Back OfficeBack Office
All insights
AI Policy

What a one-page AI policy looks like for a mid-market company

You do not need a forty-page governance document. You need one page that answers what AI is allowed to touch, who decides, and what happens when something goes wrong. Here is the version we use.

April 10, 2026·6 min read
A single page of typed policy notes resting on a desk

Governance that fits on one page

Most AI policies we are handed to read are written for the legal team by the legal team. They are forty pages long, internally inconsistent, and read by no one. They produce the appearance of governance without any of its substance, and they are usually obsolete the week they are signed.

What we actually use with mid-market companies is one page. It answers four questions, lives in a place every employee can find, and is reviewed every quarter by the exec team. It does not look impressive. It works.

Why one page

A policy that is not read is not a policy. It is compliance theater. The forty-page version exists because someone needed to demonstrate that the company has thought about AI. The one-page version exists because someone needed the front desk to know whether they are allowed to send an AI-drafted message to a customer.

Those are different goals. The short version forces specificity, which is the part the long version usually avoids.

The four questions

  1. 1What can AI touch on its own, with no human in the loop?
  2. 2What can AI touch with a human in the loop?
  3. 3What can AI not touch at all?
  4. 4Who decides when any of the above changes?

That is the whole document. The hard work is filling it in with specificity, and updating it when reality changes.

What a good row looks like

A row in this policy reads like an operations decision, not a values statement. It names a specific surface area, a specific level of autonomy, a named owner, and a review date. For example: "Customer SMS responses. AI drafts the reply and the front desk reviews and sends. Owner: VP of Operations. Reviewed quarterly."

Notice what is missing. No principles. No values statements. No paragraph about being thoughtful stewards of artificial intelligence. The policy is a map of what the business has actually decided to do, written so that a new hire can read it on day one and act on it on day two.

The hardest column to fill

The hardest column is the third one. What can AI not touch at all. Most companies want to leave it blank, because writing things down in that column feels like admitting a limit. We push hard the other way. A list of what AI is explicitly not allowed to do is more useful than a list of what it is allowed to do, because it sets a clear line that the rest of the company can plan against.

Examples that usually belong in that column: any communication a customer might reasonably believe is from a human when it is not. Any decision that affects someone's pay, benefits, or employment status. Anything covered by a regulation your industry has written down. Anything that touches the founder's name or the executive team's calendar without explicit sign-off. The list is short. It is also load-bearing.

Who owns the document

One person. Not a committee. The committee should review it. One person should write it, sign it, and answer for it. In most companies we work inside, that person is the COO or the head of operations. In smaller companies it is the founder. The title matters less than the fact that the name is on the page.

The quarterly review

Once a quarter, the exec team reads the document together. The conversation is not whether to update it. The conversation is what changed in the business, what changed in the AI landscape, and which rows need to move. Usually one or two rows move per quarter. Sometimes none. The discipline of revisiting it is what keeps it alive.

This is most of what we do in the policy space. Writing the first version takes a few hours. Holding the quarterly review honestly takes a year. By the end of that year, the policy is usually unrecognisable from the first draft, and the company has a real instrument it can lean on. That is the version of AI governance that holds weight.

Why this works better than the forty-page version

Because people read it, and people remember it. Because the act of writing it forces the exec team to make decisions they have been deferring. Because when something goes wrong, the document points to the named owner of the surface area where it went wrong, and the conversation starts from there instead of from "who was in charge of this."

It is not a complete answer. There are situations, particularly in regulated industries, where a longer document is also required for legal reasons. The short version is not a substitute for that. It is the version the company actually operates by. The longer one sits in a folder, where it belongs.