AI and your data: a one-page policy any firm can use.

It's already happening, so write it down

Walk round most built-environment businesses today and you'll find people using AI tools without anyone deciding they should. Someone is rewriting a method statement in ChatGPT. Someone else is asking it to summarise a long email chain, or tidy up a quote, or draft a reply to a difficult client. None of them asked permission, because none of them thought they needed to.

That's not a discipline problem. It's a sign your team has found something useful. The risk isn't that they're using AI. The risk is that nobody has told them where the line is, so each person is guessing, and some of those guesses involve pasting things that should never leave the building.

A short written policy fixes that. Not because people are careless, but because "use your judgement" isn't fair to ask when nobody has explained what good judgement looks like here.

What the one page actually covers

A useful AI-use policy answers four plain questions. Which tools are we allowed to use, and where do we find the approved ones. What information must never be pasted into them. Who do I ask when I'm not sure. And what happens if I get it wrong.

The "never paste this in" list is the part that matters most, and it should name the things your business actually handles. Client pricing and your own margins. Personal data: names, phone numbers, anything tied to a real person. Tender specifics and anything covered by a confidentiality agreement. Contract terms, supplier rates, and commercially sensitive numbers. If in doubt, the rule is simple: if you wouldn't email it to a stranger, don't paste it into a public AI tool.

The other half is just as important: tell people what they can do. Drafting, rewriting, summarising general text, getting unstuck on a first draft. Most of the day-to-day use is completely fine, and saying so out loud stops people either over-worrying or quietly ignoring the policy altogether.

Why it stays to one page

A ten-page policy written in legal language gets filed and never read. Your site manager isn't going to scroll through clauses before deciding whether to paste a paragraph into a tool on their phone. If they can't take it in during a tea break, it won't change what they do.

One page, in plain English, on the wall of the office or pinned in your team chat, is the version that works. It should fit the way your people already work, not read like something a solicitor drafted for a company ten times your size.

Review it every quarter

The tools move fast. A platform that didn't keep your data last year might keep it this year, or the other way round. New tools arrive, paid versions behave differently from free ones, and what counts as the "approved" list changes. A policy written once and forgotten goes stale within months.

A quarter is about right. Fifteen minutes, four times a year, to check the approved tools are still the right ones and the rules still make sense. That's enough to keep the page honest without turning it into a project.

Pair it with a bit of training

Rules on their own get followed until they're inconvenient, then quietly bent. People stick to a policy when they understand why it's there. A short session, half an hour, walking the team through what these tools do with what you type, why client pricing and personal data are different from a generic draft, and how to use the approved tools well, does more than any list of don'ts.

Once people understand the reasoning, they make better calls in the situations the page didn't anticipate. That's the real aim. Not a team that follows four rules, but a team that gets why the rules exist and can be trusted in the grey areas.

Where to start

You don't need a consultant to write the first version. List the tools your team already uses, name the data that should never go near them, decide who answers the "am I allowed to" questions, and put it on one page. A typical light setup, the page plus a short team session, sits in the range of a few hundred pounds of someone's time, not a compliance budget.

The point isn't to slow your team down. It's to let them keep using the tools that are genuinely helping, with enough clarity that nobody accidentally puts your business or your clients at risk. A page and a conversation usually gets you there.