AI use inside an SMB is often invisible from the top down. There is usually no approval step. The owner may only see the result: a cleaner draft, a faster summary, a payment request, a transcript, a script, a client answer, or an action already taken.
By the end of this guide, your business should be able to see AI use clearly, decide what to permit, and respond when something goes wrong.
Some of that AI use is already valuable. Staff are saving time, improving first drafts, cleaning up repetitive work, and finding better ways to handle information. The problem starts when the business gets AI adoption without ownership: no approved tool list, no data rules, no review of vendor terms, no permission cleanup, no incident path, and no clear answer when a client asks how AI is being used.
Who this is for
This guide is for businesses that:
- Have staff using AI, even informally.
- Use Microsoft 365, Google Workspace, CRM, accounting, payroll, HR, project, document, or support tools.
- Handle client, employee, financial, legal, regulated, credential, or confidential business data.
- Need to answer client, insurer, buyer, vendor, or regulator questions about AI.
- Want AI productivity without losing control of data, access, approvals, and records.
The guide assumes no security expertise. It explains technical terms when they affect a business decision, then brings the reader back to the operational question: what does the business need to own, approve, verify, or stop?
Regulatory framing defaults to Alberta PIPA and the Alberta OIPC. The underlying mechanisms apply broadly; readers outside Alberta should map each control against their local privacy laws.
Where to start
| If your business... | Start with |
|---|---|
| Has staff using ChatGPT, Claude, Gemini, browser AI, phone AI, or other AI tools | 01. Shadow AI and 02. Sensitive data |
| Uses Microsoft 365, SharePoint, Teams, Google Workspace, CRM, or document search with AI | 03. Connected AI |
| Lets AI summarize emails, documents, web pages, meeting notes, applicant material, or vendor proposals | 04. Prompt injection |
| Uses meeting bots, AI notetakers, platform transcription, or recorded meeting summaries | 05. Meeting AI |
| Handles payments, payroll, vendor banking, account recovery, or executive approvals | 06. Phishing and payment fraud and 07. Voice and video impersonation |
| Relies on SaaS tools that have recently added AI features | 08. Vendor AI features |
| Is testing AI agents or automations that can send, share, delete, book, approve, buy, submit, or change records | 09. Agentic AI |
| Has staff asking AI for scripts, commands, macros, automations, installs, extensions, or coding help | 10. AI scripts and automation and 11. Developer workstations |
| Sends AI-assisted work to clients, customers, regulators, partners, or the public | 12. Wrong AI output |
| Has sales, finance, HR, payroll, executive support, departing staff, or staff with broad confidential access | 13. Insider misuse |
| Has already had an AI-related mistake, exposure, fraud, suspicious output, unexpected action, or recording issue | Incident response |
| Wants a controlled path for AI adoption over the next year | Adoption path |
How to use this guide
Read the articles that match your business first. Keep a list of the policy rules at the end of each article. Those become the first draft of your AI usage policy.
Then use the incident-response playbook in Incident response to decide what staff should do when an AI issue appears. Use the adoption guide in Adoption path to turn the controls into a staged plan: what to do first, which AI uses are ready for most SMBs, which require investment, and which should wait until the business or vendor can support them.
AI use should be visible, owned, bounded, reviewed where consequence is high, and reported quickly when it goes wrong. A business that can do those things is in a much better position than one that learns about its AI use only after something goes wrong.
Why AI is different
SMBs have been through major technology changes before. Email, cloud software, smartphones, remote work, online payments, and SaaS tools all created risk, and businesses adapted.
AI is different in a practical way.
Unlike prior business tech, AI arrives through staff behavior, personal accounts, browser tools, mobile apps, meeting bots, vendor features, connected assistants, and automations.
AI also sits across several old control points at once:
- It can receive sensitive data.
- It can search or summarize information staff already have access to.
- It can create records, messages, summaries, code, and decision support that looks polished even when it is wrong.
- It can process outside content that contains hidden instructions meant to manipulate the tool.
- It can make fake voice, fake video, and polished messages cheap enough that familiar-looking requests are weaker proof than before.
- It can be connected to tools that send, share, delete, approve, buy, submit, or change records.
- It can leave the evidence of what happened inside vendor systems, saved chats, meeting transcripts, browser tools, or logs the business does not normally review.
AI changes who can introduce a tool, what the tool can touch, how convincing bad output looks, how quickly actions happen, and where the evidence lives afterward. "We survived the last technology wave" does not cover this one on its own.
What's in the guide
The guide has thirteen risk articles, one incident-response playbook, and one adoption guide.
By the time you finish, your business should be able to answer the questions a deliberate AI operating model depends on:
- Which AI tools are approved, who owns them, and how staff request a new one.
- What data may enter each tool, and what data is never allowed in any tool.
- Which outputs require review before they leave the business.
- Which actions require human approval before AI completes them.
- How payment, banking, payroll, credentials, and account recovery requests are verified.
- How meeting AI and recording is handled.
- What staff do in the first hour when something goes wrong.
The thirteen policy rules build into a written AI usage policy. The closing pieces then show how to respond when something goes wrong and how to adopt AI deliberately.
Common questions about AI usage policies
These are the questions that come up most often when a small business considers writing an AI usage policy.
Do we actually need an AI policy if we haven't formally rolled out AI yet?
Most businesses need an AI policy before they think they do, because staff use of AI starts before any formal rollout. The first three or four months of informal AI use, with personal accounts and unapproved tools, are usually where the most exposure builds up: client data going into chat tools, prompts and templates living in personal accounts, and vendor questionnaires the business cannot answer accurately. An AI policy is most useful when it is written while the situation is still small enough to fix, not after a problem surfaces.
Isn't a 13-rule AI policy overkill for a small business?
A 13-rule AI policy is shorter than it sounds. Most of the rules are decisions the business already makes implicitly: which tools staff may use, what data goes into them, what gets reviewed before it leaves the business, and how to handle a request that turns out to be a fraud attempt. The policy does not add new decisions; it writes down the ones the business is already making by default. Done well, a small-business AI policy fits on a few pages and reads as plain operating guidance staff can actually use.
What if we just leave it to staff to be sensible?
Leaving AI use to staff judgment usually produces a different AI policy for every staff member. Most staff are trying to do good work, but without a shared rule, each one decides for themselves which tool is fine, what data is fine to share, and which output is fine to send. The business inherits a set of individual habits, not a policy. When something goes wrong, the answer to 'what does the business allow?' becomes 'depends on who you ask,' which is the answer a client, insurer, or regulator finds hardest to accept.
Will an AI policy slow down how staff use AI?
A well-built AI policy usually speeds AI use up, not down. The productivity loss in most small businesses comes from staff hedging by using AI quietly because they are not sure if they should, hiding what they used, redoing work the AI already did, and asking the owner ad-hoc questions about whether a specific use is okay. An approved tool list, clear data rules, and a fast way to request something new remove the hesitation. The slowdown only happens when a policy is written as a list of prohibitions without giving staff an approved path, which is the wrong way to write one.
Can we just use an AI policy template instead of going through all this?
A template can save time on wording but cannot make the underlying decisions for the business. The decisions an AI policy depends on are specific to how the business operates: which tools are approved, what data may enter them, which outputs require review, which actions require human approval, how high-risk requests are verified, and what staff do in the first hour when something goes wrong. A generic template will either omit those decisions or guess at them. Using a template as a starting structure and then filling in the business's actual decisions is reasonable.
How is an AI policy different from our existing IT or security policy?
An AI policy covers control points that older IT and security policies usually do not. Existing policies focus on devices, networks, passwords, and access to systems. An AI policy adds rules for who may use which AI tool, what data may enter it, which AI-generated output requires review, which actions an AI is allowed to take, how high-risk requests are verified, and how vendor AI features inside approved software are evaluated. What matters is whether those decisions are actually made and written down. The format can sit alongside the existing IT or security policy as a separate document, or be added as a section.
Who should own the AI policy in a small business?
The owner or a senior manager should own the AI policy in most small businesses. Day-to-day administration can be shared with IT, the office manager, or an outside MSP, but the decisions inside the policy are business decisions: which tools to approve, what data to allow, what gets reviewed, what gets escalated. Those decisions belong with someone who can speak for the business when a client, insurer, or regulator asks. Splitting ownership across multiple roles usually leaves no one accountable for the policy as a whole, even when each piece has a stated owner.
How long does it take to put an AI policy in place?
Most SMBs with limited prior AI use and one decision-maker can get a first usable version in four to six weeks of part-time effort. Businesses with heavy existing AI use, multiple stakeholders, or regulated data take several months. The longest part is usually making the decisions: which AI tools to approve, what data goes into them, which outputs to review, and how to handle high-risk requests. The policy still needs to be revisited as approved tools change, vendor features shift, and new use cases come into play.
If we write an AI policy, will staff actually follow it?
Staff follow AI policies that give them an approved option for the work they were already going to do, and route around AI policies that do not. The most common failure pattern is a policy that says 'no unapproved AI tools' without naming any approved AI tools, or with an approval process that takes weeks for a simple writing use case. Staff respond by hiding their AI use rather than stopping it. A policy with a short list of approved tools, company-managed accounts, and a fast intake path for new tools is the one that actually changes behavior, because the legitimate path is now easier than the workaround.
Build your AI usage policy
The SMB AI Policy Builder walks you through the thirteen decisions from this series and produces an AI usage policy, working documents, and a 90-day implementation plan.