AI Policy
1. Our approach to AI
Artificial intelligence tools offer genuine opportunities for productivity, efficiency, creativity, and growth. We want our team to use these tools to do their best work, and to provide maximum value to clients while retaining the value that we add as humans.
We are aware that AI tools also introduce new risks, from data leakage, to trust and copyright issues, that can affect our business, our clients, and our reputation. This policy is here to make sure we use AI safely, responsibly, and in line with the values that matter to us, including our commitment to Māori Data Sovereignty.
2. What AI is great for
AI is at its best when it handles work that the operator/human is already an expert in.
Examples of where we encourage you to use it:
Strategising and planning. Use AI as a thinking partner to brainstorm, structure ideas, and pressure-test plans.
Document production. First drafts of reports, proposals, policies, and communications - especially documents that have several examples to replicate.
Conflict and scenario review. Run a difficult message past AI for a balanced perspective before sending.
Repetitive administration. File naming, digital filing, data formatting, meeting summaries, email triage, automating repetitive tasks.
Digital editing and design tools. Tools that help make editing videos or images faster.
Research and analysis. Summarising long documents, comparing options, extracting key points, learning tone of voice or sentiment.
Writing and editing. Improving clarity, checking tone, adjusting for different audiences.
Learning. Explaining unfamiliar concepts, understanding new processes, upskilling on tools.
The goal is to free up your time for the work that requires your judgement, your relationships, and your expertise. The things AI cannot do.
3. Key definitions
AI tool
Any software that uses artificial intelligence or machine learning to generate, summarise, transcribe, classify, or otherwise process content. Includes generative AI (e.g. ChatGPT, Claude, Gemini), AI features built into other tools (e.g. Canva Magic Media, Grammarly), AI meeting recorders, and AI dictation software.
Generative AI
AI that creates new content (text, images, audio, video) based on prompts.
Hallucination
When an AI tool generates information that sounds confident and plausible but is incorrect or made up.
Learning features
Settings that allow an AI tool to use your inputs to train its underlying model. These must always be disabled.
Shadow AI
Use of AI tools that haven't been approved by Little & Loud for company work, or AI work that has been hidden on purpose.
The 10-80-10 rule
Our core working principle for AI. You provide the idea and context (10%), AI does the heavy drafting (80%), you review, refine, and add your judgement (10%).
Commercially sensitive
Information that is not publicly available and could cause competitive, financial, or reputational harm to the client or Little & Loud if disclosed, including but not limited to: unreleased campaigns or product launches, financial data, strategic plans, supplier or partner details, and personal information about identifiable individuals (staff, customers, or members of the public).
4. Personal responsibility
You are responsible for the accuracy, legality, and privacy of any work you submit, whether AI helped create it or not.
AI is a tool, not a colleague. Think of it as a fast, eager junior assistant. It does not know our business, our clients, or our standards the way you do. Always review its work with a critical eye.
Work to the 10-80-10 rule (see section 3). You frame the task. AI does the heavy lifting. You review and approve. If your name is on it, you own it. We always communicate in our own voice, not the voice of a tool. Check every output for AI giveaways and tone of voice before it goes anywhere.
You are not expected to be an AI expert. However, we do ask that you keep an open mind about how AI tools can support your work and ask for help when you need it.
We do expect that you have conversations with clients and colleagues when significant AI input has occurred. For example, “Hi Lucy, I have summarised our meeting notes with AI.” or “Hi Steph, I have used AI to compile media stories and relevant media contacts for this job.”
Internal transparency
Across all work, share how and when you used AI with the rest of the team. Internal transparency is separate from client disclosure and applies even when the client does not need to be told.
5. Scope
This policy applies to all forms of AI use in our work, including:
Web-based tools (e.g. ChatGPT, Claude, Gemini)
Browser extensions (e.g. grammar checkers, page summarisers)
Operating system features (e.g. Copilot in Windows, Apple Intelligence)
Meeting recording and transcription tools
AI features pre-installed on company devices or built into apps we already use
6. Approved AI tools
To keep our data and our clients' data safe, we manage which AI tools are used for company work. Company work refers to anything that includes information about our clients or our business.
Using unvetted tools creates shadow AI risk, where company or client data is quietly sent to train public models or stored on servers outside our control. Free-tier subscriptions across multiple unmanaged AI tools are one of the biggest data risks small businesses face.
You should only use AI tools that have been approved by Little & Loud for company work.
Expenses for unapproved AI tool subscriptions will not be reimbursed. All tools must be used through paid work accounts, not personal accounts.
Approved tools
ChatGPT
Claude
Gemini
Perplexity
Gamma
Descript
Plaud
Whisper Flow
Teams
Voice note recorders
Canva Magic Media
Squarespace AI
Hemingway
Requesting new tools
We encourage you to suggest new AI tools. Raise it with the Managing Director for review. We will assess the tool for privacy, security, and data handling before adding it to the approved list.
You may trial a tool on a free version as part of a request, but it must not be used on client or confidential work until it is approved.
To request a tool, email the Managing Director and Office Manager with the tool name, intended purpose, and version. We will review for cost, privacy, security, and whether an existing approved tool already covers the use case.
As an in-house team without an external IT provider, we rely on each other to flag risks early. If something feels off about a tool, ask before you use it.
7. Data classification
Before entering anything into an AI tool, think about the type of data it is. If you are unsure how to classify something, ask the Managing Director before entering it into an AI tool.
| Classification | Examples | AI use |
| --- | --- | --- |
| Public | Published media releases, public web copy, event details, newsletter articles already approved for release | OK to use with most AI tools as long as not being used to generate new work. Anything ‘new’ should only happen within approved tools. |
| Internal | Internal notes, draft content, general working documents not yet public, meeting notes | OK with approved AI tools and learning features disabled. Use judgement. |
| Confidential (approved AI use by clients) | Client strategy documents, commercial information, unreleased campaigns, financial information, contextual information | Can be used within Gemini and Claude (our two primary operating systems). |
| Confidential (unapproved for AI use) | Client strategy documents, commercial information, unreleased campaigns, financial information, contextual information | Do not use with any AI tools unless permission explicitly given |
| Restricted | Māori-related content/data, personal information, anything covered by an NDA, anything a client has asked us not to share. Personal information about clients or team members. Highly sensitive topics. | Do not enter into AI tools under any circumstances. |
Personal information refers to any information that cannot be Googled or easily found. Work emails do not come under personal information.
Confidential vs sensitive
When we think about confidential information and our primary approved AI tools (i.e. Claude/Gemini), it might help to think about them in the same way we think about how we file things in our Google Drive/laptop storage.
We are comfortable filing confidential client information in a secure folder in our work Google Drive, but wouldn’t be comfortable filing confidential client information on our family’s shared laptop desktop. Think critically about where and when you use information in AI tools, with the aim and intention of confidential information staying confidential and not being inadvertently shared with people or tools you didn’t intend.
As an example, you might have a meeting transcript that you want to use to create a brief for a new job. Before you input it into Claude, you manually remove the part of the conversation that talked about the client’s personal medical information that she shared with you at the start of the meeting. You then generate the brief using Claude in a shared project. You delete the transcript from your device and file the brief as usual in your Google Drive.
Another example is that a client is looking for advice re: a highly sensitive restructure. We want to use Claude to research best practice for this type of restructure. Instead of providing Claude with the context documents (i.e. proposal for change from the client), which are sensitive, we research using instructions that do not contain details about the client, industry or any identifying information.
By using approved, paid, enterprise-level AI tools like Claude, the advice we have had is that the data we input is as secure as our Gmail or Google Drive (likely more so!). However, understanding this requires literacy from the client and we will go at their pace to ensure they are comfortable with the tools we are using.
All recordings, transcripts, summaries, prompts, and outputs created using company AI accounts are company property. Store them in approved Little & Loud locations. Do not save them to personal drives or accounts.
8. Māori data sovereignty
We do not use AI tools for Māori-related content. This includes te reo Māori content, mātauranga Māori, iwi or hapū information, kaupapa Māori work, or any work where the cultural authority over the content sits with Māori.
This is to protect Māori data sovereignty. AI tools train on, store, and process inputs in ways that are inconsistent with tikanga and with the principle that Māori retain authority over Māori data.
If a project involves Māori content and you are unsure where the line sits, ask the Managing Director before using any AI tool.
9. Client contract requirements
If a client contract prohibits or restricts the use of AI, that takes priority over this policy. Before using AI on client work, check the relevant agreement. When in doubt, ask.
Client contracts and service agreements should explicitly cover our use of AI where possible. Flag any gaps to the Managing Director so they can be addressed in the next contract review.
10. Meeting recorders and transcription
AI-powered meeting recorders are useful when used well. The tools we use are Plaud, Whisper Flow, Teams, Gemini, and voice note apps on cell phones.
Rules for meeting recording:
All meeting participants must be notified that recording is active before it starts.
They should be told what tool is being used, where the recording will be stored, and who will have access to the recording.
External participants must give consent before recording begins.
If a client does not want an AI tool active during a meeting, take manual notes instead.
Do not use personal or unapproved recording tools in business meetings.
If an unauthorised recording bot joins a meeting, the host should remove it immediately.
Storage and ownership of recordings, transcripts, and summaries are covered in section 7.
11. Browser extensions
Installing browser extensions that use AI features is not permitted unless the extension has been approved by Little & Loud. Many extensions require full read access to web traffic, including email, banking, and confidential client portals, which creates significant data exposure.
12. Verification and financial risk
Two related risks sit under one rule: AI gets things wrong, and AI is now used to commit fraud. In both cases, verify before you act.
AI hallucinations
AI models sometimes generate incorrect information with complete confidence. This is called a hallucination, and it is a known limitation of every AI tool.
Verify AI-generated content against primary sources before relying on it. This is especially important for:
Legal information or regulatory requirements
Financial figures or calculations
Factual claims, statistics, or citations
Quotes or attributions
Technical specifications
If you make a business or client decision based on AI output, validate the underlying data first.
If an unverified AI error does reach a client, treat it as an incident and follow the steps in section 17.
Financial and credential requests
Deepfake technology is now used to commit fraud. Any urgent request for funds (wire transfers, gift cards, invoice payments) or credential changes received via voice, video, or email requires secondary verification through a known, trusted channel.
If something feels off, verify before acting.
13. Intellectual property and copyright
AI-generated content sits in a complex legal area. Keep these principles in mind:
Do not use AI to deliberately reproduce copyrighted material or trademarks.
Be careful with AI-generated images or media representing client brands or our own. AI often introduces subtle errors that undermine professionalism.
14. Voice cloning and deepfakes
Using AI to clone, simulate, or mimic the voice or likeness of any person (staff, clients, suppliers, or public figures) is prohibited unless explicitly authorised in writing by the Managing Director. This includes text-to-speech tools trained on a specific individual's voice.
Deepfakes are increasingly hard to spot. If you accidentally act on a deepfake on behalf of Little & Loud or a client, let the Managing Director know immediately.
15. Human oversight of AI decisions
AI lacks judgement, ethical reasoning, and business context. A human must review and approve any decision where AI has contributed to the analysis, including:
Hiring and employment decisions
Financial approvals
Strategic recommendations for clients
Professional advice (legal, medical, financial)
Client-facing deliverables
16. Access and accountability
Mobile and personal devices
Avoid entering confidential or restricted client data into AI tools on personal devices or personal accounts. If you need to use a personal device for AI work, log in to the company-provisioned account, not your own.
Usage review
Company-provisioned AI accounts are company property. We may review usage patterns to help the team get more value from AI tools and to identify potential security risks early. Prompts, inputs, and outputs on company AI accounts may be reviewed.
This is not about monitoring individuals. It is about protecting company and client data.
Training
Access to company AI tools may require completion of internal AI training, including security awareness, effective usage, and ethics. Little & Loud reserves the right to adjust AI access for anyone who has not completed required training.
Contractors and vendors
Contractors, freelancers, and vendors working on Little & Loud or client data must use secure Little & Loud-approved AI tools and accounts. Use of personal or free AI accounts on our work is not permitted without explicit written approval from the Managing Director. Contractors must review and acknowledge this policy as part of onboarding.
When you leave
All prompts, inputs, and outputs generated using company AI accounts are company property. On departure, your AI accounts will be archived. Do not delete, export, or transfer AI conversation history to personal accounts.
17. Non-negotiables and incident reporting
No discriminatory, hateful, or malicious use
AI tools must not be used to generate discriminatory, explicit, hateful, or harassing content, or to facilitate cyberattacks, phishing, or malicious software. This sits within our existing code of conduct.
No jailbreaking
Attempting to bypass safety filters, content moderation, or security guardrails of any AI tool (commonly known as jailbreaking) is a violation of this policy.
Report incidents immediately, without penalty
If you accidentally enter restricted or confidential data into an AI tool, suspect an unauthorised tool has accessed company or client data, or notice serious hallucinations, shortcomings, or client concerns, report it to the Managing Director immediately.
Self-reporting mistakes is encouraged. It lets us fix problems quickly. There is no penalty for honest, prompt reporting of an accident.
If an AI error reaches a client
If something containing an AI error (a hallucinated fact, a wrong figure, a fabricated quote or citation) has already gone to a client, the priority is speed and honesty. A slow or hidden response does more harm to our reputation than the error itself.
Take these steps, in order:
Tell the Managing Director straight away, before deciding anything about the client.
Correct the record with the client promptly. The default is to disclose, unless the Managing Director agrees the error is immaterial. How much is said is decided together, based on the client and the severity.
Log the incident briefly so we can see if errors are getting through repeatedly, which would point to a review-process gap rather than a one-off.
18. Policy review
AI evolves rapidly. This policy is reviewed at least monthly, or whenever significant new capabilities or risks emerge.
The team will be notified of major updates. The approved tools list may be updated more frequently.