How to Write a One-Page AI Policy for Your Organization

Most companies that have an AI policy written will tell you it is 14 pages long, lives in a shared drive nobody visits, and was authored by legal with a compliance lens rather than an operations lens. It covers everything that could go wrong and nothing about how to actually work.

A one-page AI policy does the opposite. It answers the three questions every employee has but rarely asks out loud, in language they can use the day they read it. 

Here's how to write one.

Why One Page

The length is less of a constraint and more of a design principle.A 14-page AI policy signals that AI is a risk to be managed. A one-page policy signals that AI is a tool to be used, with clear enough guardrails that people don't need to guess. The first produces hesitation. The second creates action.Long policies also create a gap between the people who write them (legal, compliance) and the people who need to use them (everyone else). By the time a policy has gone through three review cycles and added two annexes, it no longer resembles anything a marketing manager or sales rep can apply in the moment.One page forces clarity. If you can't explain the rule in a sentence, the rule probably isn't clear enough to be a rule yet.

The Three Questions your Policy Needs to Answer

Question 1: What data can go into AI tools - and what can't?

This is Fence 1 of the Three Fences Model for AI Governance. (Read more on how to set it up here: How to Build an AI Governance Framework That Enables Speed, Not Bureaucracy) It's also where most AI incidents come from: an employee pastes a client contract, salary data, or proprietary research into a consumer AI tool without realizing the data agreement doesn't cover it.

Your policy needs to answer this in plain language. Something like:

Approved: internal documents, public information, your own work product. 

Not approved: client data, financial records, personal information, anything under NDA. 

Not sure? Ask [name/channel] before you paste.

That's it. One short paragraph. The goal is to give people a usable default and a clear escalation path for the grey zone not to cover every edge case.

Question 2: How do we check AI output before it leaves the building?

This is Fence 2. AI produces confident wrong answers. A policy that ignores this is a policy waiting for an incident.

The review standard needs to match the stakes of the output. A suggested framework:

  • Internal use, low stakes (meeting notes, first drafts, research summaries): spot check, use your judgment

  • External use, medium stakes (client-facing content, reports, proposals): one human review before it goes out

  • High stakes (legal, financial, compliance, anything that could create liability): human sign-off required, no exceptions

Three tiers. One paragraph. Employees can apply this the first time they read it.

Question 3: Who gets access to what, and what's expected of them?

This is Fence 3. Not every role needs the same tools or the same level of AI autonomy. And people who get access to AI tools without any training expectation attached tend to either not use them or use them badly.

Your policy should name: which tools are approved for use across the organization, which require specific training before access, and who to contact for questions about new tools employees want to try.

It needs to give people a clear path: here's what's available, here's what's expected, here's the door if you want something different.

The Structure: What Goes on the Page

One page, four sections. Each section should take under 30 seconds to read.

Section 1: Why this policy exists (2-3 sentences)

A plain-language statement of intent: "We want our team to use AI confidently and well. This page gives you the guardrails you need to do that without guessing." The tone sets expectations for everything that follows.

Section 2: Data handling (the approved/not approved list)

Short, specific, scannable. Include the grey zone escalation path. This is the highest-stakes section - spend the most words here, but still keep it to a short paragraph.

Section 3: Output review (the three-tier standard)

Internal, external, high-stakes. One line each. If your organization has specific functions with specific review requirements (legal, finance, regulated industries), name them explicitly.

Section 4: Access and questions

Approved tools. Training requirements, if any. Who to ask about new tools or edge cases. One named contact or channel, not a committee.

That's the whole document. It fits on one page because those four sections are genuinely all that most employees need to work confidently with AI.

What to Leave Out

A one-page policy is not the place for:

Definitions of AI. Employees don't need a technical definition of a large language model to know how to check their output before sending it to a client.

Exhaustive tool lists. Tools change faster than policies get updated. Name categories and specific approved platforms, not every possible product.

Disciplinary procedures. These belong in HR documentation, not in the working policy employees consult daily. Mixing them in signals that the policy is primarily about accountability rather than guidance.

Liability disclaimers. Again, legal's document. Your one-pager is an operational tool. Keep it operational.

Who Writes It and Who Signs Off

The person who writes the one-pager should be the person who owns AI adoption in the organization - the COO, CMO, or designated Head of AI. Not legal as primary author.

Legal reviews it. Legal makes sure it doesn't conflict with compliance obligations, data privacy law, or contractual requirements. But legal shouldn't write the first draft because legal writes for risk managers, not for the employee who's about to paste something into ChatGPT and needs to know in three seconds whether that's fine.

The sign-off is straightforward: operational owner approves the content, legal clears the compliance exposure, leadership endorses it. Then it gets published somewhere everyone can find it - not buried in a policy repository, but linked from wherever your team talks about AI tools.

Keeping It Current

A one-page policy also gets stale faster than a 14-page one, because it's specific enough to date. Build in a quarterly review - 20 minutes, one person, check three things: have any of the approved tools changed, has anything happened that the current data guidance doesn't cover, and is the output review standard still fit for how the team is actually working?

If the answer to any of those is yes, update it. The update takes 10 minutes. The point of keeping it short is that keeping it current is easy enough that it actually happens.

A Starting Template

Here's a bare-bones structure you can adapt:

****

Our AI Policy - [Company Name]

We want our team to use AI tools confidently and well. This page tells you what you need to know.

Data: You can use AI tools with internal documents, public information, and your own work product. Do not enter client data, financial records, personal information, or anything covered by an NDA into any AI tool. Not sure? Ask [name or channel] before you paste.

Output review: For internal use, use your judgment. For anything going to a client or external audience, have a human review it before it goes out. For legal, financial, or compliance-related outputs, get explicit sign-off from [name or role].

Tools: Our approved tools are [list]. New tools need approval from [name] before use. Training is required before [specific tools, if applicable].

Questions: Contact [name or channel] for anything this page doesn't cover.

Last updated: [date]. Next review: [date].

****

Short. Specific. Usable the day someone reads it.

If you want to see where your organization's governance gaps are before you write the policy - which data handling risks are already live, which review gaps exist, which functions have no training yet the NorthLight AI Readiness Audit gives you a structured picture in about 10 minutes. Run the audit now.


Next
Next

The Biggest Mistakes Companies Make When Rolling Out AI