TL;DR:

Nearly half of US small businesses are now using AI in some form, with another 15% planning to in the next year. Most don't have a written policy. That doesn't mean they don't have one — it means their bookkeeper, their marketing person, and the founder writing proposals at 11 PM are each making it up as they go. And on September 28, Anthropic quietly flipped Claude's consumer plans to use your conversations for training by default — most owners paying for Pro on a personal account never noticed.

The watchout: The AI policies floating around LinkedIn right now were built for companies with compliance teams. Small businesses don't need them. They need something simpler, and something fit for purpose.

STAT WORTH SHARING

Nearly half of US small businesses are using AI right now — and another 15% are planning to within a year.

— Federal Reserve, 2025 Small Business Credit Survey

If someone on your leadership team needs to see this, forward it their way.

The Door You Forgot to Lock

You lock the front door at night. You shred old invoices. You don't leave the cash drawer open for anyone who walks in.

And then you, your bookkeeper, and your marketing person spend the rest of the day pasting client lists, financial summaries, and confidential proposals into AI tools nobody on the team has ever read the terms of service for.

That Fed survey at the top of the page isn't measuring "exploring." It's measuring daily use. AI is already inside half the small businesses in the country — pasting client lists, drafting proposals, summarizing contracts, replying to emails. The other half are about to be.

We've moved beyond the question of whether AI is in your business. It's already there, brought in either by you or by someone servicing your business with your data. The point is that you haven't set any standards or rules, which leaves everyone to make up their own, or none at all. That's how small businesses end up with big problems. Not just with AI, but in general.

You don't need a compliance team to fix this. You need three decisions and a quarterly review. One page. The whole thing should fit on a napkin.

The Three Decisions

Here are the three decisions you and your leadership need to align on.

One. What goes in — and what absolutely doesn't.

Customer information. Financials. Anything under contract. Anything you wouldn't want screenshotted and posted on LinkedIn. That stuff doesn't get pasted into random AI tools, full stop. Pick the two or three tools you actually trust, draw a line around the sensitive stuff, and write it down. Half a page. Not twenty.

Two. Humans sign off on anything that leaves the building.

AI drafts. Humans approve. Proposals, contracts, customer emails, social posts, invoices, anything with your name on it — a real person reads it before it goes out. AI is a fast assistant. It is not the face of your business. The number of small businesses that have already sent customers AI-hallucinated pricing, fictional case studies, or wrong invoice totals is not small, and it's growing.

Three. The policy is a living document, not a laminated poster.

The tools change every couple of months. The terms change without notice. Your team picks up new tools without telling you. So set a recurring 30-minute review every quarter. Ask what people are actually using. Update the list. Throw out the rules that don't match how the business actually works.

That's the structural part. Three decisions, written down, agreed on, revisited four times a year. If you stopped here, you'd already be ahead of most small businesses ten times your size.

And the next natural question I get every time I post about this is: "OK, but how do I actually use AI with my business data without making it useless? I need my information analyzed."

That's the right question. It's also a whole conversation on its own — paid tiers vs. free tools, what to strip before you share, where the data actually lives, what the terms of service really say. We're going to walk through all of it in the next newsletter. Keep an eye on your inbox.

The Rules Don't Ask Permission to Change

Here's why the quarterly review is best practice.

In late August 2025, Anthropic updated Claude's consumer terms so that Free, Pro, and Max users would have their conversations used for training by default, with retention extended from 30 days to five years. The opt-out toggle was on by default, tucked under an "Accept" button most people clicked without reading. Claude for Work — the commercial tier — was unaffected.

If you'd built your "AI policy" around Claude in early 2025 and assumed your data was safe, that assumption silently broke on September 28. Most owners I've spoken to didn't know it happened. Many were paying the Pro subscription on a personal account they used for work — exactly the kind of shadow-AI setup the consumer terms now apply to.

This is going to keep happening. Not just with Claude. Every major provider is under pressure to expand training data, and the path of least resistance is changing the consumer terms and hoping nobody reads them. A policy you wrote in January isn't going to protect you in October if nobody's looked at it since.

Wispr Flow

This issue is supported by Wispr Flow. My personal productivity has skyrocketed after using it. This is not your normal dictation that you always have to correct and never truly learns your speech patterns. Wispr Flow learns fast and adapts to your individual style.

Talk to your AI tools the way you'd talk to a colleague.

You don't send a colleague a three-word brief. You explain the context, the constraints, what you've already tried. But typing all that into ChatGPT takes forever — so you don't.

Wispr Flow lets you speak your prompts instead. Talk through your thinking naturally and get clean, paste-ready text. No filler words. No cleanup. Just detailed prompts that actually get you useful answers on the first try.

Millions of users worldwide. Works system-wide on Mac, Windows, and iPhone.

Why a One-Page Policy Beats a Twenty-Page One

Most of the AI policy templates floating around right now were built for Fortune 500 companies. They have legal teams, compliance officers, and IT departments that can enforce them. You don't. And it doesn't matter, because they don't actually need to enforce most of it themselves either — the document is mainly there to satisfy auditors.

Small businesses don't have auditors. You have a team that needs to know what to do on a Tuesday morning when they're trying to write a client email and ChatGPT is faster than thinking from scratch.

A twenty-page policy nobody reads is worse than no policy at all, because it gives you false confidence. You think you've handled it. You haven't. You've just made the problem invisible.

A one-page (okay, it can be 2 pages) policy with three clear decisions, reviewed every quarter, beats it on every metric that matters. It gets read. It gets followed. It updates when the world updates. And — this is the part that actually matters — it builds the muscle of thinking about AI as something that needs governance instead of treating it as a tool you bought once.

The companies getting this right aren't the ones with the most sophisticated frameworks. They're the ones with the simplest frameworks they actually use.

Are you running an AI policy in your small business right now — even an informal one? Hit reply and tell me what's on it. Even "we don't have one yet" is useful — I'm collecting examples for a follow-up piece, and I read every response.

Final Thoughts

You're not going to write the perfect policy on the first try. Nobody does. The point is to start one, get your team to read it, and make it a habit to revisit it.

Know someone making AI decisions at a traditional company who should be reading this? Forward it their way.

We are out of tokens for this week's context window!

- Hashi
