Your AI Content Policy Is About Ownership, Not Quality

The structural argument

Hacker News updated its guidelines this week to explicitly prohibit AI-generated or AI-edited comments. The change came after a year of complaints about "AI slop", comments that look superficially reasonable but add nothing to a discussion. Most coverage framed the policy as a quality bar.

It isn't. Or rather, the quality complaint is downstream of the real one. The real question, for HN, for newsrooms, for law firms, for therapy practices, for every organization whose value lives in its output, is this: once your staff routes their writing through a third-party model, who actually owns the result?

You. Legally, on paper. But "ownership" is not the same as "control," and the gap between them is the entire AI policy debate.

What you actually lose when staff route writing through a third party

Three things, in order of how often a small business gets bitten by them:

1. The voice. A model trained on the average of the public internet returns the average of the public internet. When a paralegal drafts an intake email through ChatGPT and a competing firm's paralegal drafts an intake email through ChatGPT, both emails sound like ChatGPT. Brand voice is the first thing AI homogenizes and the first thing customers stop trusting.

2. The accountability. "The AI said it" is not a defense in front of a regulator, an insurance carrier, or a judge. If a model invents a citation in a court filing, the lawyer who signed the filing is sanctioned. If a model invents a medication interaction in a patient handout, the prescriber is liable. Your staff still owns every outbound artifact regardless of who drafted it. The policy you write is the document that makes them act like it.

3. The data. This is the most obvious one and the most ignored one. Free-tier consumer AI accounts can train on user input. The policies vary by vendor and by tier and by the specific terms-of-service revision in force the day the prompt was sent. The only safe assumption for a small business is "if it's not on the business tier with a written DPA, it's training data." Which means every confidential client document anyone pasted into a free chat tab is now a permanent part of someone else's training corpus, and there is no recall.

Why a written policy matters

A surprising number of small businesses use AI heavily without ever having written down a policy. The result is predictable: inconsistency. One staff member uses ChatGPT to draft client emails. Another refuses to touch it. A third pastes confidential documents into a free chatbot without thinking. None of them are wrong by their own lights, because nobody told them what right looks like.

A one-page policy is not about restricting AI. It is about making the decisions someone is going to make anyway, made by you, in writing, before they happen.

The five questions a usable policy answers

Don't write a six-page policy. Nobody reads six-page policies. Answer these five questions clearly enough that staff can act on them:

1. Which AI tools are approved for business use? Name them. "Microsoft 365 Copilot, Claude Pro on the company account, Gemini inside our Workspace plan." Not "any tool you find useful." Naming the tools is what gives the policy enforcement teeth.

2. What data can go in, by classification? Public information, internal information, confidential client material, regulated data (PHI, PII, financials). Pair each classification with the approved tool list. Regulated data goes only to tools with a signed BAA or DPA. Confidential goes only to business-tier tools. Public can go anywhere.

3. What outputs require human review? Anything that goes to a client. Anything that goes into a contract. Anything that affects payroll or finance. Anything legal might see. Anything regulated. The bar is "would I want my name on this if it had a mistake?"

4. What disclosure is required? Some industries mandate it (court filings in several states now require AI-disclosure statements). Some clients ask. Some carriers require it. Decide once and write it down.

5. What happens if someone violates the policy? Coaching first, formal action later, standard escalation. The point isn't punishment. The point is that "I didn't know I couldn't" stops being an answer.

The ten-minute first draft

If you have ten minutes, sit down and answer these prompts. You'll have a usable first version:

• The approved AI tools for our business are: , , ___.
• Staff may put the following data into approved tools: , , ___.
• Staff may NOT put the following data into any AI tool: , , ___.
• All AI-generated content sent to clients must be reviewed by ___ before sending.
• AI usage will be reviewed quarterly by ___.

Save it. Share it with your team. Iterate next month. The first version is allowed to be incomplete, what's not allowed is no version.

Three risks the written policy specifically reduces

Confidentiality leaks. Free chatbots typically train on user input. A policy that names approved tools (which don't) prevents the worst case before it happens.

Reputation damage. AI-generated content that goes out to clients without review is uneven, occasionally inaccurate, and very recognizable. The review step is the cheapest possible insurance against the worst version of this.

Compliance exposure. HIPAA, GLBA, and PCI all care about where data goes. The AI policy is the first document an auditor will ask for in 2026 and beyond. Not having one will be treated the same way "we don't have a written incident response plan" was treated five years ago.

We help clients build these policies as part of vCIO and compliance work. The first draft takes about an hour with us in the room. The hardest part is enforcement, and that is mostly a matter of training and visibility, not technology.

The bottom line

Hacker News drew its line because the quality of the conversation was degrading. Your business needs to draw its own line for a different reason: because every AI-assisted document your staff sends carries your name and your liability, and "the AI did it" is not a position you want to find yourself defending in front of a client, a regulator, or a court.

A one-page AI content policy is the cheapest, highest-uses governance document you can write this quarter. Spend the hour. The first time it prevents an embarrassing client email or a regulated-data leak, it pays for itself by an order of magnitude.

Talk to us about drafting an AI use policy. You can also read our pieces on AI comprehension debt, supply-chain risk for AI tools, and the structural case for moving off ChatGPT.