How to Communicate Your AI Policy to Your Team
AI Act, Compliance, SMB
Your sales team has been using an AI tool for client calls for months. Names, deal sizes, sometimes contract amounts. Nobody flagged it. You found out because someone mentioned it in passing during a meeting.
Sound familiar? Shadow AI isn't a rogue behaviour. It's what happens when people try to be productive and nobody has told them where the lines are.
Now you have something on your to-do list: this needs to change. But how do you tell your team a tool isn't allowed anymore without five frustrated replies in your inbox by morning? Or worse: people who just keep using it quietly?
This isn't solved by sending an email. It's about clarity, trust, and giving people something workable. Here's how to do it without losing their buy-in.
Why you can't skip this
You need an AI policy. Not as a bureaucratic document, but as an answer to a real problem.
Employees use AI tools. That's mostly good. But those tools sometimes process client data, contact information, or internal content. Without knowing which tools are running, you can't meet your GDPR obligations or comply with the EU AI Act. And if something goes wrong, the responsibility sits with the organization, not the employee who downloaded the app.
You probably already know the legal part. The hard part is talking about it.
Step 1: Understand before you ban
Before you communicate anything, you need to know what's already in use. Start with an inventory.
Ask your team an open question: "Which AI tools do you use to get work done?" Not as surveillance, but as the first step toward a shared picture. Keep it easy. A Slack poll, a shared spreadsheet, or fifteen minutes in a team meeting works fine.
What you hear will almost always surprise you. ChatGPT for emails, an AI transcription tool for client calls, an AI image tool for marketing. Some of those are fine. Others are processing more data than you'd want.
You can only communicate a useful policy once you know what you're actually dealing with. Go out too early and you'll write rules that don't match what's happening.
No AI inventory yet? Start with our step-by-step guide to building one.
Step 2: Decide what is and isn't allowed
Based on your inventory, make one of three decisions per tool: keep it as is, keep it with conditions, or remove it.
If the tool doesn't process sensitive data and doesn't carry meaningful risk, it stays as is. If it's useful but needs clearer guardrails, it stays with conditions: only for internal content, no client data, review again in six months. If it uses prohibited AI techniques, processes sensitive data without proper agreements, or doesn't fit what you expect from vendors, it goes.
Write those decisions down. Not just for a future audit, but so you don't have to re-explain your reasoning every time someone asks.
Not sure how to assess a tool? Our tool approval guide walks through the evaluation process.
Step 3: Explain why, not just what
This is where most companies get it wrong. They send a message with the conclusion: "Tool X is no longer allowed." No explanation, no alternative, no context. People read that as arbitrary.
Give them the actual reason.
Not this:
"Due to compliance requirements, ChatGPT may no longer be used for client communication."
But this:
"We looked at how ChatGPT handles the data you put in. When you enter client names or deal details, that information may be used to train OpenAI's models. That's a problem under GDPR. So we're asking you not to use it for anything client-specific. For general writing it's fine. And we're currently looking at an alternative that meets our privacy requirements."
The difference isn't the word count. It's that you're treating people as capable of understanding the reason, not just following a rule.
Step 4: Offer a real alternative
If you ban a tool without replacing it, you don't solve the problem. You push it underground.
If people are using ChatGPT for client emails, fill that need another way. Maybe that's a paid version with stronger privacy guarantees. Maybe an internal writing template. Maybe a comparable tool that actually meets GDPR requirements.
If you don't have an alternative yet, say that honestly. "We know this tool was useful. We're looking for a replacement and we'll let you know when we find one." That's better than silence.
Your team will notice if compliance is treated as more important than the people doing the work. A ban with no way forward sends exactly that message.
Step 5: Pick the right channel and moment
A policy change doesn't go out on a Friday afternoon in a general channel. And you don't send a ten-point email when you need twenty seconds of context in a meeting.
For small teams under fifteen people, talk through it in a team meeting, leave room for questions, then send a short summary of what was decided. For larger teams or multiple departments, brief team leads first so they can field questions from their own people, then send a short email to the wider team with a link for anyone who wants more detail. For individual cases where one specific person is using a specific tool that's a real problem, handle it directly and privately, not in a group message.
On timing: don't do this during a busy period. A calm moment with clear communication works better than a reactive announcement after a near-miss.
Step 6: Make it easy to flag new tools
Your policy only works if people know how to submit a new AI tool for review. Make sure that process exists and that people know about it.
It doesn't need to be complicated. A form, a dedicated email address, or a standing item in your monthly IT meeting is enough. The point is a clear path for someone who wants to try something new.
And when someone does submit a tool: respond quickly. If people hear nothing for two weeks, they'll just start using it.
Using ComplianceHive? You can track your AI tool approvals in the AI system register, with the risk class and status for each system in one place. Everyone can see where a tool is in the review process without having to ask.
Step 7: Repeat, but not too often
You don't communicate a policy once and never mention it again. But weekly reminders will just become noise.
Build it into natural moments. During onboarding for new hires. When you update your software stack. When a new AI tool goes viral, because people will ask about it anyway. And after six months, a short check-in: "We updated our AI policy six months ago. Here's what's changed since then."
That follow-up can be two sentences. The point is that the policy doesn't disappear into a folder nobody opens.
What regularly goes wrong
The most common problem is vague rules. "Use AI responsibly" isn't a policy. Nobody knows what that means in practice. Close behind that is rules without explanation: people who don't understand why something isn't allowed will probe the edges. Then there's one-way communication: if there's no way to ask questions or raise concerns, people carry on and say nothing. And last, leaders who don't follow their own rules. If you're using ChatGPT for client emails while the rest of the team isn't allowed to, your credibility is gone.
Tracking what happens after the conversation
Writing a policy is step one. Keeping track of what happens next is the actual ongoing work.
In ComplianceHive, you register each AI system with its risk class, AI type, approval status, and whether it makes automated decisions about people. When an employee flags a new tool, you add it directly and track the review from there. You end up with a live picture of what's running in your organization, not just a document that says what should be.
Want to understand how the EU AI Act and GDPR overlap when it comes to employee software? Read our guide on GDPR and business software for employees.
Ready to get a handle on AI use in your organization? See what ComplianceHive can do or start a free trial.
This article is general information and does not constitute legal advice. Please consult a qualified legal professional for legal interpretation.