NOTCONTENT / training
Back to Blog
Guide

The One-Page AI Policy Every Team Needs

Approved tools. Data boundaries. Human oversight. Disclosure. Four things, one page, reviewed regularly. Anything longer is a compliance manual nobody reads. With 75% of agencies still running client contracts that don't mention AI, the one-pager is the minimum viable guardrail.

Jeremy Somers
Jeremy SomersFounder, NotContent·Mar 31, 2026·5 min read

The Problem With "Real" AI Policies

I've seen a lot of agency AI policies over the last two years. Most of them are bad for the same reason.

They're too long.

Forty-page documents. Legal review committees. Approval chains. Quarterly audits. The works. Someone spends three months drafting it, leadership approves it, it goes onto a SharePoint nobody looks at, and the agency carries on exactly as it was before.

The document exists. The behaviour it was meant to shape doesn't change.

This isn't a governance problem with the team. It's a governance problem with the policy. A 40-page document will never be part of how people work. A one-page document can be.

Four Things, One Page

If I wrote your agency's AI policy today, it would have four sections. That's it.

Approved tools. List them. Which models and platforms are allowed for client work. Which are allowed for internal work only. Which are explicitly not allowed — for IP reasons, data reasons, or quality reasons. Name versions where the version matters. Update this quarterly.

Data boundaries. What can be processed through AI. What cannot. Specifically call out client assets, confidential briefs, and personally identifiable information. Explain what to do when a team member is unsure. "When in doubt, don't upload it" should be written down somewhere official.

Human oversight requirements. Where a human must review AI output before it leaves the agency. Where they don't need to. Specifics matter: a first-draft email for internal use is different from copy going into a live campaign. Draw the line clearly so people don't have to guess.

Disclosure standards. When you tell clients AI was involved. How that's handled in contracts. What your team says when a client asks directly. Pre-decide this, because the first time it comes up in a client conversation, you don't want three different answers coming from three different account leads.

Four sections. One page. Reviewed quarterly. Posted somewhere your team will actually see it — not buried on an intranet.

Why This Works When Long Versions Don't

Three reasons a one-pager beats a 40-pager, every time.

It gets read. A one-page document fits on a screen. A team member can absorb it in two minutes. That's all that matters for whether a policy actually influences behaviour in the moment of decision. Forty pages doesn't get read. Ever. By anyone.

It forces prioritisation. When you have to fit the policy on one page, you can't include every conceivable scenario. You have to pick the ones that matter most. That forces leadership to decide what the real risks actually are — which is a useful exercise in itself.

It gets updated. A one-page document can be rewritten in an hour when the landscape shifts. A forty-page document requires a committee, a review cycle, and six weeks. By the time the long version updates, the AI landscape has moved again. The one-page version stays current because staying current is cheap.

The Context: Why This Is Urgent

The Spark AI 2026 report found that 52% of AI activity across agencies is still informal — people innovating without any guardrails around them. At the same time, 75% of agencies have not updated their client contracts to reflect AI usage. (That stat comes from The Wow Company's Benchpress report, cited in Spark.)

Stack those two numbers. More than half your team's AI work is happening without organisational oversight, and three-quarters of your contracts don't mention AI at all. That's not a governance risk waiting to happen — it's a governance risk that's actively accumulating.

Meanwhile, formal AI policy is now a baseline client expectation. Procurement teams at enterprise clients are asking for it. M&A due diligence is asking for it. Growth partners are asking for it. The one-pager is the minimum viable thing you need to have in the room when any of those conversations start.

The Traffic-Light Companion

A one-page policy gets you most of the way there. The thing that operationalises it is a simple traffic-light system in your project management tool.

Three colours.

Green. AI-friendly work. The brief, the deliverables, and the data are all fine to process through approved AI tools. The team can use AI freely.

Amber. Internal use only. AI can be used for behind-the-scenes work — first drafts, research synthesis, internal analysis — but the final deliverables need to be produced without AI processing of sensitive elements. Team members might use AI to draft an internal memo summarising the brief, but shouldn't feed the brief itself into a model.

Red. Confidential briefs. No AI involvement at any stage. Everything stays manual.

Tag every project. Make it part of the project setup checklist. Make the tag visible everywhere the project shows up. This takes the decision off the individual team member — which is exactly where you don't want it sitting — and makes it an organisational standard.

What to Do This Week

Three tactical moves you can make this week, assuming you don't have any of this in place yet.

Draft the one-pager. You don't need to hire a consultant. You don't need a legal review yet. Get leadership in a room for an hour and write the first version. Four sections, one page, plain English. Ship it to the team by Friday.

Set up the traffic-light system. Add a status field to your project management tool. Write a short guide on how to classify. Default everything existing to amber until someone reviews it.

Schedule the quarterly review. Put it in the calendar for three months from now. That's when you revisit the document, update it for anything that's changed in the tools or the market, and reclassify any projects that need it.

The Through-Line

The best operational policies are the ones people actually follow. That almost never happens with long documents. It frequently happens with short ones.

A one-page AI policy is not a lesser version of a real policy. For most creative teams, it is the real policy — because it's the only version that will actually influence what people do on Monday morning.

Start with one page. Get it right. Iterate from there.

See how NotContent helps teams build AI governance that works inside how they actually operate

Jeremy Somers

Jeremy Somers

Founder, NotContent

15 years as a creative director (Spotify, Nike, Pepsi, Samsung, Mercedes-Benz). Built the first AI-assisted creative agency in 2022.

Blog not doing it for ya?

Try some of Jeremy's rants and predictions on LinkedIn.

Related Reading[NC]
Insight

Shadow AI Is the New Shadow IT

52% of AI activity inside your team is informal — people innovating without guardrails. The legal and IP risk is sitting on individual shoulders. When they leave, the custom workflows leave with them. This is the governance problem most leaders haven't named yet.

Apr 16, 20264 min read
Insight

89% of Your Team Saved Time This Week. Where Did It Go?

AI is giving creative teams up to ten hours a week back. The hours aren't being reinvested — they're disappearing into email, meetings, and doing more of the same faster. That's not efficiency. That's a race to the bottom.

Apr 21, 20263 min read
Insight

The Gap Inside Your Team Is Wider Than the Gap Between Agencies

45% of your team uses AI daily. 40% dip in and out. 15% barely engage. The divide inside one agency is now bigger than the divide between one agency and another. That's a standardisation problem nobody's named.

Apr 17, 20264 min read

See where your team stands

Take the 2-minute Readiness Scorecard and get a personalized program recommendation.

Take the Readiness Scorecard →