Article

An AI Policy Template for Mid-Market Companies (Without a Forty-Page Document Nobody Reads)

Most AI policies are either too thin to govern anything or too long for anyone to follow. Here is a practical, two-part AI policy template — red lines and approved use — designed for companies between 50 and 500 employees.

By Matt Humer
Tags: AI policy, AI governance, outcome delivery, compliance, mid-market

The mid-market AI policy problem has a specific shape. Enterprise legal teams produce thirty-page documents that cover every contingency. Small businesses sometimes have nothing in writing at all. Companies between 50 and 500 employees sit in the gap: the risk profile demands a real policy, but there is no in-house team to draft one and no budget to engage outside counsel for forty hours of work.

This article is the template we use as a starting point in our AI Policy & Governance Sprint. It is intentionally short. The goal is something an employee can read in five minutes, remember the next day, and actually apply. A long policy nobody reads is worse than a short policy everyone follows.

A note before we start: this is a starting structure, not legal advice. Any policy your organization adopts should be reviewed and approved by your legal counsel, compliance function, and applicable governance bodies. AdoptionLab.AI’s engagements are facilitative — we research applicable frameworks, run the stakeholder conversations, and produce a draft. Your counsel signs off.

The two-part structure

Every AI policy worth following can be reduced to two questions:

  1. What is not allowed, ever? (Red lines)
  2. What is allowed, and under what conditions? (Approved use)

Almost every other AI policy section — risk management, vendor review, data classification, training, monitoring — is operational support for these two questions. Start with the answers and build the rest only as needed.

Part 1: Red lines

Red lines are absolute prohibitions. Violating one is a disciplinary issue, not a judgment call. The list should be short. If everything is a red line, nothing is.

Most mid-market companies need five to seven, drawn from this menu:

Never put protected information into a public AI tool. Define “protected information” specifically. For most companies this includes: any information regulated by HIPAA, FERPA, GLBA, PCI-DSS, or sectoral privacy laws applicable to you; customer PII (names tied to identifying information); internal financials before public release; M&A or strategic plans; source code with proprietary algorithms; personnel files; and anything marked confidential under an NDA. “Public AI tool” means a tool where your data is used to train future models or where you have not signed a business agreement that includes data protection terms.

Never use AI to make consequential decisions about people without human review. Hiring decisions, terminations, performance ratings, credit decisions, medical decisions, and disciplinary decisions all require a human reviewer who has read the underlying material themselves. AI can summarize, draft, or shortlist. It cannot decide.

Never present AI-generated content as your own original work where authorship matters. This covers regulated filings, expert testimony, sworn statements, academic submissions where AI use is prohibited, and any client deliverable where the engagement letter requires human authorship.

Never use AI to generate content that targets, deceives, or manipulates a specific person. This includes generating likenesses of real people, fake reviews, impersonation, and synthetic communication that misrepresents its source.

Never bypass the approved tool list. If the policy lists approved tools, those are the tools. Wanting to try a new one is a request through the approval process, not an exception you grant yourself.

You may want one or two industry-specific red lines. A healthcare company adds a red line about clinical decision support. A legal services company adds one about client privilege. A financial services company adds one about non-public market information. Keep the total under ten.

Part 2: Approved use

The approved-use section is where most policies fail by either being too vague (“use AI responsibly”) or too restrictive (“AI may only be used for the following twelve tasks”). The structure that works is a green list grouped by data sensitivity.

Public or non-sensitive content. Default-allowed for any approved AI tool. This is your largest category and includes drafting blog posts, generating internal team emails, brainstorming, summarizing public documents, learning new topics, generating example code that does not contain proprietary logic, and structured rewriting tasks (translation, tone adjustment, summarization of public material).

Internal but non-protected content. Allowed for tools where your organization has a business agreement with data protection terms. This includes drafting internal memos referencing internal projects, summarizing meeting transcripts, working with non-customer operational data, and analyzing aggregated metrics. List the approved tools by name.

Customer or regulated data. Allowed only with named tools that your organization has approved for the specific data class, with logging enabled. This is where you list the small set of enterprise-tier deployments — Microsoft Copilot with your tenancy, Anthropic Claude through your business agreement, ChatGPT Enterprise, your CRM-native AI, and so on. If the tool is not named, the answer is no until it is.

Source code. Allowed for AI coding assistants that have been reviewed by your security function, with named exceptions for repositories containing proprietary algorithms (which fall back to red line one). List the approved coding assistants explicitly.

For each tier, name a person or function someone can ask if they are unsure. Make the answer fast. The cost of waiting two weeks for a tool review is people quietly going around the policy.

The three operational sections

Beyond the two-part core, three short operational sections are usually worth including.

Disclosure to customers. When AI was used to generate or substantially assist content delivered to a customer, what is the disclosure standard? “Substantially assist” is the term we use because it is meaningful — drafting from scratch with AI is substantial; using AI to fix a typo is not. Most mid-market companies converge on something like: “AI-generated content reviewed by a human is acceptable to deliver. AI involvement does not need line-by-line attribution. AI-generated content delivered without human review must be labeled as such.”

Vendor review. New AI tools come through a defined process. Name the process owner, set a service level on response time (we recommend ten business days), and list the questions every new tool has to answer: what data does it process, where is it stored, who has access, what is the deletion policy, what does the contract say about training on customer data, what compliance certifications does it hold.

Incident response. What happens if a red line is crossed, intentionally or not? Who gets notified, in what order, on what timeline. The response should distinguish between accident (forgot, didn’t realize) and intent (knew, did it anyway). The first calls for retraining and process improvement. The second calls for HR.

Communication and rollout

The policy is the easy part. Adoption is the hard part. Three rules we use in every engagement:

Publish the policy in plain language, not legalese. The version you ship to employees should sound like it was written by a human. Have your most thoughtful operator read it aloud. If they stumble on a sentence, rewrite it.

Train through scenarios, not slides. The most effective enablement we have ever run is a 45-minute session where employees vote on five real-feeling scenarios — “is this allowed, not allowed, or maybe?” — and then discuss the answers as a group. People remember the conversation. They do not remember the deck.

Plan for re-issuance every six months. AI capabilities are moving fast enough that any policy older than six months is partially out of date. Calendar the review now. Even a thirty-minute working-group meeting that says “no changes needed” is more valuable than a stale policy in a SharePoint folder.

Where to take this

If your organization needs a real version of this policy — researched against the frameworks that apply to you (NIST AI RMF, state AI laws, industry-specific guidance), shaped through stakeholder conversations, and ready for legal review — that is exactly the scope of our AI Policy & Governance Sprint. Four to six weeks, scoped pricing, draft policy plus communication plan plus disclosure templates.

If you would rather build the capability to write and maintain this internally, the GenAI Black Belt and Master Black Belt programs include policy and governance infrastructure as core components.

And if you want to start tomorrow with what you have, the two-part structure above — five red lines, four green-list tiers — is a defensible v1 for most mid-market companies. Get it reviewed by counsel, ship it, and iterate.