AI policy starter kit for 5–200 employee companies

“What’s your AI policy?”Have the answer before they ask.

The AI Governance & Acceptable Use Starter Kit is six editable documents — an AI Acceptable Use Policy, employee usage guidelines, data-handling SOPs, a vendor evaluation rubric, a client-facing AI disclosure template, and an incident response playbook — built for the 5 to 200 employee company that just got asked the question by an enterprise prospect, an insurer, a board member, or an auditor. Starting templates, not legal advice. Customize for your jurisdiction and industry, and run them past counsel before deployment.

Get the Kit — $39one-time · editable templates, not legal advice · 30-day refund
Six editable documents
AI Acceptable Use Policy
Boundaries
Employee Usage Guidelines
Day-to-day
Data-Handling SOPs
Data
Vendor Evaluation Rubric
Procurement
Client AI Disclosure Template
Client-facing
Incident Response Playbook
When it breaks
Built around
NIST AI RMF · EU AI Act · ISO/IEC 42001 · SOC 2
01.The Pressure Moment

You can draft the policy after they ask. Or you can have it ready.

Most 5 to 200 employee companies don’t have an AI policy. Not because they don’t care — because the structural drafting is a one-to-two week project that competes with everything else on the ops calendar.

Then a question lands. An enterprise prospect’s procurement team. A cyber insurance renewal application. A board member who just read an article. A SOC 2 auditor expanding scope. Suddenly the missing policy is in the critical path of a deal, a coverage decision, or an audit finding.

The kit ships the structural draft — six editable documents that get you past the blank-page problem. You still need to customize for your business and route them through counsel. You don’t need to start from zero.

What buyers usually have when the question lands
  • 01A Slack thread from six months ago that mentioned writing an AI policy
  • 02A Notion page titled “AI policy (DRAFT)” with two bullet points
  • 03A copy of someone else's policy borrowed from a friend at another company
  • 04A vague verbal understanding among leadership about “how we use ChatGPT”
  • 05A growing list of employees using AI tools in ways nobody's documented
  • 06An enterprise questionnaire on the COO's desk with a 10-day response window
Composite of common patterns from B2B SMBs. Yours may differ.
02.What's Inside

Six editable documents. Designed to be customized for your business.

01

AI Acceptable Use Policy

The master policy document — purpose, scope, approved tools, permitted uses, prohibited uses, data classification rules, training requirements, enforcement. The clause-by-clause document your prospect or insurer is asking for.

02

Employee AI Usage Guidelines

The human-readable internal-comms version of the policy. Quick-reference card, FAQ for common employee questions, do/don't examples drawn from real workflows. Built to actually get read.

03

Data-Handling SOPs

Operational procedures for AI + sensitive data: customer PII, employee data, financial information, internal IP. Step-by-step flowcharts and decision trees for the moments employees are most likely to make a mistake.

04

Vendor & Tool Evaluation Rubric

Scorecard for vetting third-party AI tools before approval — data residency, training-on-input policies, security certifications, contract terms, EU AI Act risk classification awareness. Notion database + PDF version.

05

Client-Facing AI Disclosure Template

Transparency-facing document for customers and partners — where you use AI, what data flows through it, how outputs are reviewed, what choices customers have. The kind of document procurement teams increasingly require.

06

Incident Response Playbook

What to do when something goes wrong — data inadvertently submitted to an AI tool, model hallucination affects a customer, vendor breach involves your data. Runbook, contact tree, notification templates, postmortem framework.

All six documents are starting templates designed to be customized. Each ships with inline annotations marking core clauses, scope-dependent clauses, and optional add-ons. Run them past your own counsel before deployment.

03.The Four Triggering Moments

When this kit pays for itself many times over.

01
~5–10 day response window

The Enterprise Security Questionnaire

A B2B prospect's procurement team sends a vendor security review with an AI controls section. Without a documented policy, you stall a six-figure deal at the security gate. With one, you respond same-week with attached PDFs.

02
~30–60 day cycle

The Cyber Insurance Renewal

Your carrier adds AI-use questions to the renewal application. Coverage scope and premium increasingly depend on documented controls. “We’re working on it” lengthens the underwriting cycle. “Here’s our policy” shortens it.

03
Usually triggered by news

The Board or Leadership Ask

Your COO, GC, or a board member surfaces the question — often after a data-leak incident in the news, an employee accidentally pasting customer data into ChatGPT, or a customer asking how you handle their information.

04
Annual or bi-annual audit

The Auditor's New Section

SOC 2 Type II, ISO 27001, and industry-specific audits increasingly include AI controls in scope. The auditor wants to see written policies, operational SOPs, vendor risk assessments, and an incident response plan. “We don’t have those yet” becomes a finding.

04.Inside a Policy

Sample excerpt from the AI Acceptable Use Policy. Annotations show how clauses map to real questionnaire items.

[Company Name] · AI Acceptable Use Policy
Version 1.0 · Effective: [Date] · Owner: [Head of Operations]

§ 3. Acceptable Use of AI Tools

§ 3.1 Approved AI Tools

The following AI tools are approved for company use under this policy:

  • (a) Claude (Anthropic) — content drafting, analysis, code generation;
  • (b) ChatGPT (OpenAI) — general productivity assistance;
  • (c) [Customize: list your approved tools and their permitted use cases].
§ 3.2 Permitted Uses

Employees may use approved AI tools for:

  • (a) Drafting first-pass content for internal review;
  • (b) Analyzing publicly available information or appropriately classified data;
  • (c) Generating code, subject to security review prior to merge;
  • (d) Preparing customer-facing communications, subject to § 4 disclosure rules.
§ 3.3 Prohibited Uses

Employees may NOT use AI tools for:

  • (a) Processing customer PII without explicit consent and applicable agreements;
  • (b) Generating final-form legal, financial, medical, or regulated advice;
  • (c) Submitting confidential company data to non-approved tools;
  • (d) [Industry-specific prohibitions — customize for healthcare, finance, etc.].
Excerpt only. Full policy is approximately 12 pages with definitions, training requirements, enforcement procedures, and references.
How clauses map
§ 3.1The approved-tools list is what enterprise vendor questionnaires explicitly ask for — “list the AI tools used in service delivery.” Fill in your actual stack.
§ 3.2(c)The “security review prior to merge” clause is what SOC 2 auditors increasingly want to see for code-generating AI workflows.
§ 3.3(a)The PII clause is the line item most cyber insurance applications now require. Insurers want to see this in writing.
§ 3.3(b)The “final-form regulated advice” prohibition is the most common gap in informal policies. Regulated industries especially need this clause documented.
Annotations ship inline in the kit’s documents — visible during customization, removed before deployment.
05.Framework Awareness

Informed by the standards your auditors and counterparties reference.

The templates draw structural language and risk concepts from established frameworks. This kit does not certify, attest, or guarantee compliance with any of them — that’s work your auditors, counsel, and operating practices do. What the kit gives you is documentation that speaks the same vocabulary your counterparties expect.

NIST AI RMF 1.0
Voluntary U.S. framework

Risk-management vocabulary, the Govern / Map / Measure / Manage functions, and the Generative AI Profile.

ISO/IEC 42001
AI management system standard

Structural management-system language for organizations operating AI in a governed way.

SOC 2 Type II
Service organization controls

Trust Services Criteria language now increasingly applied to AI use in service delivery.

EU AI Act
EU regulation

Risk-tier vocabulary referenced in the vendor evaluation rubric. Specialized counsel required for EU posture.

State and international AI regulations continue to evolve. The kit is updated when major frameworks ship material changes. Existing buyers get those updates included.

06.The Honest Truth

What this kit is. What it isn’t. So you can decide cleanly.

What it is
  • Six editable starting templates informed by published frameworks.
  • Documentation infrastructure most enterprise questionnaires expect to see.
  • A structural draft that saves the 1–2 week blank-page problem.
  • Annotated for clarity on which clauses are core vs. scope-dependent.
  • A foundation you customize, deploy, and operate consistently with.
What it isn’t
  • Not legal advice. Run everything past your own counsel before deployment.
  • Not certification. Does not make you compliant with GDPR, HIPAA, SOC 2, EU AI Act, or any other regulation or framework.
  • Not a substitute for industry-specific overlays (HIPAA BAAs, FedRAMP, GLBA, etc.).
  • Not turnkey. Templates require customization for your business, industry, and risk profile.
  • Not the finish line. Documentation alone doesn’t constitute compliance — your actual practices do.

We say this loudly because the failure mode in this category is buyers treating template policies as if they were certifications. Documentation gets you past the blank-page step. The work that actually reduces risk is operating consistently with the policies, having counsel review the customizations, and updating the documents as your practices and the regulatory landscape evolve.

07.Who This Is For

Be honest with yourself before you click buy.

Buy if
  • You’re a 5–200 employee company and you don’t have an AI policy yet.
  • You’ve recently been asked for one by a prospect, insurer, or auditor.
  • You have someone (ops lead, COO, GC, CISO, technical founder) who can customize.
  • You have counsel you can route the customized drafts past.
  • You want a credible structural draft, not blank-page paralysis.
Skip if
  • You want a certified or audited policy as the deliverable.
  • You expect the kit to make you compliant with a specific regulation.
  • You can’t get the customized drafts past counsel.
  • You’re in a heavily regulated industry without specialized counsel involvement.
  • You want a vendor-managed service, not a kit to own and customize.
08.Pairs Well With

Start the policy, then deepen and maintain it.

This is the starter set; go deeper when you’re ready. The AI Usage Policy Kit is the comprehensive single-document policy, the AI Acceptable-Use Policy Builder tailors the rules to your stack, and the AI Governance Maintenance Plan keeps it current as the tools and the law shift.

09.Common Questions

The questions buyers actually ask before customizing and routing past counsel.

No. The AI Governance & Acceptable Use Starter Kit is not legal advice and is not a substitute for counsel. The templates are editable starting points informed by published frameworks like NIST AI RMF 1.0 and ISO/IEC 42001, plus the questions that show up on enterprise vendor security questionnaires and cyber insurance applications. Have your own counsel review the policies for your specific jurisdiction, industry, and risk profile before you deploy them. The kit exists to save you the structural drafting week — not the legal review step.

Instant access · Lifetime updates · 30-day refund

Have the answer.
Before they ask.

The AI Governance & Acceptable Use Starter Kit is $39 once. Six editable documents. The structural draft your team would otherwise spend a week and three Slack threads producing.

Starting templates, not legal advice. Customize for your jurisdiction and industry. Run past counsel before deployment.
Sold by RedHub AI LLC · Secured by Stripe · redhub.ai