Governance for AI: the minimum viable policy

Most businesses get AI governance wrong in one of two directions. Either there’s no policy at all and staff are pasting client data into whatever chatbot tab is open, or someone has produced a 40-page framework that nobody has read past the cover page and adoption quietly dies. Neither helps you. The useful version sits in the middle, and it fits on a page.

What a minimum viable policy covers

Four things, and you can write them in an afternoon.

First, what can go where. A plain list of which information is allowed in which tools. Customer records in this, public marketing copy in that, nothing sensitive anywhere off the approved list. Get this one rule right and you’ve headed off most of the trouble before it starts.

Second, a name against the decisions. Pick the person who owns AI choices for the business. The point is to turn “someone should probably look at this” into a specific human who actually does.

Third, a short list of tools you’ve said yes to. Approve a handful of good options out loud. If you don’t, people will go shopping on their own and you’ll find out which tool they picked the day something leaks.

Fourth, keep a person in the loop wherever the output drives a decision that matters. A draft quote, a summary that informs a call, a flagged invoice. AI suggests, a human signs off before it lands.

Start small, tighten later

A one-page policy people follow beats a thorough one they ignore. Write the four essentials, put a name against them, and tighten as you use AI more and learn where it bites. The whole point of governance is to make it safer to adopt AI, not to give everyone a reason to never start.