Policy & oversight structures
Minimum viable governance: one policy people actually read, one intake path, one review board with teeth, one inventory, one incident route — and no theater.
Governance earns its existence by making good AI adoption faster — safe paths that are easier than shadow paths — while stopping the deployments that would burn trust. Over-built governance is theater that pushes usage into the shadows; under-built is a screenshot waiting to happen. The minimum viable set is five pieces:
- The acceptable-use policy — one page, verb-first. What anyone may do today (approved tools, internal drafting, the data classes allowed in them), what needs review (anything customer-facing, anything with personal data), what's forbidden (feeding confidential data to unapproved tools; AI-only decisions about people). One page is a feature: policies read in three minutes get followed; PDFs of twenty pages get summarized by the shadow-usage grapevine, badly.
- The intake path — one form, five questions, fast answers. Anyone proposing an AI use answers: what task, what data, what capability, who's affected, what's the error cost. Routine cases (per the appetite statement) get yes-with-conditions in days, template-fast. The intake's real product is visibility — it's how the inventory stays true and how shadow usage converts to sanctioned usage.
- The review board — small, cross-functional, decision-empowered. Five-ish people (ops, legal/compliance, security/IT, data, a rotating business lead), meeting biweekly, deciding — not advising — on intake items above the routine bar. The teeth matter: a board that can only recommend becomes a bottleneck with opinions. Chair it yourself for the first 90 days to set calibration, then hand the gavel to your appointed program lead while keeping escalation rights.
- The AI inventory — every system in use, one register. What it does, what data it touches, who owns it, its risk tier, last review date. Sourced from intake going forward and a one-time amnesty sweep backward ('register your shadow tools, no penalties, this month'). The inventory is the artifact regulators, auditors, and next year's you will ask for first.
- The incident path — who to tell when AI does something wrong. A named contact, a no-blame norm for reporting, a triage habit (wrong-answer? leakage? compliance?), and a feedback loop into policy. The first reported incident is a governance success — it means people tell you things. Celebrate accordingly, visibly.
Calibration: the only hard part
Every piece above can be done in a week with templates; the leadership work is calibration over time. Watch two gauges: intake latency (if routine approvals take three weeks, safe paths lose to shadow paths and your governance is manufacturing risk) and exception rate (if everything's an exception, the appetite statement is miscalibrated — fix the statement, not the humans). Quarterly, the board reviews its own throughput as seriously as its decisions. Governance that measures itself stays minimum and viable; governance that doesn't grows rings like a tree.
This lesson is the executive altitude: enough to charter the structures and staff them credibly. The operator altitude — risk taxonomies mapped to NIST AI RMF, control matrices with evidence requirements, audit readiness, incident runbooks — is the AI Governance, Risk & Compliance course, and the person you appoint to run this machinery should take it. Your job is to charter the program and hold its calibration; theirs is to run it so well you rarely think about it.