Why Your Business Needs an AI Policy — And What It Costs You Not to Have One

By CT River Ops

Your team is already using AI. Not because you rolled it out — because someone on staff pasted a client contract into ChatGPT to summarize it, or used an AI tool to draft a customer email, or ran a resume through a screening tool nobody reviewed. If you haven't written a policy for how AI gets used in your business, that's already happening without rules.

Connecticut just gave this problem a legal deadline. Senate Bill 5 regulates how AI can be used in hiring decisions, effective October 1, 2026. But SB5 only covers one slice of the risk. Hiring tools are the part the state is watching. Client data, financial records, and everyday AI use across your team are the part you're responsible for watching yourself.

Here's what an AI policy actually is, what it costs you not to have one, and what a first version looks like.

What an AI policy actually covers

An AI policy is a short, written document that tells your team three things: which AI tools are approved for business use, what information can and can't go into them, and who signs off before a new tool gets added to the workflow.

It is not a technology document. It's an operations document — the same category as a policy on who can sign a check or who reviews a contract before it goes out. If you already have basic operating procedures for your business, this fits the same shape.

For a Connecticut trade or service business, that usually means covering:

  • Which tools staff can use for customer communication, scheduling, or estimates
  • What client information is off-limits to paste into any AI tool
  • Who approves a new AI tool before it touches customer-facing work
  • What happens when an AI tool makes a mistake — a wrong estimate, a bad email draft, a missed detail

What it costs you not to have one

Client data ends up somewhere you didn't intend. Free and consumer versions of AI tools can use what you type in to train their models. A staff member pasting a customer's address, payment history, or a signed contract into a free chatbot to "clean it up" has moved that data outside your control — and you likely won't know it happened.

Nobody's checking the output before it reaches a customer. AI-drafted emails, quotes, or scheduling messages that go out unreviewed create real liability when they're wrong. A miscalculated estimate or a promise the business didn't actually make is now in writing, sent under your name.

You lose the discrimination defense SB5 was built around. If your hiring process touches any tool that scores, ranks, or filters applicants, and you don't have documentation showing you tested it for bias, "the software did it" is not a legal shield. Connecticut closed that door specifically.

Every employee is making their own rules. Without a written policy, each person on your team decides individually what's safe to type into an AI tool and what isn't. Some will be cautious. Some won't think about it at all. Consistency is the entire point of a policy — without it, your protection is only as good as your least careful employee's judgment.

What a starter policy looks like

You don't need a legal team to write a first version. Five things, in plain language, cover most of the exposure:

  1. Name the approved tools. List the specific AI tools your business allows for work — not "AI is fine" but "we use these three tools for these purposes." Anything else needs approval first.
  2. Draw the line on client data. Be specific: no Social Security numbers, no financial account details, no signed contracts, no health information go into any AI tool unless it's a business-grade version with a signed data agreement. Free consumer tools are the highest-risk category — treat them accordingly.
  3. Require a human check before customer-facing use. Any AI-drafted email, quote, or estimate gets reviewed by a person before it goes out. This is the single easiest rule to enforce and the one that prevents the most damage.
  4. Assign an approval step for new tools. One person — owner, office manager, whoever runs operations — signs off before a new AI tool gets added anywhere near hiring, customer communication, or financial work.
  5. Document what you're already doing. If you're using a hiring or screening tool, write down whether the vendor has published bias testing. If they haven't, that's a decision point, not a footnote.

This isn't about slowing AI down

A policy doesn't mean fewer tools or less automation. It means the automation you're already running has rules behind it, so a mistake doesn't become a liability problem on top of an operational one. The businesses that get hurt here aren't the ones using AI carefully — they're the ones who don't realize how much of it is already running unsupervised.

If you're not sure where AI is already touching your business, that's the actual starting point — not the policy document, the audit that comes before it.

Where to start

Pull up every tool your business uses for customer communication, scheduling, hiring, or financial work. Flag anything that uses AI to draft, score, sort, or recommend. That list is your policy's first draft.

If you want a second set of eyes on that audit — or want to know what's actually safe to put into an AI tool versus what isn't — give us a call.

This post is informational and does not constitute legal advice. For questions specific to your business, consult a Connecticut employment attorney.
