AI Savvy CEO
    Governance

    Does Our Company Need an AI Policy? Here's the Honest Answer.

By Shawn Moore · 6 min read · US / Canada

    Every company with more than 25 employees needs a written AI policy in 2026, even if it is one page. The minimum viable AI policy covers four areas: approved tools, prohibited uses, data handling rules, and an escalation path. Companies without one face three compounding risks: data leakage, IP contamination, and discoverable shadow AI in litigation.

    A CEO of a $60M industrial supplier emailed last month with a single question: "Do we actually need an AI policy, or is this consultant-bait?" Her IT director was pushing for a 40-page document. Her general counsel wanted a bulletproof governance program. Her CFO wanted to know what it would cost. She wanted to know if any of it was real.

    The honest answer is that she needed a written AI policy three months ago. So does almost every mid-market company reading this. But she did not need the 40-page version, and the consultant quote of $85,000 to write it was theatre.

    The honest answer (yes — and here's the threshold)

Every company with more than 25 employees needs a written AI policy in 2026. The reason is not regulation, although the EU AI Act, the Colorado AI Act, and sector-specific guidance from OSFI, the SEC, and the FTC are tightening quickly. The reason is operational: roughly 75% of knowledge workers now use generative AI at work, and 78% of those users bring their own tools rather than waiting for IT to provide one, according to Microsoft and LinkedIn's 2024 Work Trend Index. ISACA's 2025 State of Privacy survey shows the same gap from the governance side: 82% of organizations say AI is being used internally, but only 28% have a written policy that covers it.

    The threshold is not industry. It is not regulated status. It is whether you have employees who can paste data into a browser. If yes, you need a policy.

    What happens to companies without a policy

    Three failure modes show up reliably, and they compound. None of them is hypothetical — each has played out at companies whose names are now in news stories.

    1. Data leakage. The Samsung incident is the best-known example: engineers pasted proprietary source code into ChatGPT in 2023, and Samsung had to ban the tool internally and treat the leak as a permanent exposure. The smaller, quieter version of this happens every week at companies under $500M, where someone uploads a customer list to a free AI tool to "summarize the sales pipeline." That data is now outside your control.

2. IP contamination. Trade-secret protection requires reasonable measures to keep information secret. Pasting it into a consumer AI tool with no enterprise agreement, under terms that typically let the vendor retain inputs and train on them, is hard to reconcile with that requirement. If you ever try to enforce a trade-secret claim, the absence of a policy becomes the defense's first slide.

    3. Discoverable shadow AI in litigation. In any meaningful lawsuit, opposing counsel now asks for AI usage logs by default. A company without a policy cannot answer the basic question "what did your employees do with AI on the relevant dates" — and that gap, in a courtroom, looks like negligent supervision.

    The four sections every AI policy must contain

    A useful AI policy has exactly four sections. Anything else is decoration. If you cannot articulate each section in two paragraphs, the policy is too long to be enforced.

    Section 1 — Approved tools. Name them. Not categories, products. ChatGPT Enterprise is approved; ChatGPT Free is not. Microsoft Copilot for M365 is approved for documents containing internal data; Copilot Studio agents require a separate review. Each tool is paired with the data classes permitted inside it.

    Section 2 — Prohibited uses. Be specific and concrete. "Do not paste customer PII, payroll data, M&A documents, source code, or attorney-client privileged material into any AI tool not on the approved list." Examples beat principles every time.

    Section 3 — Data handling rules. Two rules cover most cases: (a) public, internal, confidential, and restricted data classes, with a chart showing which class is allowed in which tool, and (b) the rule that any AI output used in customer-facing or board-facing material must be reviewed by a human before it leaves the company.

    Section 4 — Escalation path. A named person, a 24-hour response commitment, and a no-blame reporting channel for "I think I just pasted something I shouldn't have." Without this, the policy is enforcement theatre — employees will hide incidents instead of surfacing them.

    What you do NOT need (the over-engineering trap)

    The 40-page AI policy industry is real, expensive, and mostly counterproductive for mid-market companies. You do not, in your first version, need:

    • A full ISO 42001 certification program
    • An AI ethics committee with a charter and quarterly minutes
    • An algorithmic impact assessment template for every internal use
    • A separate model governance framework distinct from the use policy
    • A bias-testing protocol for tools you did not build

    All of these have a place — eventually, at scale, in regulated industries. Trying to install them as version one guarantees the policy never ships. Companies that over-engineer the first version typically have no enforceable policy 18 months later. Companies that ship a one-page version in week two have a working governance program by month six.

    A one-page AI policy you can adapt this week

    The outline below is the version we use as a starting point with mid-market clients. It is not a substitute for legal review. It is a substitute for another six months of "we should write something."

    1. Purpose (3 lines). Why this policy exists, who it covers, when it takes effect.
    2. Approved tools (a table). Tool name. Vendor. Approved data classes (Public / Internal / Confidential / Restricted). Last reviewed date.
    3. Prohibited uses (a list of 8–12 specific examples). Each bullet is a verb plus an object: "Do not upload customer contact lists. Do not paste source code. Do not generate marketing claims about safety, efficacy, or financial returns without legal review."
    4. Data handling rules (4–6 lines). The data classification chart, plus the human-review rule for any external-facing output.
    5. Escalation (3 lines). Named person. Email address. 24-hour SLA. No-blame reporting commitment.
    6. Review cadence (1 line). Reviewed quarterly by the accountable owner; tools list updated monthly.
    7. Acknowledgement (1 line). Annual sign-off by all employees with system access.

    That is a one-page policy. It can be drafted in a week, reviewed by counsel in a second week, and rolled out in a third. The first version of this document is more valuable than the final version of the 40-page alternative.

    When to escalate from one page to a full governance program

    Three triggers should move you from the one-page policy to a fuller program:

    • You start building or fine-tuning models on company or customer data. Now you need model governance, not just usage governance.
    • You operate in a regulated sector — financial services, healthcare, critical infrastructure, federal contracting — where NIST AI RMF or ISO 42001 alignment will be expected by examiners or customers within 12 months.
    • Your customers begin asking for it in vendor security reviews. Once the third RFP requires AI governance attestation, the one-page policy is no longer commercially sufficient.

    Until one of those three triggers fires, additional governance machinery typically adds cost and friction without measurably reducing risk. The goal of version one is enforceability, not comprehensiveness. For the broader governance lens behind this, see the AI Savvy Readiness Framework and the four-failure taxonomy in Why Enterprise AI Pilots Fail.

    A working policy can be drafted in a single working session. If you want a second pair of eyes — or an operator who has watched this go wrong at twenty other companies — that is what strategic advisory is for. Bring your draft. Leave with a defensible version.
