Your team is already using AI. Someone on staff pasted a draft into a chatbot last week to clean up the wording. Someone else is using it to summarize meeting notes. This is happening whether or not you have decided how you feel about it, and in my experience the organizations that pretend otherwise are the ones that eventually get surprised.
The answer is not to ban these tools or to look the other way. It is to write down a few clear rules so people know what is encouraged, what is off-limits, and what to do when they are unsure. A good AI use policy for a small business or nonprofit does not need to be long. One page is plenty. Here is what belongs on it.
Start With What You Are Trying to Protect
Before you list rules, name the thing you actually care about. For most of the organizations I work with, it comes down to three concerns: keeping sensitive information private, making sure the work is accurate, and being honest with the people you serve. Every rule below traces back to one of those. When you frame the policy this way, staff understand the reasoning instead of just following orders, and they make better judgment calls in situations you never anticipated.
Rule One: Define What Data Can Never Go In
This is the most important section, so put it first. Be explicit about what employees may not paste into a public AI tool. That list typically includes:
- Personal information about clients, patients, students, or donors
- Financial account details, payment information, or Social Security numbers
- Passwords, API keys, or anything that grants access to your systems
- Confidential internal documents and unreleased plans
The simplest test I give teams: if you would not post it publicly, do not paste it into a tool that might learn from it. That one sentence prevents most of the mistakes I see.
Rule Two: Name Your Approved Tools
An open-ended "use AI responsibly" is not a policy. Pick the specific tools your organization has vetted and list them. When you standardize on approved tools, you can review their privacy settings once, turn off training on your data where that option exists, and know where your information is going. Staff experimenting with a dozen random apps means a dozen different privacy policies you have never read.
Include a simple path for requesting a new tool. Someone will find something useful, and you want them to ask rather than go around you.
Rule Three: Require Human Verification
AI produces confident, well-written answers that are sometimes wrong. Your policy should state plainly that a person is responsible for checking anything before it goes out. That means:
- Verify facts, figures, and quotes against a real source
- Read any AI-assisted email or document before sending
- Never send AI output straight to a client, donor, or the public without review
The tool drafts. A human decides. That distinction protects both your accuracy and your reputation.
Rule Four: Set Disclosure Norms
Decide when your organization will tell people that AI was involved. For internal drafts, disclosure usually does not matter. For content that represents your voice to the outside world, or for anything where a person expects to be talking to a human, be thoughtful. You do not need an elaborate labeling scheme, but you should agree as a team on where the line sits so individuals are not guessing.
The Nonprofit Angle: Donor and Constituent Trust
Nonprofits carry an extra weight here. Donor data is not just private, it is the foundation of a relationship built on trust. A donor who learns their giving history was fed into an outside tool without care may not stay a donor. The same goes for the people you serve, who often share sensitive circumstances with you precisely because they trust your organization.
For mission-driven organizations, I add one line to the policy: any use of AI touching donor or constituent information gets reviewed before it starts, not after. It is a small friction that prevents a large breach of trust.
Keep It One Page and Actually Use It
The best policy is the one your team reads. Keep it to a single page, written in plain language, with the data rules at the top. Review it a couple of times a year, because the tools change quickly. And walk through it with your staff rather than emailing a PDF nobody opens.
If you want help drafting a policy that fits how your organization actually works, or training your team to use these tools well, that is exactly the kind of thing I help small businesses and nonprofits with. Take a look at my AI training and workshops, or book a free consultation and I will help you build a version tailored to your team.