Most firms do not have an AI policy. The ones that do, have a six-page document that no one has read.
There is a third option. A one-page policy your senior partners can defend in a meeting, your compliance team can sign off on, and your most junior associate can actually follow on a Tuesday afternoon.
We use a six-rule template. It is below. Print it. Tape it to the wall.
The whole policy, in six rules.
1. Never paste confidential, client, or material non-public information into a consumer model.
2. Use placeholders for names, numbers, and specifics: [Client A], [8-figure revenue], [Matter X].
3. AI is allowed to draft. A human is required to sign.
4. Final, client-facing work passes through a 15-minute senior review before it leaves the firm.
5. The firm maintains a Never Upload List, kept current by the partner responsible for risk.
6. Questions go to the partner-in-charge of AI, not to a Slack channel.
That is the whole policy. Anything else is commentary.
Why one page.
Long policies fail in the same way long contracts fail. They give the appearance of coverage without producing behavior. The signature on the bottom does not actually change what people do on Tuesday.
A one-page policy works because it is read. The associate who joined three months ago, the partner who skipped the rollout meeting, the contractor on month-to-month: they can all read it in ninety seconds and remember the shape of it.
When a real question comes up, "can I paste this into Claude?", they can answer it themselves. That is the bar.
What each rule is doing
Rule 1 is the line. It is the only rule that, if broken, causes a fireable conversation. Everything downstream of it is recoverable.
Rule 2 is the technique that makes Rule 1 livable. Without placeholders, people get frustrated and start either uploading raw material anyway or refusing to use the tool at all. Placeholders give them a way to do real work safely.
Rule 3 separates drafting from signing. Drafting is cheap. Signing is the whole job. The policy says, in writing, that the firm understands the difference.
Rule 4 is the senior review protocol. Fifteen minutes per piece of work, before it leaves the firm. The protocol is in a separate one-pager. The policy just enforces that it happens.
Rule 5 moves the responsibility for keeping the Never Upload List current to a single, named partner. Not a committee. Not "IT." A name on the door.
Rule 6 is the escalation rule. When someone has a real question, they go to a person, not a forum.
The fillable one-page policy.
Members get the policy as a fillable PDF / Word file, with editable footer (firm name, partner-in-charge), the matching Never Upload List, and a one-page senior review protocol. Customise it on a Friday. Hand it out on a Monday.
The part that takes longer than the policy
The policy itself takes a Friday afternoon to write. The discipline takes a quarter. The senior partners have to be visible inside the policy, asking real questions about real work, in front of associates. If the partners do not behave like the policy is real, neither will anyone else.
That part is not in the document. That part is in the meeting after the document.
Filed under Enterprise · The Leverage Years · Vol. I, Issue 11.