By the Founder, Easy Cyber Protection

Acceptable AI use at work: a practical policy for SMEs

Artificial intelligence (AI) tools have quietly entered most workplaces. Employees paste customer emails into AI chatbots, summarise contracts, and draft quotes, often without anyone deciding whether that is acceptable. This guide gives small and medium-sized enterprise (SME) owners a practical, five-step way to set the rules without banning the tools.

[Image: office worker at a laptop weighing approved AI tools against unapproved AI chatbots. Caption: A one-page policy beats a silent free-for-all.]

What is shadow AI, and why it matters

Shadow AI is the use of AI tools your business never sanctioned. An employee pastes a client contract into a free AI chatbot to summarise it, or uploads a spreadsheet of customer data for a quick analysis. The work gets done faster. The problem is what happens to the data.

  • Data leaves your control. Once text is typed into an external tool, you no longer decide where it is stored, who can read it, or whether it is used to train someone else's model.
  • Confidentiality promises break. Your contracts with clients promise to keep their information confidential. Those promises rarely contain an exception for AI chatbots.
  • GDPR exposure. Putting customer personal data into a tool without a processing agreement is processing under the General Data Protection Regulation (GDPR) that you cannot account for. If a client or the regulator asks where their data went, "we do not know" is not an answer.
  • Client trust. More and more clients ask their suppliers how data is handled. "We do not know which AI tools our staff use" loses deals.

There is a security angle too. Staff who are used to following instructions from tools and web pages without questioning them are easier to manipulate. The breach at the Dutch municipality of Epe (investigation published 5 June 2026, Security.NL) started with a so-called ClickFix lure: an employee was tricked into pasting a command that gave the attackers their initial access. Clear rules about which tools to trust, and which instructions never to follow, protect against more than data leaks.

A practical 5-step approach

You do not need a working group or a 40-page document. Five steps, each small enough to finish within a week:

1. Inventory which AI tools staff actually use

Ask, do not police. A short anonymous survey works: "Which AI tools do you use for work, and for what?" The goal is a real picture, not punishment. Expect more tools than you thought.

2. Classify what data may never go into external AI tools

Keep it concrete: customer personal data, financial records, passwords and access keys, trade secrets, and anything covered by a confidentiality agreement. If you already have a data classification for compliance work, reuse it.

3. Approve a short list of tools

Pick a small number of tools that cover the real needs from step 1. Check their terms: is your input used for training? Where is it stored? Can you get business accounts with admin control? Then say a clear yes to those tools.

4. Write a one-page acceptable-use policy

One page that says which tools are allowed, which data is forbidden, who labels AI-generated content, and who to ask when in doubt. The next section gives you the structure.

5. Train and revisit quarterly

Fifteen minutes in a team meeting is enough: show the policy, show one realistic example of what goes wrong, answer questions. AI tools and rules change fast, so review the tool list and the policy every quarter.

What belongs in the one-page policy

One page is enough, and one page gets read. Four elements:

  • Allowed tools. Name the approved tools and require business accounts, not private ones. Everything not on the list needs approval first.
  • Forbidden data categories. List what never goes into an external AI tool, with examples your staff recognise: customer names and addresses, payroll data, passwords, contract terms.
  • Labelling duties. From 2 August 2026, Article 50 of the EU AI Act requires, among other things, that deepfakes and AI-generated text published on matters of public interest are clearly labelled, and that chatbots are recognisable as such. Assign one person to check this before anything AI-generated is published.
  • Who to ask. Name one person for the question "may I use this tool, with this data?" Doubt should be cheap; a quick answer prevents quiet workarounds.

For the labelling element, our guide "AI-generated content: the EU labelling rules explained" covers exactly what must be labelled, by whom, and from when.

The MSP angle: offer this as a deliverable

If you are a managed service provider (MSP), the acceptable-AI-use policy is a natural addition to your service catalogue. It maps directly onto the information-classification and policy controls you already manage for compliance frameworks, so most of the building blocks exist:

  • Reuse the client's existing data classification for the forbidden-data list. If there is none, this policy is the reason to create one.
  • Bundle the policy with the security awareness training you already deliver; shadow AI fits naturally next to phishing.
  • The quarterly review fits the service rhythm you already run for patching and access reviews.
  • From 2 August 2026 your clients will ask about AI content labelling anyway. Walking in with a finished one-page policy answers the question before it is asked.

FAQ

Should we simply ban AI tools?

A ban is the fastest way to get more shadow AI, not less. Staff use these tools because they save time; forbid them and the use moves to private phones and private accounts where you have zero visibility. Approving a shortlist with clear rules keeps the productivity and removes most of the risk.

Is pasting customer data into an AI chatbot a GDPR problem?

It can be. Customer personal data entered into an external tool is processing under the GDPR, and without a processing agreement with the tool vendor you cannot account for it. The practical rule: treat customer personal data as forbidden in AI tools unless the tool is contractually covered, for example through an approved business account.

What changes on 2 August 2026?

The transparency obligations of Article 50 of the EU AI Act apply from that date. Chatbots must be recognisable as chatbots, providers of AI tools must mark AI-generated content machine-readably, and businesses that publish deepfakes or AI-generated text on matters of public interest must label it clearly. The European Commission published a voluntary Code of Practice on 10 June 2026 that describes how to do this in practice.

How long should the policy be?

One page. A policy nobody reads protects nobody. Allowed tools, forbidden data, labelling duty, one contact person. If your business has unusual risks, put the details in an annex and keep the page itself short.
