How to Design an AI Policy & Guardrails Pack for Small Teams

What this covers

• Data handling: What can/can’t be shared with AI tools—and how.
• Approved tool list: The only apps your team should be using.
• Do / Don’t rules: The quick-scan commandments.
• Review cadence: When and how this page gets updated.
• Incident playbook: What to do when something goes sideways.

1) Data Handling (keep it simple, keep it safe)

Classification

• Public: okay to paste (marketing copy, published docs).
• Internal: okay with approved tools if redacted (project codes, non-sensitive SOPs).
• Confidential: never paste (customer PII, financials, legal docs, credentials).
• Regulated (PHI/PCI/ITAR, etc.): never paste; follow system-of-record only.

Guardrails

• Strip names, IDs, contract $ amounts, and any unique identifiers.
• Use read-only links in prompts instead of uploading files when possible.
• Store outputs in your company drive, not personal devices.
• For training data: use sandbox/test data or synthetic examples only.

Minimum Security Settings

• Enforce SSO + MFA for all AI tools.
• Disable “Use data for training” where possible.
• Log who used what tool and when (basic audit trail).

2) Approved Tool List (the only tools that count)

Keep this tight; expand later as needed.

Create/Generate

• Writing: Company-approved ChatGPT/Microsoft Copilot account
• Images/Video: [Your chosen tools here]

Analyze/Automate

• Sheets/Docs add-ins: (e.g., Microsoft 365 Copilot, Google Duet)
• Automation: (e.g., Zapier/N8n instance owned by the company)

RAG/Knowledge

• Internal search/FAQ bot connected to your drive with least-privilege access.

Requests for New Tools

• Use a 3-question form: (1) Business outcome? (2) Data touched? (3) Who owns it?
• Default trial: 2 weeks, limited scope, then keep or kill.

3) Do / Don’t (the no-thinking checklist)

Do

• Ask AI to draft, outline, summarize, or QA—not to decide for you.
• Redact sensitive details; describe the pattern instead of pasting raw data.
• Keep the human-in-the-loop: review tone, claims, math, and citations.
• Label AI-assisted work: “Drafted with AI; reviewed by [Name], [Date].”
• For external content, run a quick fact check against primary sources.

Don’t

• Upload customer PII, credentials, contracts, or unreleased financials.
• Use unapproved browser extensions or personal accounts.
• Put AI outputs straight into production or send to clients without review.
• Claim AI-generated content is entirely human-written.

4) Review Cadence (version control for sanity)

• Weekly (5 min): Tool list changes + incident log check.
• Monthly (15 min): Spot-check outputs for accuracy and bias; refresh examples.
• Quarterly (30–45 min): Update the one-pager; re-train the team; confirm access/MFA/audit settings.
• Owner: Name + role. Back-up: Name + role. Version: YY.MM.DD.

5) Incident Playbook (what to do when something leaks—or might)

1. Stop the bleeding
   • Revoke tokens/keys, disable the app/session, rotate credentials.
2. Contain & assess
   • What data, whose data, which tool, who touched it, when?
3. Notify
   • Internal: Owner + leadership immediately.
   • External: Customers/regulators only via leadership/legal.
4. Remediate
   • Remove exposed files, update permissions, add missing guardrails, retrain.
5. Post-mortem (24–72 hrs)
   • What failed, what changes, who owns follow-ups, by when.
   • Log the incident on the one-pager (date + 1-line summary + fix).

How to Roll This Out (fast)

1. Draft this page with your actual tools and examples (10–20 minutes).
2. Share in Slack/Teams with a 3-minute Loom walkthrough.
3. Run a 15-minute live training: demo redaction, show an approved prompt, review the incident steps.
4. Pin the one-pager in your team hub; require “AI-assisted” label in deliverables.
5. Calendar the monthly/quarterly reviews.

One-Pager Template (copy/paste)

Title: [Company] AI Policy & Guardrails (vYY.MM.DD)
Owner / Backup: [Name/Role] / [Name/Role]

Data Handling:

• Public ✅ | Internal (redact) ⚠️ | Confidential/Regulated ❌
• Never upload: PII, contracts, credentials, unreleased financials.
• MFA required; disable training; outputs saved to [Drive/Folder].

Approved Tools:

• Gen: [Tool] | Analyze: [Tool] | Automate: [Tool] | RAG: [Tool]
• New tool request: link to 3-question form.

Do / Don’t:

• Do: draft/outline/QA; redact; label “Drafted with AI; reviewed by [Name].”
• Don’t: paste sensitive data; use personal accounts; publish without review.

Review Cadence:

• Weekly check, monthly QA, quarterly update & training.

Incident Playbook (TL;DR):

• Stop → Assess → Notify (internal → legal) → Remediate → Post-mortem.
• Incidents log: [Link].

Examples (keep 2–3 live):

• Good prompt: “Summarize this SOP into a 7-step checklist; exclude client names; output in bullets.”
• Redaction example: “ACME-12345 → [Client-ID]; $45,000 → [Amount].”

FAQs (30-second answers)

• Can I use my personal ChatGPT account? No—company account only, with MFA.
• Can I upload client reports? Only if fully redacted and classified “Internal.”
• Who approves new tools? The policy owner; 2-week trial; keep/kill decision logged.
• What if I’m not sure? Don’t paste it. Ask the owner in the same thread.

The payoff

You’ll reduce “Can I use this?” questions, cut risk from shadow tools, and ship more polished work—without slowing anyone down.

Ready to ship your AI Policy & Guardrails Pack?
Contact BoostMyAI to get started: we’ll tailor this one-pager to your stack, wire in the right defaults (SSO/MFA, logging, redaction patterns), and run a 30-minute rollout with your team.