AI at work
A practical AI policy for small businesses: AI Act literacy and safe everyday use
In many small businesses, AI arrives from the bottom up: an employee pastes a contract into an assistant, sales generates a proposal, and support summarizes a ticket. Having no policy does not stop use; it only removes control.
A useful SME AI policy can fit on two pages. It should name approved tools, prohibited data, outputs that require review, and the person accountable for every use case.
Quotable definition
A small-business AI policy is a short operating guide defining approved tools, prohibited data, required output review, and accountability for every use of artificial intelligence.
Why the issue is urgent
In 2025, 20% of EU enterprises with at least ten employees used AI technologies, compared with 8.4% in Poland. Informal use of public assistants may still be invisible in official statistics and company systems.
Article 4 of the EU AI Act, which requires an appropriate level of AI literacy, has applied since 2 February 2025, with supervision and enforcement beginning in August 2026. This does not mean every business needs a large compliance programme. It does mean training and safeguards should reflect how the company actually uses AI.
Inventory real use first
Start by finding where AI is already used. A short survey or workshop should capture the tool, data type, purpose, users, and whether the output goes directly to a customer or influences a decision about a person.
The inventory is not there to punish employees. It separates a harmless brainstorming draft from a model processing employee, financial, health, or confidential customer data.
- tool name and business owner
- purpose and users
- types of data submitted
- where the output is used and the required review level
- retention settings, processing region, and supplier agreement
Four rules people can remember
A policy nobody understands will not change behaviour. Four rules cover many office use cases: use approved tools, do not enter prohibited data, review output before use, and do not delegate a decision for which a person remains accountable.
Make the prohibited-data list concrete. Name customer records, passwords and keys, unpublished financial data, employee files, and information covered by confidentiality agreements instead of saying only “do not paste sensitive data”.
Review should follow risk
An internal agenda draft has a different risk from legal guidance, a hiring decision, or an automatically sent quote. Assign each use case a simple level: low, elevated, or not allowed without further assessment.
The greater the impact on customers, employees, money, or people’s rights, the stronger the human review, source documentation, and audit trail should be. For some processes, deterministic rules will be better than AI.
- low risk: ideas, drafts, and summaries without confidential data
- elevated risk: customer communication, document analysis, and recommendations
- high risk: employment, evaluation of people, access to services, or material financial decisions
AI literacy is a practice, not a one-off quiz
Training should match the employee’s role and tools. Content staff need to understand errors and copyright, administration needs confidentiality rules, and process owners need accountability, monitoring, and incident procedures.
Keep the policy version, participant list, and examples discussed in training. This helps show proportionate action and, more importantly, gives the team a clear way to work.
A minimum 30-day plan
In week one, collect use cases. In week two, select approved tools and settings. In week three, write the two-page policy and escalation path. In week four, run short training using real examples from the company.
Update the policy after adding a tool, changing a workflow, or handling an incident. It is an operating guide, not a legal document left in a folder.
FAQ
Frequently asked questions
Does the EU AI Act apply to small businesses?
Some obligations can apply to SMEs that use AI systems. The scope depends on the company’s role and use case, so controls should be proportionate to the risk.
What does AI literacy require?
People using AI should have knowledge and skills appropriate to the tool, context, risk, and people who may be affected by its output.
How long should an SME AI policy be?
Two pages of clear rules can often work, supported by an approved-tool list, examples of prohibited data, and a path for reporting doubts or incidents.
Next step
Want to find the first workflow worth automating?
Bring one manual workflow or IT bottleneck. In 20 minutes, we will identify 3-5 improvements, estimate time saved, and tell you whether the right answer is automation, integration, an internal tool, or ordinary IT work.
Book a free workflow audit