Simple team AI rules for everyday work

A practical guide to team AI rules that set clear limits on data, drafting, review and shadow AI without turning into a legal policy document.

Team AI rules work best when they are short enough for people to remember and specific enough to shape everyday behaviour. Most teams do not need a full policy document before they can use AI responsibly. They need a shared operating rule that says what AI can help with, what information must stay out of tools, and what a person must check before anything leaves the team.

That matters because informal use spreads quickly. One person uses a chatbot to tidy meeting notes. Another pastes customer details into a free tool because it saves time. A manager asks for a draft update and assumes someone checked the source material. None of those choices has to be reckless on its own, but without a clear rule they can turn into shadow AI, confused accountability and avoidable privacy risk.

This guide is not a legal policy template. It is a practical starting point for a small team that wants a one-page working rule before habits become messy.

The Short Version

A useful team rule should answer five questions:

  • What tasks can AI help with?
  • What data must never be entered?
  • Which outputs need human checking?
  • Who decides when a new tool is allowed?
  • How will the rule be reviewed as tools and work change?

If a rule cannot answer those questions in plain English, it will probably be ignored. The goal is not to make AI use feel heavy. It is to make the safe route easier than the improvised one.

What Team AI Rules Need To Decide

The first decision is scope. A team AI rule should not try to describe every possible technology, model or vendor. It should describe the behaviours your team expects. That makes the rule easier to apply when tools change.

For example, the rule can say that AI may be used to summarise public information, prepare a first draft, create a checklist or suggest alternative wording. It can also say that AI must not be used to process confidential files, customer records, employee information or commercially sensitive material unless an approved tool and process are in place.

The ICO’s AI and data protection guidance is a useful guardrail here because it keeps attention on personal data, risk and organisational controls. The NCSC’s AI and cyber security guidance is also relevant when teams are thinking about sensitive data, misleading output and prompt injection risks. Those sources should frame caution, not turn this into legal or security advice.

Start With Allowed Work

Rules are easier to follow when they include positive examples. Instead of beginning with a long list of bans, start with ordinary tasks where AI can help without taking over judgement.

A team might allow AI for rough first drafts, agenda outlines, plain-English summaries of public material, spelling and tone checks, and brainstorming questions for a meeting. That keeps AI in the role of assistant. It can speed up preparation, but it is not the author of the final message and it is not the decision maker.

This is where the rule should connect to your wider approach. If the business already has a broader simple AI policy, the team rule should sit underneath it. The policy sets the organisation’s position. The team rule translates that position into everyday habits.

Set The Data Boundary

The data boundary is the most important part of the page. People need to know what not to paste before they are under pressure.

A simple version might say: do not enter customer data, employee details, passwords, financial records, contracts, unpublished strategy, confidential documents or anything you would not be comfortable sharing with an external supplier. If an approved enterprise tool has different controls, name that tool and explain the limit clearly.

This is not only a privacy point. It is also a trust point. Once a team agrees what information stays out, people spend less time guessing. If your team handles files, pair the rule with a practical read on using AI with confidential documents. If the main concern is personal information, link it to your workplace AI privacy guidance.

Decide What Must Be Checked By A Person

Every AI rule needs a review standard. AI can produce fluent text that still misses context, invents details, overstates certainty or sounds more confident than the evidence allows. The rule should say which outputs need checking and what checking means.

For ordinary drafts, checking might mean reading for accuracy, tone and missing context. For numbers, it means checking against the original source. For customer-facing or staff-facing communication, it means a named person owns the final wording. For sensitive topics, it may mean not using AI at all unless a manager has approved the route.

The line should be blunt: AI is a drafter, not the author or decision maker. A person remains responsible for what is sent, saved or acted on.

Write The Rule In Plain English

A one-page rule should sound like something the team would actually say. Avoid abstract phrases such as "acceptable use framework" unless they are already familiar. Use concrete verbs: draft, summarise, paste, check, approve, send.

Plain language also helps with enforcement. If someone breaks the rule, the conversation can focus on a specific behaviour rather than a vague principle. Did they paste customer data into an unapproved tool? Did they send AI-written advice without checking it? Did they use a new tool without asking? Those questions are easier to handle than a broad debate about whether someone used AI responsibly.

A One-Page Team AI Rules Example

Here is a simple structure a manager could adapt:

  • Allowed: AI can help with rough drafts, summaries of public material, meeting preparation, checklists and tone improvements.
  • Not allowed: Do not enter customer data, employee data, confidential files, passwords, contracts, financial records or unpublished plans into unapproved AI tools.
  • Review: A person must check every AI-assisted draft for accuracy, tone, source support and missing context before it is shared.
  • Tools: Use only approved tools for work material. Ask before trying a new AI tool for team tasks.
  • Ownership: The person who sends or uses the output owns the final result.
  • Review cycle: Revisit this rule every quarter or when the team changes tools.

That example is deliberately modest. It does not try to solve procurement, employment policy, data protection compliance or information security on its own. It gives the team a shared baseline while those bigger questions sit with the right owners.

Keep Shadow AI In View

The rule should make it easy for people to ask for help. If the only message is "do not use AI", staff may still use it quietly when deadlines bite. That is how shadow AI at work becomes the default.

A better rule says: if AI would help but the current rule blocks it, raise the use case. That gives managers a way to spot demand, approve safer tools and update guidance. It also treats staff as people trying to get work done, not as a problem to police.

Keep It Alive

Team AI rules should be reviewed as real work changes. After a month, ask what people used AI for, where the rule helped, where it felt unclear and whether any task needs a tighter process. A short review is better than a perfect document that nobody revisits.

The best sign is not that every AI use has stopped. It is that people know the boundary, ask before crossing it, and check outputs before they rely on them. That is how a small rule becomes a useful working habit.

Sources: ICO guidance on AI and data protection; NCSC guidance on AI and cyber security.
