ai security
starter kit.
Six documents that take a 5–250 person firm from "people are quietly using ChatGPT" to governed, defended, and drilled — in ninety days, mostly for free. No email gate. No vendor pitch. Take them.
Roughly half of employees now use AI tools their employer never approved, and about half of those have pasted non-public company data into them. Meanwhile agents — AI that acts, not just advises — are being wired into inboxes and ledgers by whoever watched the video first.
None of this needs a platform purchase or a consultancy engagement to get under control. It needs an inventory, one page of policy, a handful of settings, two fraud procedures and a quarterly hour. That is what this kit is: the sequence, written down, in the order I would do it.
Use the documents in order, or take what you need. If you only take one thing: document 02 goes on the wall, and payment changes get verified by a call to a number you already had.
The AI security roadmap for small business
Ninety days from "people are quietly using ChatGPT" to "we know what we run, we've decided what's allowed, and we'd notice if it went wrong." Four phases, roughly fifteen hours of effort, mostly settings and conversations. Start here.
AI at work — the staff cheat sheet
One A4 sheet for the wall. The do's, the don'ts, the three data bins, the three questions before you paste, and the one hard rule about money. Designed to be read in ninety seconds and remembered.
AI usage policy — template
A fill-in-the-brackets policy that stays on two pages, because one page of policy that gets read beats forty that don't. Approved tools, the three-bin data rule, eight rules, sign-off. Editable Word version included.
Securing AI agents & MCP
A chatbot advises; an agent acts. The five failure modes worth planning for, ten rules for running agents in a small firm, the six MCP hygiene rules, and a go-live checklist. Plain English throughout.
AI board & management briefing — template
The quarterly two-pager: where we use AI, the top three risks honestly stated, incidents and near-misses, money, and the decisions the meeting exists to take. Editable Word version included.
AI security self-assessment
Twenty-five questions across five domains, scored 0–2, with banded results and a quarterly score record. The test for every answer: could you show an outsider the evidence within five minutes?
Licence: CC BY 4.0 — use them, adapt them, rebrand the templates as your own, keep the attribution on the guides. General guidance, not legal advice; when AI touches decisions about people, take proper advice.
The kit pairs with the twelve-part Cyber security for the small business series, which covers the non-AI foundations — passwords, patching, backups, email — that this kit stands on. If your firm holds neither, start there; Cyber Essentials first, AI governance second.
Found a gap, or something that didn't survive contact with your firm? Tell me — the kit is versioned and reviewed like everything else here.