool to summarise it. Someone has asked an AI to draft a contract clause and copied the answer straight in. None of them are trying to cause harm. They are busy, the tool is right there, and it makes their day easier.

That is the real picture in most SMEs I talk to. The risk is not some dramatic robot-takeover scenario. It is ordinary people making small, reasonable-looking decisions with no shared rules to guide them.

A policy is not about control. It is about giving your team a clear line they can see, so the helpful ones stop worrying and the careless ones stop guessing. You want AI to augment how your people work. You cannot do that safely if everyone is improvising on their own.

What does the one-page policy actually cover?

It covers four things: what data is off-limits, what always gets checked by a human, what tools are approved, and who to ask when unsure.

That is it. Four sections, one side of A4. If it runs longer, nobody reads it, and a policy nobody reads protects nobody.

Here is the shape of it:

  1. What never goes into a public AI tool. Client personal data, financial details, passwords, anything covered by a confidentiality agreement, anything you would not email to a stranger. Spell out the examples so nobody has to interpret.
  2. What a human always checks before it leaves the building. Anything sent to a customer, supplier, or the public. AI drafts; a person signs off. No exceptions for "it looked fine".
  3. Which tools are approved. A short named list. If a tool is not on it, someone has to ask before using it for work.
  4. Who owns this. One name. The person who answers questions, approves new tools, and reviews the page every quarter.

Write it in plain English, the way you would explain it to a new starter over a cup of tea. No legal language. The point is that a smart sixteen-year-old could read it once and follow it.

Why does "what data never goes in" matter most?

Because data leaking out is the mistake that is hardest to undo, and the easiest to make.

When someone pastes information into a free, public AI tool, that data can be stored on someone else's servers and, depending on the tool's terms, used to train future models. You cannot pull it back. If it was a client's personal details or a confidential quote, you now have a data protection problem that started with a single copy-and-paste.

This is the line to be strictest about. At EzyTrac, our property business, the rule is simple: tenant and landlord personal details never go near a public tool, full stop. If we want AI help with that kind of work, it happens inside a private, contained system where the data stays ours.

For your team, make the banned list concrete. Don't write "sensitive information". Write "no customer names, addresses, payment details, or anything from a signed NDA". People follow rules they can picture. They ignore rules they have to decode.

How do you stop AI mistakes reaching a customer?

You put a human between the AI and the outside world, every single time.

AI is brilliant at first drafts and terrible at knowing when it is confidently wrong. It will invent a figure, misread a date, or soften a clause in a way that changes its meaning, and it will do all of that in a tone that sounds completely sure of itself.

So the rule is plain: AI can write anything internal at speed, but nothing goes to a customer, a supplier, or the public until a named person has read it and is willing to put their name to it. The AI does the heavy lifting; the human owns the result.

This one rule quietly removes most of the embarrassing failures you read about. The wrong refund amount, the made-up policy detail, the email with a client's name spelled wrong, all of it gets caught at the check. It costs a few seconds per item and saves you the calls you really don't want to make.

Who should own the policy, and how often does it change?

One named person owns it, and they review it roughly every quarter.

Shared ownership means no ownership. Pick someone, the owner or a sensible manager, and make it their job to answer "can I use this tool for that?" when it comes up. They keep the approved-tools list current, they handle new requests, and they are the single point staff go to instead of guessing.

The quarterly review matters because the tools move fast. A free tool that was fine in spring may change its terms by autumn. New tools your team wants to try will appear. Fifteen minutes every few months to re-read the page, update the approved list, and check nothing has drifted is plenty. This is not a document you write once and bury in a shared drive.

What about the 10% a one-page policy won't cover?

The one page handles the everyday risks. The remaining slice is the specialist stuff, and it needs proper attention rather than a bullet point.

If you handle large volumes of personal data, work in a regulated sector like finance or healthcare, or want to build AI into a product you sell, you are past what a single sheet can carry. That is the point to bring in your data protection adviser, and to think about contained systems where the AI runs on your data without that data ever leaving your control.

The honest message is this: don't let the missing 10% stop you doing the 90%. Plenty of businesses freeze because they cannot write the perfect, lawyer-proof policy, so they write nothing, and their team carries on pasting client data into public tools in the meantime. A simple page you adopt this week beats a perfect one you never finish. You can always tighten it as you grow.

Where to start

Block out an hour. Write the four sections in your own words, name the owner, list the three or four tools your team can use, and send it round. You will have covered most of your real exposure before lunch.

If you would like a second pair of eyes on it, or you are weighing up a private, contained setup so your team can use AI on real client data safely, we offer a free AI audit. We will look at how your people are already using these tools and where the quiet risks sit, with no pressure and no jargon. Book one whenever it suits you.

Live with passion & AI,

Brett

Frequently asked questions

Do small businesses really need an AI policy?

Yes, but it can be one page. A short policy prevents the common mistakes, like staff pasting client data into public tools, without slowing anyone down.

What is the biggest AI risk for a small team?

People feeding confidential or personal data into public AI tools, where it may be stored or used to train models, often without anyone realising it happened.

How long should a responsible AI policy for an SME be?

One page. If it runs longer than a single side of A4, nobody on your team will read it or remember what it says.

Who should own the AI policy in a small business?

One named person, usually the owner or a manager. They approve new tools, answer questions, and review the policy every few months as things change.

Does a one-page policy keep us compliant with data protection law?

It is a strong start, not a full legal sign-off. For regulated work or large personal datasets, check with your data protection adviser before relying on it alone.

About the author
Brett Alegre-Wood

Brett is a four-time founder (Darra Tyres, Gladfish, EzyTrac, Anaboo) and the operator behind AIOS, Anaboo's AI Operating System. He writes from inside the build, installing AI in his own businesses first and reporting back what actually moves the numbers. Based between Singapore, the UK and Australia.
