The perfect AI policy your board doesn't have is worth less than the adequate one it adopts on Thursday. Here's how to produce a usable AI acceptable use policy for a UK board in a single afternoon: two pages, three tiers, no consultants.

I've watched organisations spend six months producing forty-page AI governance frameworks that nobody (including, on honest inspection, their authors) has read since. Meanwhile their directors carried on pasting board papers into free chatbots, because the forty pages never answered the only question anyone actually had: what am I allowed to do?

A board-level AI policy has one job: to draw three clear lines. Always fine. Fine with safeguards. Never. If a director can't recall the policy's substance from memory, the policy doesn't function. Two pages is not the compromise: it's the design goal.

Before you write: fifteen minutes of truth

A policy written against imagined usage will miss the real risks. So start by finding out what's actually happening. Send every director and senior executive three questions, anonymously if that's what it takes:

  1. Which AI tools have you used in the last month, for anything work-related?
  2. Have you ever put company or board material into one of them?
  3. What do you use them for that you'd like to keep doing?

The third question matters most. A policy that only prohibits gets ignored; a policy that protects the uses people value gets followed. (If you suspect the answers you'd get back wouldn't be candid, that's a culture finding in itself, and a facilitated session works better than a survey. I've written about what those sessions surface.)

The three tiers

Green: always acceptable

  • Using approved AI tools for drafting, research, and summarising public or non-sensitive material
  • Preparing questions and lines of enquiry ("what should a director ask about X?")
  • Learning: using AI to understand unfamiliar topics, technologies, and regulation

Amber: only with safeguards

  • Internal company material in the approved enterprise tool only, meaning one with a contractual commitment that your data is not used for model training
  • AI-assisted summaries of internal documents, provided the human reads the source before relying on the summary in any decision
  • Meeting transcription, with the consent of everyone present and a defined retention period

Red: never

  • Board packs, minutes, or committee papers in any free or personal-account AI tool
  • Personal data of staff, members, or customers in any AI tool without a documented UK GDPR basis
  • Legal advice (privilege is easier to lose than to assert), M&A material, and anything market-sensitive
  • Credentials, keys, or security configurations, in any tool, ever
  • Presenting unverified AI output to the board as fact

Adjust the specifics to your organisation, but keep the architecture. Three tiers survive contact with reality; ten categories don't.

The afternoon, hour by hour

  1. Hour one: usage and tools. Review the survey answers. Decide on one approved tool (an enterprise subscription with a no-training agreement; most major providers now offer this as standard on business tiers). Every director gets access; the sanctioned route must be easier than the shadow one.
  2. Hour two: write the lists. Draft the Green, Amber, and Red lists against your actual usage. Be concrete: "board packs" and "member data", not "sensitive information assets".
  3. Hour three: accountability. Name an owner (company secretary or one nominated director). Set a review cadence: six-monthly, because this technology doesn't sit still. Define the incident route: who a director tells, within what timeframe, if material goes somewhere it shouldn't. Make it blame-light; you want disclosure, not concealment.
  4. Hour four: the wrapper. Add the four framing paragraphs: purpose (one paragraph, citing the board's duty of care under section 174 of the Companies Act); scope (directors, officers, and anyone handling board material); the principle that the human remains accountable for anything AI helped produce; and adoption details. Done.

What the policy should deliberately leave out

Resist the urge to legislate for the company's entire AI strategy. This document governs conduct around board material. Product decisions, customer-facing AI, procurement standards, and supplier AI risk (75% of UK firms worry about it; only 28% audit for it, per QBE's 2026 research) all matter, but they belong in management policies and the risk register, not in the two pages a director is meant to remember. A policy that tries to do everything does nothing.

Adopt it properly

Table it at the next meeting. Discuss it; fifteen minutes is enough if the pre-work was honest. Adopt it formally and minute the adoption: the minute is the evidence that the board recognised the risk and acted, which is precisely what a regulator, insurer, or claimant's lawyer will one day ask about. Then add the corresponding risk register entry, with the policy owner's name on it and the review date attached.

And six months later, actually review it. The tools will have changed; the EU AI Act's obligations will have crept further into scope for anyone trading in Europe; your directors' habits will have evolved. Twenty minutes, twice a year. That's the maintenance cost of being able to say, truthfully, that your board governs its own use of AI.

Two pages. Three tiers. One afternoon. The bar really is that low, which is exactly why there's no excuse for not clearing it.