Good morning, or whenever this finds you. This is AI Law, on Terms.Law Radio, one oh one point three. Tonight's subject: the internal AI policy your business actually needs, and why it should fit on one page. Not eleven pages. One. Because the difference between one and eleven is not thoroughness. It is whether anyone remembers the policy at the exact moment they are about to paste something they should not into a tool nobody approved. Segment one: why one page wins. Think about when an AI policy has to work. It is not during the annual training. It is at four forty five on a Thursday, when someone on your team has a deadline, a client file open in one window, and a chat window open in the other. The policy either fires in that person's head in that moment, or it does not exist. An eleven page policy, full of definitions and committee language, does not fire. Nobody carries page nine around in their head. A one page policy with five clear rules can actually be remembered, which is the only thing that matters. There is a legal angle here too, and it cuts the way people do not expect. A long, ignored policy can be worse than no policy at all, because it is a document proving your company understood the risk, wrote it down, and then failed to manage it. If something goes wrong and the other side's lawyer holds up your own policy next to your team's actual behavior, the gap between them becomes the story. Write only rules you will actually enforce. The one page constraint forces exactly that discipline. Segment two: the five sections, and I will keep each one tight. Section one: approved tools. Name them. The actual tools, and just as important, the actual account tiers, because the business tier and the personal tier of the same product carry different data promises. The rule reads simply: work happens in these named tools, on company accounts, and nowhere else. Then name one human being who owns the list and can approve additions. Not a committee. A person with a name, so the request takes a day and people actually make it instead of routing around it. Section two: prohibited inputs. This is the heart of the page, the paste rule. Five categories, no exceptions without sign off. Client confidences and anything covered by an engagement or a contract. Personal information about real people, and anything health related gets treated as radioactive. Credentials: passwords, API keys, access tokens, none of it, ever. Unreleased financials and deal information. And anything under someone else's confidentiality agreement, because your NDA obligations do not pause while you draft faster. Give the team the rule of thumb version too: if you would not email it to a stranger, do not paste it into an unapproved tool. This is AI Law, on Terms.Law Radio. Section three: human review gates. Nothing AI drafted goes to a client, a court, a regulator, or the public without a named human who reviewed it and is willing to own it. Not skimmed. Reviewed, with names and numbers checked against sources. And the policy should say the quiet part in writing: the reviewer owns the errors. The machine did it has never once worked as a defense, professionally or legally, and your policy should make sure nobody on your team is the next person to test that. Section four: attribution and disclosure. When does your business say AI was involved? Externally, the honest baseline is: whenever a contract, a client, a court, or a platform requires it, and increasingly they do. Check your client agreements for clauses about subcontracting or automated processing. Check marketplace and publisher rules if you sell content. Internally, tag AI drafted material as it moves through your pipeline, so the reviewer in section three knows what they are holding and applies the right level of suspicion. Section five: incident reporting. Someone will eventually paste the wrong thing. The policy decides what happens in the next hour. The rule: report it the same day, to a named person, with three facts. What went in, which tool, which account. And the culture piece belongs in the policy text itself: reporting is a good act, not a confession, because a fast report lets you actually respond. Rotate the exposed credential. Use the vendor's deletion controls while the data is still inside the retention window. Notify a client if an agreement requires it, on your timeline instead of on discovery's. Punish the silence, never the report. Segment three: making the page stick, three moves. First, signatures. Everyone signs at onboarding, everyone re-signs when the page changes. Not because the signature is magic, but because signing is the moment the rules get read. Second, review the page quarterly. The tools change monthly, your approved list will rot in a year, and a policy that names dead tools teaches the team it is decorative. Third, understand that this one page is quietly an external document too. Customers now ask about AI use in security questionnaires. Insurers ask at renewal. Acquirers ask in diligence. When something goes wrong anywhere near AI, one of the first documents anyone asks for is the policy. The version you want to hand over is one page, current, signed, and boringly consistent with how your team actually works. That document says: this company took care. Eleven aspirational pages nobody followed say the opposite. Write the page this week. It is one meeting. Approved tools, prohibited inputs, review gates, disclosure, incident reporting. Five decisions a competent owner can make in an afternoon, and the whole company gets safer the day it ships. Before your team adopts the tool, upload the agreement to the free Terms.Law analyst and check the data, ownership, liability, and exit provisions. It is at terms dot law. That is AI Law for tonight. The fine print: this is general commentary and education, not legal advice about your company, and listening does not create an attorney client relationship. AI law moves fast, so verify the current rules before you rely on them. The analysis belongs to Sergei Tokmakov, California attorney. One page, five rules, signed. Good night.