One-page asset

AI Policy Checklist

This is the short version for small teams. If the answer to any item below is "not sure", that is usually the next policy gap to close.

Data and tooling

  • Can the team classify data as public, internal, sensitive, or regulated?
  • Is there a clear rule for what may be sent to hosted models?
  • Is there a local or isolated path for sensitive work?
  • Are approved tools named, instead of implied?
  • Does each tool have a clear job instead of vague all-purpose access?

Review and approvals

  • Is customer-facing output always reviewed by a named human?
  • Are legal, policy, and pricing claims explicitly gated?
  • Are production changes separated from drafting or research lanes?
  • Does the team know who approves exceptions?
  • Can someone explain the policy in plain English in under two minutes?

Evidence and operations

  • Do you keep a lightweight record of model, task, operator, and outcome?
  • Can you reconstruct how a risky output was produced?
  • Is there a short incident path when the model gets something badly wrong?
  • Do repeat exceptions trigger a policy update instead of a shrug?

Practical first month target

  • One shared page of rules.
  • One named owner for changes.
  • One weekly review of exceptions and tool sprawl.
  • One public-output lane with explicit sign-off.
  • One sensitive-data lane that stays local or isolated.

Want the fuller argument and the operating logic behind this list? Read Practical AI Policy for Small Teams.