TBPN
0
← Back to Blog
Founder Tactics11 min read

How to Write an AI Policy for a 10-Person Startup Without Killing Productivity

A practical, copy-paste-ready AI policy template designed for small startups. Covers data classification, approved tools, and human review without enterprise bloat.

By TBPN Editorial Team

How to Write an AI Policy for a 10-Person Startup Without Killing Productivity

You are a founder with ten people. You do not have a CISO. You do not have a compliance team. You probably do not even have a dedicated IT person. But your engineers are using Copilot, your marketing lead just discovered Midjourney, and your head of sales is writing every follow-up email with Claude. You need an AI policy, and you need it to fit on two pages, not two hundred.

The problem is that every AI policy template you find online was written for Fortune 500 companies. They reference "cross-functional governance committees," "quarterly risk assessments," and "enterprise AI steering groups." None of that applies to you. What you need is a lightweight, practical document that protects your startup without adding bureaucratic overhead that your team will ignore.

This post gives you exactly that: a copy-paste-ready AI policy template specifically designed for small startups, along with explanations of why each section matters and how to customize it for your specific situation. This is the kind of tactical, unglamorous founder knowledge that gets discussed on TBPN during their deep dives into startup operations, the stuff that is not exciting enough for a keynote but critical enough to sink your company if you get it wrong.

Why Enterprise AI Policies Fail for Startups

Before we get to the template, it is worth understanding why you cannot just adopt an enterprise policy and trim it down. Enterprise AI policies fail at startups for three fundamental reasons.

They assume headcount that does not exist

Enterprise policies reference roles like "AI Ethics Officer," "Data Protection Officer," and "AI Governance Board." At a 10-person startup, the CEO is also the AI Ethics Officer, the Data Protection Officer, and the entire governance board. A policy that requires dedicated roles to function is dead on arrival at a small company.

They prioritize control over speed

Enterprise policies are designed to minimize risk in environments where a single mistake can affect millions of customers and trigger regulatory action. They achieve this through extensive approval workflows, mandatory reviews, and centralized decision-making. At a startup, this level of control is not just unnecessary; it is actively harmful. Your competitive advantage depends on moving fast, and a policy that adds three approval steps to every AI interaction will be ignored within a week.

They are too long to read

The average enterprise AI policy runs 20 to 40 pages. Nobody at a 10-person startup is going to read 40 pages of policy documentation. Your policy needs to be short enough that every employee can read it in one sitting and remember the key points afterward. Two to three pages is the sweet spot.

The Lightweight AI Policy Template

Here is the complete template. Each section is followed by an explanation of why it matters and how to customize it. The template is designed to be copied directly and adapted to your company with minimal changes.

[COMPANY NAME] AI Acceptable Use Policy

Version 1.0 | Effective [DATE] | Last Updated [DATE]

Owner: [CEO/CTO NAME]

1. PURPOSE

This policy establishes guidelines for the use of artificial intelligence tools at [Company Name]. Our goal is to enable everyone to benefit from AI productivity tools while protecting our customers, our intellectual property, and our company.

2. DATA CLASSIFICATION

All company information falls into three categories:

OPEN (Green): Information that is public or would cause no harm if shared externally. Examples: published blog posts, open-source code, publicly available market research, job descriptions.

INTERNAL (Yellow): Information that is not public but would cause limited harm if exposed. Examples: internal process documents, non-sensitive business logic, general architectural patterns, internal meeting notes (non-confidential).

RESTRICTED (Red): Information that would cause significant harm if exposed. Examples: customer data (PII, usage data, billing info), proprietary source code and algorithms, financial projections and fundraising details, unreleased product plans, security credentials and API keys, employee personal information.

3. RULES BY DATA CLASSIFICATION

OPEN data: May be used freely with any AI tool.

INTERNAL data: May be used only with approved AI tools (see Section 4).

RESTRICTED data: Must NEVER be entered into any external AI tool. No exceptions. If you need AI assistance with restricted data, talk to [CEO/CTO] about self-hosted or enterprise options.

4. APPROVED AI TOOLS

[List your approved tools here. Examples:]

- ChatGPT Team/Enterprise (for text generation, analysis, writing)

- GitHub Copilot Business (for code completion and generation)

- Claude for Business (for text generation, analysis, research)

- [Add your specific tools]

Using AI tools NOT on this list for any work-related purpose requires approval from [CEO/CTO]. Request approval via [Slack channel/email].

5. HUMAN REVIEW REQUIREMENTS

All AI-generated output used in the following contexts MUST be reviewed by a qualified human before use:

- Customer-facing communications (emails, support responses, marketing materials)

- Code committed to production repositories

- Legal documents, contracts, or compliance materials

- Financial reports or projections

- Any content published externally

You are personally responsible for the accuracy and appropriateness of any AI-generated content you use.

6. SOURCE CODE RULES

- Approved coding assistants (e.g., Copilot Business) may be used for code generation and completion.

- NEVER paste proprietary source code into non-approved AI tools.

- AI-generated code must pass the same review standards as human-written code.

- Do not use AI to generate code for security-sensitive functions (authentication, encryption, access control) without security review.

7. CUSTOMER DATA

Customer data is ALWAYS classified as RESTRICTED. Never enter customer names, emails, usage data, billing information, or any other customer-identifiable information into any external AI tool. This applies even to approved tools unless they have a signed Data Processing Agreement (DPA) with our company.

8. LOGGING AND TRANSPARENCY

- If you use AI to substantially generate customer-facing content, note it for your own records.

- If you are unsure whether a particular use of AI is appropriate, ask in [Slack channel] or contact [CEO/CTO]. Asking is always better than guessing.

9. POLICY UPDATES

This policy will be reviewed quarterly. AI tools and capabilities change rapidly. If you encounter a situation not covered by this policy, use your best judgment and then let [CEO/CTO] know so we can update the policy.

Explaining Each Section: Why It Matters

Data classification: The foundation of everything

The data classification section is the most important part of your policy because it turns abstract risk into concrete, actionable categories. Without clear classification, every AI interaction becomes a judgment call, and people under deadline pressure will consistently make the wrong judgment.

The three-tier system (Open, Internal, Restricted) is deliberately simple. Enterprise organizations often use five or more classification levels, but at a startup, complexity kills compliance. Three tiers are enough to cover the meaningful risk boundaries while being simple enough for everyone to remember and apply in real time.

Customize this section by listing specific examples relevant to your company. The more concrete your examples, the fewer edge cases your team will encounter. If you are a healthcare startup, explicitly mention that patient data is always Restricted. If you are a fintech company, call out transaction data. Specificity prevents ambiguity.

Rules by classification: Making decisions automatic

The rules-by-classification section translates the abstract categories into concrete behaviors. The key insight is that most AI usage involves Open or Internal data and should be freely permitted. By clearly delineating what is allowed, you prevent the chilling effect where employees avoid AI entirely because they are unsure what is permitted.

The "no exceptions" language for Restricted data is intentional. When it comes to customer data and proprietary source code, you want a bright line, not a judgment call. Gray areas in data handling create liability.

Approved tools: The positive list approach

Listing approved tools rather than banned tools is a critical design choice. A "banned tools" list is impossible to maintain since new AI tools launch daily. An "approved tools" list is manageable and creates a default behavior of checking before using something new.

When selecting your approved tools, prioritize those that offer:

  • Enterprise data handling agreements (the provider commits to not training on your data)
  • SSO integration (so you can manage access centrally)
  • Admin controls and audit logs (so you can see how tools are being used)
  • SOC 2 compliance or equivalent (baseline security assurance)

Human review: The liability firewall

The human review section exists primarily for liability protection. AI tools hallucinate. They generate confident-sounding incorrect information. They can produce content that is biased, legally problematic, or simply wrong. By requiring human review for all externally-facing and high-stakes content, you create a check that catches these issues before they become problems.

The line "You are personally responsible for the accuracy and appropriateness of any AI-generated content you use" is the most important sentence in the policy. It establishes that AI is a tool, not a decision-maker, and that the human using it retains full accountability.

Source code rules: Protecting your core asset

For most startups, your source code is your most valuable asset. The source code section provides specific, practical rules for how engineers can use AI coding tools while protecting proprietary code. The key distinction is between approved coding assistants (which have enterprise data handling agreements) and general-purpose AI tools (which do not).

The note about security-sensitive code is worth emphasizing. AI-generated authentication logic, encryption implementations, and access control code should always receive additional scrutiny. These are areas where subtle bugs create exploitable vulnerabilities, and AI tools are known to generate plausible-looking but insecure implementations.

Customer data: The hardest line

Customer data receives its own section because it is the area of greatest regulatory risk. Depending on your jurisdiction and industry, mishandling customer data through AI tools could trigger GDPR violations (fines up to 4% of global revenue), CCPA penalties, HIPAA violations, or other regulatory consequences.

The emphasis on Data Processing Agreements is important even for approved tools. Just because a tool is on your approved list does not mean it is approved for customer data. Many AI tools have enterprise tiers that include DPAs and consumer tiers that do not. Make sure your team understands the difference.

Logging and transparency: Building trust

The logging section is deliberately lightweight for a startup. Enterprise organizations require extensive audit trails for AI usage. At a 10-person company, the overhead of formal logging outweighs the benefit. Instead, this section encourages transparency and creates a culture where asking questions about AI usage is welcomed rather than punished.

Common Mistakes When Creating AI Policies

Having reviewed dozens of startup AI policies, and drawing on the operational insights regularly shared on TBPN's founder-focused segments, here are the mistakes that come up most often.

Mistake 1: Being too restrictive

The most common mistake is creating a policy that is so restrictive it kills AI adoption entirely. If your engineers cannot use Copilot, your writers cannot use Claude, and your designers cannot use Midjourney, you are not protecting your company. You are handicapping it while your competitors accelerate.

Restrictive policies also backfire because they drive usage underground. Employees who genuinely need AI tools to be productive will use them regardless of policy. You just lose visibility into what they are doing.

Mistake 2: Being too loose

The opposite extreme is a policy that is so permissive it provides no meaningful protection. "Use AI responsibly" is not a policy. Your team needs concrete rules about what data can go where and which tools are sanctioned.

Mistake 3: Writing it once and forgetting it

AI capabilities change dramatically every few months. A policy written in January may be completely inadequate by June. Build regular reviews into your operating rhythm. Quarterly reviews are the minimum cadence for a field moving this fast.

Mistake 4: Not involving your team

A policy created by the founder in isolation will miss important use cases and edge cases that your team encounters daily. Before finalizing your policy, share the draft with your team, solicit feedback, and incorporate their input. This also builds buy-in since people are more likely to follow rules they helped create.

Mistake 5: No enforcement mechanism

A policy without consequences is a suggestion. You do not need to be draconian, but your team should understand that policy violations are taken seriously. For most startups, a progressive approach works well: first violation gets a conversation, second gets a formal warning, third gets escalated to whatever consequence is appropriate for the severity.

Real Examples of Startups That Got It Right

Several startups have become models for effective AI policy implementation. Common patterns among the successful ones include:

The "AI Champions" approach

One Y Combinator-backed startup designated one person from each team (engineering, marketing, sales) as an "AI Champion." These champions were responsible for evaluating new AI tools, training their team on approved usage, and flagging policy edge cases. This distributed the governance burden without creating a centralized bottleneck.

The "Show and Tell" approach

Another startup implemented weekly AI show-and-tell sessions where team members shared how they were using AI tools. This served multiple purposes: it spread best practices, it provided natural oversight of usage patterns, and it created a culture where AI usage was visible and celebrated rather than hidden. Violations were caught naturally because everyone could see what everyone else was doing.

The "AI Budget" approach

A third startup gave each employee a monthly AI tool budget and let them choose their own tools from a pre-approved list. This provided autonomy and flexibility while maintaining guardrails. Employees felt trusted, adoption was high, and shadow AI was virtually eliminated because the company was actively funding the tools people wanted to use.

How to Update Your Policy as You Grow

The policy template above is designed for a 10-person startup. As your company grows, your AI policy needs to evolve. Here are the key transition points.

At 25 employees

At this size, you need to formalize the approved tool list and assign someone to manage it. You should also implement SSO for all approved AI tools and begin maintaining basic usage logs. The policy itself can remain largely the same, but the operational infrastructure around it needs to mature.

At 50 employees

At 50 people, you likely need a more formal data classification process, possibly with a brief training module for new hires. Consider implementing DLP tools to monitor for sensitive data in AI interactions. Your approved tool list should include specific usage guidelines for each tool, not just a list of names.

At 100+ employees

At this point, you are approaching enterprise territory. You will need dedicated security resources to manage AI risk, more granular access controls, formal vendor security reviews, and potentially industry-specific compliance measures. But your lightweight policy served its purpose: it protected you during the critical early growth phase when you were most vulnerable and least resourced.

Building a startup that takes AI seriously, both as a tool and as a risk, is the kind of founder mindset that TBPN champions daily. And if you are building that kind of company, show the world you are part of the community. Grab a TBPN hat or a mug for those long policy-drafting sessions, because good founders know that operational excellence is just as important as product innovation.

Frequently Asked Questions

Do I really need an AI policy if I only have a few employees?

Yes. In fact, small companies are often more vulnerable to AI-related data exposure because they lack the security infrastructure of larger organizations. A lightweight policy takes less than a day to create and can prevent catastrophic data leaks. The template above can be customized and deployed in a single afternoon. The time investment is trivial compared to the risk it mitigates.

What should I do if I discover an employee has already violated the policy?

Treat the first discovery as a learning opportunity, not a disciplinary event. Assess what data was exposed and evaluate the actual risk. If customer data or critical IP was involved, consult with a lawyer about notification obligations. Then use the incident to reinforce training and clarify any ambiguous parts of the policy. A punitive response to early violations will drive behavior underground rather than correcting it.

How often should I review and update the AI policy?

Quarterly at minimum. Major AI model releases, new tool launches, or changes in your business (new customers, new industries, fundraising) should trigger an immediate review. Set a recurring calendar reminder and treat the review as a 30-minute exercise where you scan for new tools your team is using, new risks that have emerged, and any policy gaps that recent experience has revealed.

Should the AI policy be part of the employee handbook or a standalone document?

At a small startup, keep it standalone. The employee handbook is something people read once during onboarding and never look at again. A standalone AI policy is easier to update, easier to circulate, and easier to reference. Link to it from your internal wiki or Slack channel so it is always accessible. As you grow and formalize HR processes, you can incorporate it into the broader handbook while maintaining the standalone version for easy reference.