Policy Playbook
AI Policy Checklist for Small Businesses
Last updated: February 23, 2026
Most teams start with a generic policy template and stop there. The checklist below is designed to move from document-only policy to operational governance.
Core policy checklist
- Define approved, restricted, and prohibited AI tools.
- Define what data can never be entered into AI tools.
- Define disclosure rules for AI-assisted outputs.
- Assign ownership for approvals, exceptions, and incidents.
- Document review cadence and change-control process.
- Collect policy attestation from all employees.
- Keep an exportable evidence trail for external diligence.
Operational checks that close the gap
- Discovery baseline refreshed on a recurring cadence.
- Reminders sent automatically for unacknowledged policies.
- Board/client-ready snapshot generated from real activity data.
Texas and Colorado policy updates (2026)
- Texas HB 149 (TRAIGA): Effective January 1, 2026 and requires disclosures when AI is used to interact with consumers.
- Colorado SB24-205: Effective date adjusted to June 30, 2026 through SB25B-004.
External policy references
- Texas Legislature: HB 149 enrolled text
- Colorado General Assembly: SB24-205
- Colorado General Assembly: SB25B-004 update bill
- EU AI Act framework overview (European Commission)
Snapshot current as of February 23, 2026. Treat this as an operations guide, not legal advice.
Related guides
View allEU AI Act for SMBs
What applies, which deadlines matter, and where to start operationally.
Read guideShadow AI Risk Guide
Top risk categories and concrete controls to reduce exposure quickly.
Read guideBuild your first draft in minutes
Start with a tailored policy draft now. After generation, request a launch invite for full governance workflows.