If your team has started using AI tools without a clear set of rules, you are not alone, and you are exposed. Staff paste customer data into chatbots, draft contracts with tools nobody has vetted, and make decisions based on outputs nobody has checked. An AI governance framework is the practical answer. It is a written agreement on what AI your business will use, what it must never do, who signs off on new uses, and how you keep a human accountable for the result. This guide gives you a framework you can adapt, plus an outline AI usage policy template you can copy and fill in.
Governance sounds heavy, but for a mid-sized UK business it does not need to be. The aim is not to slow people down. It is to let them use AI confidently, knowing where the boundaries sit. Done well, a framework is a one-time investment that removes the daily "is this allowed?" friction and protects you when a regulator, client or auditor asks how you control AI.
Why a mid-sized business needs an AI governance framework
Large enterprises have legal teams, risk committees and compliance officers to manage AI. Sole traders carry little exposure. Businesses in the middle, roughly 30 to 250 staff, are caught awkwardly between the two. You have enough people using AI for shadow usage to be a real risk, but rarely a dedicated function to govern it. That gap is exactly where data leaks, contract breaches and reputational mistakes happen.
The "so what" for leadership is straightforward. A governance framework reduces three concrete risks: confidential or personal data leaving your control, decisions being made on unverified AI output, and inconsistent practice that you cannot defend if challenged. If you want the wider context on how AI tools fit a business of your size, our pillar guide on Claude AI agents for business sets the scene. This post is the control layer that sits underneath it.
The five pillars of a practical framework
A governance framework for a mid-sized business does not need dozens of sections. Five pillars cover the ground that actually matters. Each one answers a question your staff are already asking, whether out loud or not.
1. Acceptable use
This pillar defines what AI may and may not be used for. Be specific. List the tasks you actively encourage, such as drafting internal documents, summarising research, or generating first-draft code. Then list the tasks that are off limits without sign-off, such as final legal or financial advice, decisions affecting employment, or anything that could be presented to a customer as fact without a human check. Clarity here prevents the two failure modes: staff avoiding AI entirely out of fear, or using it for things it should never touch.
2. Data rules
This is the pillar that protects you under UK GDPR. State plainly what categories of data may be entered into AI tools and what must never be. Personal data, customer records, commercially sensitive information and anything covered by a confidentiality clause should have clear handling rules. For most businesses the safest default is: no personal or confidential data into any consumer tool, and only into approved business tools that offer the right contractual protections. For a deeper look at this, see Is Claude safe for business?, which covers security, GDPR and data controls in detail.
3. Approval
This pillar answers "who decides?". You need a named owner for AI decisions, often a director or operations lead, and a lightweight route for staff to request a new tool or use case. The point is not bureaucracy. It is one person or small group who can say yes or no, keep a simple register of approved tools, and stop the proliferation of unvetted apps. A request that takes ten minutes to submit and a few days to clear is enough.
4. Human oversight
This pillar keeps a person accountable. The rule is simple: AI assists, a human decides. Define which outputs require a human review before they are used, especially anything customer-facing, contractual, financial or legal. Make clear that the named employee remains responsible for the work, not the tool. This is also where you address bias and accuracy, because the human check is your defence against an AI getting something confidently wrong.
5. Review
This pillar keeps the framework alive. AI tools change quickly, and a policy written and forgotten becomes useless. Set a review cadence, quarterly to begin with, where the owner checks the approved-tool register, reviews any incidents, and updates the rules. Record the date of each review so you can demonstrate the framework is maintained, which matters if you are ever audited or asked by a client.
An outline AI usage policy template
Below is the skeleton of an AI usage policy you can copy into a document and adapt. Keep it short. A two-page policy that people read beats a twenty-page one that nobody opens. Treat this as a starting structure rather than legal advice; have your usual adviser check it before you publish it internally.
| Section | What to put in it |
|---|---|
| Purpose and scope | One paragraph on why the policy exists and who it applies to (all staff, contractors, anyone acting for the business). |
| Approved tools | A named list of AI tools staff may use, with a note that anything not listed needs approval. Link to the live register. |
| Acceptable use | Bullet lists of encouraged uses and prohibited uses. Keep examples concrete and relevant to your work. |
| Data handling | What data may and may not be entered into AI tools, referencing your UK GDPR obligations and confidentiality terms. |
| Approval process | How to request a new tool or use case, who decides, and the expected turnaround. |
| Human oversight | Which outputs require human review, and a clear statement that the employee remains accountable for the result. |
| Breaches | What to do if something goes wrong, who to tell, and that honest reporting is encouraged rather than punished. |
| Review | How often the policy is reviewed, by whom, and where the version history is kept. |
A small note on Claude usage policy specifically. If your business standardises on Anthropic's Claude, your policy can name it as an approved tool and point staff to the business-grade version rather than consumer chat apps, where data handling and admin controls differ. The same five pillars apply; you are simply naming the tool you have chosen.
How to roll it out without resistance
The framework only works if people follow it, and people follow rules they understand and helped shape. Share the draft with a few staff who already use AI, take their input, and frame the final policy as enabling safe use rather than banning it. A short briefing and a single page of "dos and don'ts" pinned somewhere visible does more than a long document filed away.
If you are at the very start and unsure which tasks to govern first, our guide on where to start when you have 30 to 250 staff helps you pick the right first use cases. Govern those well, learn, then extend the framework as your AI use grows.
Where SpotDev fits
Writing a governance framework is the easy part. Embedding it into real, working AI that staff actually use is where most businesses stall. SpotDev is a UK consultancy specialising in Anthropic's Claude, with an in-house engineering team and more than 300 technology projects delivered. We build governance into the rollout from day one, so your approved tools, data rules and human-oversight checks are baked into the systems we deliver rather than bolted on afterwards.
Our work begins with an AI and Data Readiness Assessment, which reviews your data, your risks and your readiness to govern AI properly. From there, our AI Foundations package puts safe, governed Claude use into your business, with a first rollout typically live in two to three weeks. If you would like to discuss this, you can talk to a Claude engineer about our packages.
Frequently asked questions
What should an AI governance framework include?
At a minimum it should cover five things: acceptable use (what AI may and may not be used for), data rules (what information can be entered into AI tools), approval (who signs off on new tools and uses), human oversight (which outputs a person must review), and review (how often the framework is updated). For a mid-sized UK business, a short, clear framework covering these five pillars is far more useful than a long, unread document.
Is an AI usage policy a legal requirement in the UK?
There is no single UK law that requires a standalone AI usage policy. However, your existing obligations under UK GDPR and data protection law apply to how AI tools handle personal data, so a policy is the practical way to demonstrate you are meeting them. Many clients and insurers now ask how you govern AI, so having a documented framework is increasingly expected even where it is not strictly mandated.
How is a Claude usage policy different from a general AI policy?
The structure is the same. A Claude usage policy simply names Anthropic's Claude as your approved tool and directs staff to the business-grade version, which offers stronger data handling and administrative controls than consumer chat apps. Standardising on one well-governed tool makes the policy easier to enforce than trying to oversee many different tools at once.
How often should we review our AI governance framework?
Quarterly is a sensible starting cadence for a mid-sized business. AI tools and their terms change quickly, so a review every three months lets you update the approved-tool register, check any incidents and adjust the rules. Record the date of each review so you can show the framework is actively maintained if a client or auditor asks.
Work with a Claude specialist
SpotDev designs, builds and deploys custom Claude agents and enterprise Claude rollouts for UK businesses, with fixed packages from £8,000 to £45,000 and a first rollout live in two to three weeks. Explore our Claude implementation packages or talk to one of our engineers.