Why a one-page AUP matters before any tool ships
We have seen both outcomes. The SMEs that wrote an acceptable-use policy first ended up with a healthy AI footprint and a defensible audit trail. The SMEs that bought tools first ended up with shadow ChatGPT accounts, client data pasted into consumer products, and a director quietly working out whether to disclose it to the ICO.
The acceptable-use policy is not a compliance artefact. It is the simplest tool we know for keeping a fast-moving team coherent.
The four categories of risk to cover
A useful SME policy covers four categories of risk, no more. If your draft has fifteen sections, the team will not read it.
- Data leakage: what data can and cannot be put into which class of tool, and how to handle client data and personal data in particular.
- Model error: where humans must remain in the loop, what 'review' means, and what cannot be auto-actioned at all.
- Intellectual property: what the firm owns, what the vendor owns, and what cannot be trained on or shared with third parties.
- Compliance: which regimes apply (UK GDPR, sectoral rules, contractual obligations) and where to find the underlying obligation if challenged.
The one-page policy template
Our working SME template has six numbered sections, each one paragraph long. We tune the wording per client. The structure is fixed.
- Acceptable use: a permitted-tools list, a forbidden-tools list, and a default position for anything not yet classified.
- Data handling: a classification (public, internal, confidential, restricted) mapped to which tool classes are permitted for each, with worked examples.
- Model selection and audit log: the named models the business is using, the named purpose for each, and how usage is logged.
- Human in the loop: a short list of decisions that may not be taken by AI alone, with named owners. Includes anything safety-critical, legally binding, or customer-affecting at scale.
- Incident response: what to do if data is leaked or an error reaches a customer, who to tell, and within what window. Where the leak is a reportable personal-data breach, UK GDPR fixes the outer window: the ICO must be notified within 72 hours of the firm becoming aware, so the internal escalation window has to be shorter than that.
- Review: who owns the policy, when it is reviewed, and how changes are communicated.
UK-specific compliance touchpoints
For UK SMEs the picture is more concrete than it sometimes feels. UK GDPR continues to govern personal data, and the ICO has published practical AI and data protection guidance that is genuinely usable, not just principled. The EU AI Act applies extraterritorially to a number of common SME scenarios: it reaches a UK firm that places an AI system on the EU market, or whose system produces output that is used in the EU. Note that merely processing EU residents' personal data is a GDPR trigger, not an AI Act one; the two regimes have different scopes and the policy should cite the right one. NIST's AI Risk Management Framework is voluntary everywhere, the UK included, but is becoming the de facto reference that enterprise procurement uses when evaluating suppliers.
We map every policy clause to one of those three sources, so the policy stops being our opinion and starts being a defensible position.
How to roll it out without bureaucracy
Rollout fails when it becomes a project. We have had the best results with a thirty-minute all-hands, a Slack pin, and a single named owner for questions. The policy is short enough to read in a coffee break, and the named owner reduces the friction of asking 'can I use X for Y' down to a message.
We follow up with one short scenario-based session per team in the first month. Sales runs through three live examples. Finance runs through three. The team that operates the tool runs through five. After that, the policy is part of how the firm works.
Reviewing the policy every quarter
The model landscape changes fast enough that an annual review is too slow. We review the policy quarterly, which sounds heavy but is light in practice, because in most quarters the only change is the permitted-tools list.
Every review checks three things: are the named tools still appropriate, has the risk picture moved (regulator action, incidents in the sector, new model classes), and has anyone in the firm tripped over the policy in the last quarter. The last question is the most useful one.
When to escalate to a consultant
Most SMEs can write and run this policy themselves. The two cases where we recommend bringing in outside help are when the firm handles special category or otherwise high-risk personal data at scale (health, financial, children's, legal), or when a regulator has already asked questions. In both cases the AUP is the starting point, not the finishing line, and a specialist will save you time.
