AI Policy Starter Kit for Small Teams (Templates + Order of Operations)
Most teams do not need a forty-page policy pack on day one. They need clarity, speed, and a single owner so AI usage does not fragment into ungoverned shadow workflows. This starter kit is the same sequence we use with lean teams: inventory first, policy second, proof third.
Who this is for
- 5–50 people shipping software, services, or operations work with LLM assistants
- No dedicated compliance hire, but real customer data and real reputational risk
- Leaders who want audit-friendly evidence without enterprise program theatre
The kit (what you will ship)
- AI use-case inventory — a living list of tools, owners, and data classes touched
- Acceptable use policy — one page your team can actually skim
- Vendor pass/fail checklist — used before every new subscription
- Incident response note — who to page and what to freeze when something breaks
- Monthly review slot — fifteen minutes, same calendar invite, no exceptions
If you only do three items this month, do inventory, acceptable use, and monthly review.
Order of operations (do not skip steps)
Step 1 — Run a fourteen-day inventory sprint
Shadow AI appears when people optimize for speed. Your job is not to ban tools; it is to make usage legible.
- Post a short internal form: tool name, use case, data types, paying customer or not
- Merge duplicates and assign a business owner per tool
- Flag anything touching health, credit, HR, or children for a follow-up risk pass
Use the AI usage audit workflow when you are ready to formalise the rhythm.
Step 2 — Draft the policy around data, not hype
Policies fail when they read like marketing copy. Anchor yours in data classes and decision rights instead.
Cover, in plain language:
- Approved vs trial tools and who can spin up a trial
- Never-paste rules (customer PII, trade secrets, regulated datasets)
- Human review thresholds, especially for customer-facing output
- Retention: may conversation logs be stored, and if so, where?
Start from the AI acceptable use policy template and tailor names, tools, and geography in under an hour.
Step 3 — Vendor due diligence before you standardise a tool
Once a tool wins internal adoption, it becomes expensive to rip out. Run a 30-minute diligence pass before you declare it part of the approved stack.
The goal is not perfect security review; it is documenting that you asked the obvious questions: data processing, training opt-out, subprocessors, and exit. Use the vendor evaluation checklist verbatim, then store the completed file next to the subscription invoice.
Step 4 — Publish a one-page incident note
Incidents are when ambiguous policies become lawsuits or front-page stories. You need a single-paragraph chain of command plus links to your security broker and counsel.
If you do not have a bespoke playbook yet, clone the AI incident response playbook and swap in names.
Step 5 — Calendar the operating rhythm before you declare victory
Governance decays without a heartbeat. Minimum viable cadence:
- Weekly (async): new tool proposals land in a dedicated channel with checklist status
- Monthly (15 minutes): owner reviews inventory deltas plus incidents and near misses
- Quarterly (60 minutes): rerun the governance checklist and refresh templates
The AI governance checklist (2026) is the agenda for the quarterly session.
How this connects to regulation (without turning you into lawyers)
Teams operating globally should assume they will need evidence of proportionate controls, not perfection. If you are mapping EU AI Act obligations, pair this starter kit with how to build a governance framework and the EU-focused posts in the Governance category, then escalate edge cases.
Next actions
- Schedule the inventory sprint owner and due date today
- Fork the acceptable-use template and circulate a copy marked “draft” for forty-eight hours of comments
- Subscribe to the newsletter if you want the monthly checklist refresh; we ship one actionable asset per issue
When you outgrow spreadsheets, re-read AI monitoring tools for small teams before you buy observability you will not staff.