An SMB AI policy that actually changes day-to-day behaviour fits on one page and contains exactly eight clauses — sanctioned tools, prohibited data, human-review gate, client disclosure rule, prohibited uses, incident-report path, review cadence, and signature line — each closing a failure mode currently surfacing in regulatory guidance, court records, and breach disclosures through 2025-2026.
Status set to Partial at publication because the IAPP-cited 'order of magnitude lower remediation cost' figure in clause 6's commentary is annotated as our-estimate; the IAPP 2024 AI Governance Profession Report characterises the remediation-cost gap as material but does not publish a precise multiple. All other clauses are anchored on cited primary sources (ABA Formal Opinion 512, IRS Circular 230, FINRA AI key topics, HHS/OCR HIPAA AI bulletin, FTC AI guidance, SEC AI-washing enforcement, EEOC AI-in-employment, NIST AI RMF, EU AI Act Article 4). REVIEW: Peter to confirm whether the IAPP-derived multiple is sourceable to a more precise published figure or whether the commentary should be tightened to remove the multiplier framing entirely.
Correction log
- 29 Apr 2026: Initial publication 29 Apr 2026. Status set to Partial at publication because clause 6 commentary references an order-of-magnitude remediation-cost gap derived from the IAPP 2024 AI Governance Profession Report; the report characterises the gap as material but does not publish a precise multiple, so the wording is annotated source: our-estimate. REVIEW: Peter to source a precise figure or amend the commentary.