Service Business AI Policy Starter Checklist | Deskwire

This is not legal advice. Treat it as a starter framework, not a compliance document. Have your operations lead, attorney, or compliance team review before adopting it across your team.

// progress0 / 35 items reviewed

// approved

Approved uses

Use cases where AI typically helps with low risk when reviewed by staff.

Drafting internal SOPs and runbooks
Summarizing de-identified examples for training
Drafting staff-reviewed customer or client messages
Organizing lead, intake, or appointment checklists
Drafting follow-up sequences with human approval
Summarizing approved internal documents
First drafts of job posts, emails, and templates
Searching approved internal policies or procedures

// prohibited

Prohibited uses

Things AI should not do in your business without explicit approval and review.

Entering confidential information into unapproved AI tools
Sending AI-generated messages to customers or clients without human review
Making unsupervised professional, medical, legal, tax, or financial decisions
Using AI outputs without checking accuracy
Uploading sensitive customer, patient, employee, payment, legal, tax, or financial data into unapproved tools
Allowing AI to impersonate a staff member without disclosure or oversight
Auto-replying to inbound messages without a defined fallback to a human

// vendor-review

Vendor review

Questions to answer before approving a new AI tool.

Does the vendor touch confidential information?
What data is stored, where, and for how long?
Is data used for model training? Can that be turned off?
Are review logs available?
Can access be limited by role?
Can data be deleted on request?
What security documentation is available (SOC 2, ISO, BAA)?
For regulated industries: are additional agreements or safeguards required?

// human-review

Human review

Define who reviews what — before AI is allowed to send anything.

Who reviews AI outputs before they go to a customer?
What outputs can frontline staff approve?
What requires owner, manager, or licensed-professional review?
What must never be sent automatically?
How are errors reported and corrected?
How are AI-generated outputs tracked or logged?

// staff-training

Staff training

Make sure every staff member knows what is allowed and how to flag issues.

What tools are approved for which roles?
What tools are prohibited?
What information should never be entered into any AI tool?
How should staff report unsafe or unexpected AI behavior?
Who owns AI governance and policy updates?
How often will the policy be reviewed (recommended: quarterly)?

Industry cautions

If you handle regulated information, read this first.

The starter checklist is a baseline. Regulated industries need additional guardrails — and in some cases, specific vendor agreements before any AI tool touches client data.

Healthcare and wellness

Anything that touches PHI (patient names, conditions, dates of service, identifiers) requires a Business Associate Agreement with the AI vendor and HIPAA-aligned safeguards. Default to de-identified examples for any AI testing. Clinical judgment stays with licensed clinicians.

Legal services

Confidentiality and privilege rules apply to any tool that processes client information. Do not paste client matter details into general-purpose AI tools. Document your approved tools, retention behavior, and when AI-assisted output requires attorney review.

Tax and accounting

Returns, financial statements, and client communications carry confidentiality and IRS Section 7216 obligations. Vendors that touch return data need clear data-handling terms. Treat AI output as a draft to be reviewed by a credentialed preparer.

Financial services

Customer financial information falls under GLBA and state privacy laws. Review trails and access controls are non-negotiable. Avoid AI in any decisioning workflow (lending, suitability, advice) without compliance review and documented human oversight.

These are general cautions, not regulatory guidance. Confirm specifics with counsel and any industry-specific compliance lead before deploying AI in regulated workflows.

Next step

Need help turning this into an implementation plan?

The Deskwire AI assessment ends with a 90-day plan that includes guardrails, vendor review, and human-review checkpoints tailored to your business — so policy and rollout move together.

Start an AI assessment See how the assessment works

Service Business AI Policy Starter Checklist.