Skip to main content
Back to Navigate AI Risk: Compliance Mastery
Lesson 3 of 6

Document Your AI: Stay Audit-Ready

~26 min readLast reviewed May 2026
This lesson counts toward:Legal Work, Faster: AI for High-Stakes PracticeUsing AI Responsibly

Model Documentation and Governance Standards

Most Professionals Have This Completely Backwards

Most professionals believe that AI governance is a technical problem, something the IT department handles in a server room while everyone else gets on with their jobs. They believe documentation is bureaucratic box-ticking that slows teams down. And they believe that if a vendor like Microsoft or OpenAI built the tool, the vendor is responsible for how it behaves inside their organization. All three of these beliefs are wrong. They are not just slightly off, they create real legal exposure, erode trust with clients and regulators, and leave organizations unable to explain or defend decisions made with AI assistance. This lesson systematically dismantles each myth and replaces it with a working mental model you can actually use.

  1. Myth 1: AI governance is an IT or data science responsibility, not a business one.
  2. Myth 2: Model documentation means technical specs, it's only useful for engineers.
  3. Myth 3: If the vendor built it, the vendor is liable for how it behaves.

Myth 1: AI Governance Belongs to IT

This belief is understandable. AI tools feel technical. They run on servers, involve algorithms, and come with documentation written in language that reads like an engineering textbook. So when something goes wrong, a hiring tool screens out qualified candidates, a customer-facing chatbot gives incorrect pricing, a sales forecasting model produces wildly inaccurate numbers, it feels natural to hand it back to IT and say 'fix it.' But governance is not the same as maintenance. Governance is about deciding who can use an AI tool, for what purposes, on what data, with what level of human review, and with what records kept. Those are business decisions. They require input from HR, legal, compliance, finance, and operations, not just the team that manages the software.

Consider what happened at a large UK retailer in 2023 when their AI-assisted inventory management system began recommending deep discounts on products that were actually in short supply. The system had been updated by a third-party vendor, IT approved the update, but nobody in the buying or merchandising team had signed off on a change to the model's behavior. The business lost an estimated £2.3 million in margin over six weeks before the error was caught. The governance failure was not technical, the system worked exactly as the vendor intended after the update. The failure was organizational: no business owner had defined what 'acceptable behavior' looked like, and no approval process existed for model changes that affected commercial outcomes.

The corrected mental model is simple: think of AI governance the same way you think of financial controls. Your finance team does not decide alone how money is spent, there are approval thresholds, audit trails, sign-off requirements, and policies that involve managers across the business. AI tools that influence hiring, pricing, customer communication, credit decisions, or employee performance need the same structure. IT implements the controls. Business leaders define them. Compliance verifies them. That division of responsibility is what governance actually means.

Governance Without Business Ownership Is Just IT Paperwork

If your organization's AI governance policy was written entirely by the technology team and has never been reviewed by HR, Legal, or a senior business leader, it almost certainly has gaps that create liability. The EU AI Act (effective 2026 for high-risk systems) explicitly requires that 'human oversight' responsibilities be assigned to named roles within the deploying organization, not just the vendor. That means someone with a business title, not just a technical one, must be accountable.

Myth 2: Model Documentation Is Just Technical Specs for Engineers

When most non-technical professionals hear 'model documentation,' they picture a PDF full of equations, architecture diagrams, and training dataset statistics. Something that only a data scientist would read. So they ignore it, or they delegate reading it to someone in analytics and assume they'll be told if anything important comes up. This is a significant mistake, because the parts of model documentation that matter most for business risk are written in plain language and answer questions every manager should care about: What is this tool designed to do? What is it explicitly NOT designed to do? What kinds of errors does it tend to make? What data was it trained on, and how recent is that data?

2019

Historical Record

Google

Google introduced Model Cards in 2019, a documentation format designed to help non-technical stakeholders understand the intended use, performance characteristics, and known limitations of AI models.

Model Cards became an industry standard practice for making AI documentation accessible to business decision-makers, not just engineers.

Here is why reading them matters in practice. If you are an HR manager using an AI tool to help screen job applications, the model documentation may explicitly state that the tool was not validated for screening candidates without a four-year degree, or that it performs less accurately on applications written in non-native English. If you deploy it anyway without those guardrails in place, you are not just making a technical error, you are potentially violating equal employment opportunity law. The documentation tells you where the guardrails need to go. That is a business decision, not an engineering one, and it requires a business person to read the relevant section.

Using Claude to Decode Vendor AI Documentation

Prompt

I'm an HR Director. My company is considering using HireVue's AI video interviewing tool. I've downloaded their technical documentation but it's 47 pages and written for data scientists. I need to understand: (1) what the tool is designed to do vs. what it cannot reliably do, (2) any known biases or performance gaps across different candidate groups, and (3) what human oversight they recommend. Can you help me extract and summarize those three things from a document I'll paste below? [Document text pasted]

AI Response

Absolutely. Based on the documentation you've shared, here's what matters for your decision: **What the tool is designed to do:** HireVue's AI analyzes verbal responses, speech patterns, and word choice to score candidates against a competency model you define. It's designed to create consistency across initial screening interviews and reduce scheduling burden for hiring managers. **What it cannot reliably do:** The documentation acknowledges reduced accuracy for candidates with non-native English accents and notes the model was validated primarily on North American English speakers. It explicitly states it should not be used as the sole decision factor for any hiring outcome. Performance on candidates with speech-related disabilities is flagged as an area requiring additional human review. **Known performance gaps:** The fairness testing section shows a 6-8% score variance across racial groups on certain competency dimensions, which the vendor attributes to training data composition. They recommend annual adverse impact analyzis if you deploy at scale. **Recommended human oversight:** HireVue recommends that all candidates scoring within 15 points of your cut-off threshold receive a human review before rejection. They also recommend a structured appeals process for candidates who request reconsideration. **My recommendation for your next step:** Before deploying, define in writing who in HR is responsible for reviewing the adverse impact data quarterly, and document that this tool is one input among several, not an autonomous decision-maker. That written policy is what protects you if a rejected candidate files a complaint.

Myth 3: The Vendor Is Liable for How Their Tool Behaves

This is the most dangerous myth of the three, because it feels legally intuitive. You bought a product. The product did something harmful. Surely the company that sold it is responsible? In some narrow product liability scenarios, yes. But when it comes to AI tools used in professional settings, the legal and regulatory picture is almost entirely the opposite. The EU AI Act, the US Equal Employment Opportunity Commission's 2023 guidance on AI in hiring, the UK ICO's guidance on automated decision-making, and emerging state-level AI legislation in Colorado, Texas, and Illinois all place primary accountability for AI outcomes on the organization deploying the tool, not the organization that built it.

The vendor relationship is better understood through the analogy of a staffing agency. If you hire a contractor through a staffing agency, the agency vets and supplies the worker, but you, as the employer directing the work, are responsible for what the contractor does on your premises and on your behalf. You cannot hand a contractor a task that violates safety regulations and then sue the staffing agency when someone gets hurt. Similarly, when you deploy ChatGPT Enterprise to help your team draft client communications, OpenAI provides the model, but your organization decides what data it accesses, what outputs get sent to clients, and what review process exists. If a client receives incorrect legal or financial information because no one reviewed the AI draft, that liability sits with your organization.

Myth vs. Reality: The Comparison That Changes How You Work

The MythWhy Professionals Believe ItThe RealityWhat It Means Monday Morning
AI governance is IT's jobThe tools are technical, so responsibility feels technicalGovernance is a business function. IT implements controls; business leaders define them.Every AI tool used in your team's workflow needs a named business owner, probably you.
Model documentation is only for data scientistsThe documents look intimidating and use technical languageThe sections on intended use, limitations, and known biases are written for non-technical readers and directly affect business risk.Before deploying any AI tool, spend 20 minutes reading the 'limitations' and 'intended use' sections of its documentation.
The vendor is liable for AI behaviorProduct liability law applies in other contexts, so it feels like it should apply hereRegulators in the EU, US, and UK place primary accountability on the deploying organization, not the model builder.Your AI usage policy, not the vendor's terms of service, is your primary legal protection.
Small teams don't need formal governanceGovernance sounds like something only large enterprises doThe EEOC and ICO both apply to organizations of any size. A 12-person consultancy using AI in hiring has the same obligations as a Fortune 500 company.A one-page AI usage policy with three named responsibilities is better than no policy at all.
If the AI tool is 'general purpose,' it doesn't need documentationChatGPT or Copilot feels like a productivity tool, not a decision-making systemAny AI output that influences a decision about a person, hiring, performance, credit, health, triggers regulatory scrutiny regardless of the tool's general-purpose nature.Document how general-purpose AI tools are used in specific workflows, not just that they exist.
Five common beliefs about AI governance compared with the regulatory and operational reality.

What Actually Works: A Practical Governance Approach for Non-Technical Teams

Effective AI governance for non-technical teams does not require a dedicated compliance department or a six-figure consulting engagement. It requires three things done consistently: an inventory of what AI tools are in use and what decisions they influence, a clear assignment of who is accountable for each tool's outputs, and a simple documentation trail that shows you thought about risk before deploying. Organizations that do these three things, even informally, are dramatically better positioned when a regulator asks questions or a client raises concerns. The ones that cannot answer 'who approved this tool and what review process exists' are the ones that face prolonged investigations and reputational damage.

The most practical starting point is what governance professionals call an AI use register, essentially a spreadsheet that lists every AI tool your team uses, what it's used for, what data it accesses, who approved it, and what human review process exists for its outputs. This sounds mundane, but it is the foundation of every mature AI governance program. Microsoft Copilot, Google Gemini for Workspace, Notion AI, Grammarly Business, and similar tools all touch business data and influence business outputs. A register forces the conversation: 'Do we actually know what this tool is doing with our client data? Does our legal team know we're using it?' Many teams discover, when they build this register for the first time, that they are using four to seven AI tools that nobody formally approved.

Documentation does not need to be elaborate to be effective. A two-page 'AI tool use record' for each deployed tool, covering its purpose, its known limitations, the name of the business owner, the data it accesses, and the human review step before outputs affect real decisions, creates a defensible paper trail. If your organization uses ChatGPT Enterprise for drafting client reports, that record should note: who approved it, that outputs are reviewed by a named senior consultant before client delivery, and that it is not used for final legal or financial advice. That level of documentation takes 30 minutes to create and provides substantial protection. The absence of it, by contrast, is what turns an AI error into a regulatory incident.

Start With a 15-Minute AI Tool Audit

Open a blank spreadsheet. List every AI tool your team uses, including tools embedded in products you already use, like Copilot in Microsoft 365, AI features in Salesforce, or smart replies in Gmail. For each one, write down: (1) what decisions or outputs it influences, (2) whether a human reviews those outputs before they affect a client or employee, and (3) whether anyone formally approved its use. You will almost certainly find gaps. Those gaps are your governance priorities. This exercise costs nothing and takes 15 minutes. It is the single most useful thing you can do before your organization faces any kind of AI-related audit or complaint.
Build Your Team's AI Use Register

Goal: Create a working AI use register for your team that identifies every AI tool in use, its business purpose, its known limitations, and who is accountable for its outputs.

1. Open a new spreadsheet in Excel, Google Sheets, or Notion. Create six column headers: Tool Name, What We Use It For, Data It Accesses, Known Limitations, Business Owner (Name), and Human Review Step. 2. List every AI tool your team currently uses. Include embedded AI features. Copilot in Word or Outlook, AI features in your CRM, Grammarly Business, Canva AI, ChatGPT, Claude, Gemini, or any other tool. 3. For each tool, open the vendor's website and find their documentation, model card, or responsible AI page. Spend 10 minutes reading the 'limitations' or 'intended use' section. Note any limitations that are relevant to how your team uses the tool. 4. In the 'Data It Accesses' column, record whether each tool accesses client data, employee data, financial data, or only internal non-sensitive content. Flag any tool that accesses personal data about clients or employees with a red highlight. 5. For each tool, identify the person on your team who is the de facto business owner, the person who would need to explain to a senior leader or regulator why the tool is used and how. Write their name in the Business Owner column. 6. For each tool, describe the human review step that exists before AI outputs influence a real decision. If none exists, write 'No current review process' and highlight it yellow, these are your highest-priority governance gaps. 7. Share the completed register with your manager or team lead. Identify the top two gaps, typically tools accessing personal data with no review process, and propose a simple fix: a named reviewer and a documented approval step. 8. Save the register somewhere your whole team can access and update it. Set a calendar reminder to review it quarterly, especially when your organization adopts new tools. 9. As a final step, use ChatGPT or Claude to draft a one-paragraph AI usage policy for your team based on what you found in the register. Paste the register contents and ask: 'Based on these tools and their uses, draft a plain-language AI usage policy for a non-technical team that addresses data access, human review requirements, and accountability.'

Frequently Asked Questions

  • Q: Do I really need governance documentation if I'm just using ChatGPT for writing emails? A: For purely internal drafting with no client or employee data involved, the risk is low, but you still need a policy that defines what 'internal only' means and prevents accidental misuse. The moment AI touches data about real people or produces outputs that go to clients, documentation becomes important.
  • Q: What's the difference between a model card and a system card? A: A model card describes a specific AI model's capabilities, training data, and known limitations, it's the technical profile of the AI itself. A system card describes how a model has been deployed in a specific product, including safety measures added on top of the base model. For example, OpenAI publishes system cards for GPT-4 as deployed in ChatGPT, which is more relevant to business users than the raw model card.
  • Q: Our vendor says their AI is 'compliant with GDPR.' Does that mean we don't need our own documentation? A: No. A vendor can be GDPR-compliant in how they process data on their infrastructure while your organization still has separate obligations as the data controller. You are responsible for having a lawful basis for using personal data with any AI tool, documenting that basis, and ensuring data subjects' rights can be honored. The vendor's compliance does not satisfy your compliance.
  • Q: How often should we update our AI use register? A: At minimum, quarterly, and immediately whenever your team adopts a new AI tool or a vendor significantly updates an existing one. Model updates can change behavior in ways that affect your risk profile. HireVue, for example, updated its assessment model in 2021 in ways that changed scoring characteristics. Organizations using it needed to revalidate their processes.
  • Q: Who should own the AI use register. IT, HR, Legal, or a business manager? A: The most effective ownership model is a business manager maintaining the register with Legal reviewing it quarterly and IT providing technical details on data access. If you put it entirely in IT's hands, the business context gets lost. If Legal owns it alone, it becomes a compliance artifact nobody uses. The business manager who actually uses the tools is the right primary owner.
  • Q: What if our organization is small, say, under 50 people? Do these rules still apply? A: Yes, for any AI use that affects decisions about people. The UK ICO has issued enforcement actions against organizations with fewer than 20 employees for unlawful automated decision-making. The EU AI Act includes SME provisions that simplify some requirements but do not eliminate accountability for high-risk uses like hiring, credit, or HR decisions. Small size reduces your administrative burden, not your legal exposure.

Key Takeaways from Part 1

  • AI governance is a business responsibility, not just a technical one. Every AI tool that influences decisions needs a named business owner outside of IT.
  • Model documentation contains plain-language sections on limitations and intended use that every manager deploying AI tools should read before rollout, not just data scientists.
  • The organization deploying an AI tool carries primary regulatory accountability for its outputs, not the vendor who built it. This is the position of the EU AI Act, the US EEOC, and the UK ICO.
  • An AI use register, a simple spreadsheet listing tools, uses, data access, and human review steps, is the foundation of any practical governance approach, regardless of organization size.
  • The most common governance gap is AI tools accessing personal data (client or employee) with no human review step before outputs influence real decisions. Identifying and closing those gaps is the immediate priority.

Three Myths That Get Professionals Into Trouble

Most professionals working with AI tools carry at least one of three beliefs about model documentation that feel reasonable, until an audit, a legal question, or a failed AI project exposes them as wrong. These aren't fringe misunderstandings. They show up in boardrooms, HR departments, marketing teams, and compliance meetings every week. The cost of holding them isn't theoretical. Companies have faced regulatory fines, discrimination lawsuits, and reputational damage because their teams operated on these assumptions. Here are the three beliefs, why they're wrong, and what to replace them with.

Myth 1: 'The AI Vendor Handles All the Documentation'

This is the most common and most dangerous assumption. When a company buys a subscription to an AI tool, say, Microsoft Copilot for their sales team or an AI-powered resume screener for HR, they often assume the vendor has taken care of the governance paperwork. The vendor built the model, after all. They run the servers. They have compliance teams and lawyers. Surely the documentation burden lives with them. This assumption feels especially convincing when vendors provide detailed terms of service, privacy policies, and occasional whitepapers about their AI safety practices.

The reality is that vendor documentation covers the vendor's responsibilities, not yours. When your HR team uses an AI screening tool to filter 500 job applications down to 20, your organization made that decision. You chose that tool. You applied it to your specific hiring context, your job descriptions, your candidate pool. If a rejected candidate claims the process was discriminatory, the question regulators ask is not 'what did the vendor document?' It's 'what did you document about how you chose this tool, what you tested before deploying it, and how you monitored it afterward?' The vendor's model card doesn't answer those questions. Only your internal governance records do.

The EU AI Act makes this split explicit. It distinguishes between obligations for AI 'providers' (the companies that build AI systems) and 'deployers' (organizations that put those systems to use in their own workflows). Deployers, which includes almost every non-technical professional reading this, have their own documentation requirements. These include keeping records of how the system was used, what data it processed, what human oversight was in place, and what risk assessments were conducted before deployment. A vendor's documentation is a starting point, not a finish line.

The Deployer Gap

Even the most thorough vendor documentation cannot substitute for your organization's own records. If you use an AI tool to make or influence decisions about people, hiring, lending, performance reviews, content moderation, you are a deployer, and you have documentation obligations that no vendor can fulfill on your behalf. Ask your legal or compliance team: 'What do we need to document when we deploy this tool?' before you go live.

Myth 2: 'Documentation Is a One-Time Setup Task'

The second myth is about timing. Many teams treat AI documentation the way they treat software installation guides, something you do once at the beginning, file away, and never touch again. A manager signs off on an AI tool, someone in IT or operations fills out an intake form, and the governance box gets checked. Six months later, the tool is being used in ways nobody originally anticipated, the vendor has updated the underlying model twice, and the original documentation describes a system that no longer exists. Nobody noticed because nobody was watching.

AI models are not static software. Vendors update them continuously, sometimes with major capability changes, sometimes with subtle shifts in how the model weights certain inputs. When OpenAI updates GPT-4, the model your team used last quarter is not the same model they're using today. This matters enormously for governance. A bias test conducted on an earlier version of a model may not hold for the current version. A risk assessment completed before a vendor added a new feature may miss entirely new categories of risk. Documentation that doesn't reflect the current state of the system is worse than no documentation, it creates false confidence.

Leading organizations treat AI documentation as a living record, not a filing cabinet. They schedule quarterly reviews of active AI deployments. They designate someone, often a department head or operations manager, not a technical specializt, as the responsible owner for each tool. That person's job is to check for vendor updates, confirm the tool is still being used as originally approved, and flag any changes for re-review. This doesn't require a technical background. It requires the same discipline you'd apply to renewing a vendor contract or reviewing a budget line item.

Quarterly AI Tool Review. Prompt for a Non-Technical Manager

Prompt

I manage a marketing team of 12 people. We've been using an AI writing assistant (Claude Pro) for about six months to help draft email campaigns, social media posts, and internal reports. I need to conduct a quarterly governance review of this tool. I'm not technical. Help me write a one-page internal review memo that covers: how we're currently using the tool, any risks we should flag, what we should check with the vendor, and whether we need to update our original risk documentation. Keep the language appropriate for our legal and compliance team.

AI Response

QUARTERLY AI TOOL REVIEW MEMO Tool: Claude Pro (Anthropic) | Department: Marketing | Review Period: Q2 2024 | Prepared by: [Manager Name] CURRENT USE SUMMARY Our team uses Claude Pro to draft first versions of email campaigns, social media content, and internal communications. All AI-generated content is reviewed and edited by a human team member before publication or distribution. The tool is accessed via individual accounts under our company subscription. Estimated usage: approximately 40 hours per week across the team. RISKS TO FLAG — Brand voice consistency: AI drafts occasionally use phrasing that doesn't match our established tone. Current mitigation: mandatory human review before any content goes live. — Data input risk: Two team members have pasted client names and campaign details into prompts. This may conflict with our data handling policy. Recommend immediate clarification with legal on what information can be shared with third-party AI tools. — Attribution: No current policy on disclosing AI assistance in client-facing materials. This may need review. VENDOR CHECK ITEMS — Has Anthropic updated Claude Pro's underlying model since our last review? If so, what changed? — Does our current subscription tier cover commercial use of generated content? — What are the current data retention and privacy terms for our inputs? DOCUMENTATION UPDATE NEEDED? Yes. Our original intake form did not anticipate client data being used in prompts. Recommend updating our approved-use policy and retraining the team on input hygiene before next quarter.

Myth 3: 'If the AI Makes a Mistake, We're Not Responsible'

The third myth is the most legally consequential. It goes something like this: 'We just used the tool the way it was designed to be used. If the AI gave us bad information and we acted on it, that's on the vendor, not us.' This belief is understandable, it mirrors how we think about other professional tools. If a calculator has a bug and produces wrong numbers, the manufacturer has a problem. But AI decisions are different, particularly when they affect other people. Courts and regulators in multiple jurisdictions have established that human oversight is a non-negotiable requirement when AI influences consequential decisions.

The clearest real-world example comes from hiring. Several companies using AI-powered resume screening tools faced EEOC scrutiny not because the vendor's tool was fraudulent, but because the deploying company failed to conduct independent bias testing before use, failed to maintain documentation of how decisions were made, and failed to provide human review of edge cases. The vendor's disclaimer that the tool 'may produce biased outputs in some contexts' was in the terms of service. The company accepted those terms. Responsibility followed. Good documentation, specifically, records showing you assessed the risk, tested the tool in your context, and maintained human oversight, is your primary defense.

Myth vs. Reality: A Direct Comparison

The MythWhy It Feels TrueThe RealityWhat It Means for You
The vendor handles all documentationVendors provide privacy policies, model cards, and compliance whitepapersVendors document their system; you must document your deployment, use case, and oversightYour organization needs its own records for every AI tool that touches decisions about people
Documentation is a one-time taskIntake forms and approval processes feel like a completed stepAI models update continuously; documentation must reflect the current system, not the one you approved six months agoAssign a quarterly review owner for each active AI tool, no technical skills required
AI errors aren't our responsibilityWe're the customer, not the developer; the vendor accepted liability in their termsDeployers are responsible for oversight, testing, and human review of consequential AI decisions'The AI did it' is not a defense. Your documentation of oversight is your legal protection
Only technical teams need to understand AI governanceAI systems involve code, models, and data, technical territoryMost governance decisions are about policy, process, and human oversight, not codeManagers, HR leads, compliance officers, and department heads are core governance actors
Common AI governance myths compared to regulatory and operational reality

What Actually Works: Building Governance Into Normal Work

The organizations that handle AI governance well don't treat it as a separate compliance project. They fold it into workflows that already exist. Vendor onboarding processes get an AI-specific checklist. Quarterly business reviews include a standing agenda item on active AI tools. Job descriptions for roles that use AI heavily include a line about documentation responsibilities. None of this requires a new department or a technical hire. It requires attaching governance habits to existing habits, the same way expense reporting gets attached to travel booking, or data security reminders get attached to new employee onboarding.

The practical minimum for most non-technical teams is a three-part record for each AI tool in active use. First, an intake document: what the tool does, what decisions it influences, what data it processes, and what human review process exists. Second, a risk note: what could go wrong, who is affected, and what you've done to reduce that risk. Third, a change log: any updates to the tool, changes in how it's used, or incidents that occurred. This doesn't need to live in specialized software. A shared folder with three structured documents per tool is a defensible starting point for most organizations below enterprise scale.

The most effective governance cultures also normalize asking the question 'what does the documentation say?' before expanding or changing how an AI tool is used. A sales team that starts using their AI email assistant to also draft client proposals is making a meaningful change, new use case, potentially new risk profile, potentially new data types involved. That change should trigger a brief review, not because regulators are watching every keystroke, but because the original approval was for a specific use. Scope creep in AI deployment is one of the most common ways organizations drift from a low-risk use case into a high-risk one without realizing it.

The Monday Morning Minimum

You don't need a governance framework built before you can act. This week: open a shared document, list every AI tool your team uses regularly, and for each one write two sentences, what you use it for, and who reviews the output before it affects a decision or goes to a client. That list is the foundation of your documentation. You can build from there.
Build a Lightweight AI Tool Registry for Your Team

Goal: Create a practical, usable AI tool registry that documents your team's current AI deployments, establishes clear ownership, and identifies any immediate governance gaps, without requiring technical expertise.

1. Open a new document in whatever tool your team already uses. Google Docs, Word, Notion, or even a shared spreadsheet. Title it '[Team Name] AI Tool Registry, [Current Month/Year]'. 2. List every AI tool your team currently uses, even casually. Include ChatGPT, Copilot, Grammarly AI, Canva AI, any AI features inside your CRM or project management tool, and any vendor-supplied AI tools. Don't filter, if someone on your team uses it for work, it goes on the list. 3. For each tool, write one sentence describing what your team actually uses it for. Be specific: not 'writing help' but 'drafting first versions of cold outreach emails for enterprise prospects.' 4. For each tool, answer this question: 'Does this tool influence decisions about other people, hiring, performance, client selection, credit, content shown to audiences?' Mark each as YES, POSSIBLY, or NO. 5. For every tool marked YES or POSSIBLY, write one sentence describing what human review step exists before the AI output affects a real decision. If there is no review step, write 'GAP, no human review currently in place.' 6. Assign an owner to each tool, one person on your team who is responsible for staying current on vendor updates and flagging changes. This doesn't have to be the heaviest user; it should be whoever has the clearest view of how the tool is being used. 7. Set a calendar reminder for 90 days from today titled 'AI Tool Registry Review.' At that review, each tool owner checks for vendor updates, confirms the use description is still accurate, and updates the document. 8. Share the completed registry with your manager, legal contact, or compliance team and ask: 'Are there tools on this list that need a more formal risk assessment?' Use their response to prioritize next steps. 9. Save the registry in a location the whole team can access, and link to it from whatever onboarding document or team handbook you use so new team members know it exists from day one.

Frequently Asked Questions

  • Q: We're a small business with no compliance team. Do these documentation standards actually apply to us? A: Scale affects complexity, not obligation. If you use AI tools that influence decisions about employees, customers, or the public, basic documentation is good practice regardless of company size, and in regulated industries like finance, healthcare, or hiring, it may be legally required even for small operators. Start with the lightweight registry above and grow from there.
  • Q: Our vendor says their tool is 'compliant with all relevant regulations.' Doesn't that cover us? A: No. Vendor compliance statements typically cover the vendor's own obligations around data security, privacy, and model development. They do not cover how you deploy the tool, what decisions you use it to inform, or whether your oversight processes meet applicable standards. You need your own records.
  • Q: How detailed does our documentation actually need to be? We don't have time to write essays for every tool. A: For most non-high-risk tools, three things suffice: what the tool does in your context, what human review exists, and a note of any vendor changes or incidents. For tools that influence consequential decisions, hiring, credit, performance management, more detail is warranted. Match depth to risk level.
  • Q: If we document a risk and then it happens, doesn't that documentation hurt us legally? A: Generally, no, and often the opposite is true. Documentation showing you identified a risk and took reasonable steps to mitigate it demonstrates due diligence. The legal exposure comes from risks you should have identified but didn't, or from identified risks you ignored. Honest documentation of risk plus documented mitigation is a defensible posture.
  • Q: Who should own AI governance documentation in a typical mid-size company. IT, legal, or operations? A: All three have roles, but ownership often works best when it's distributed by tool rather than centralized by function. The team that uses a tool most heavily should own its documentation, with legal and IT serving as reviewers. A central registry owned by operations or a designated AI coordinator keeps the whole picture visible.
  • Q: Our AI vendor updated their model last month and didn't tell us. What should we do? A: First, check the vendor's release notes or changelog, most major vendors (Anthropic, Microsoft, Google, OpenAI) publish these. Second, review whether the update affects any of the risk assessments or use cases you documented. Third, if you use the tool for consequential decisions, consider running a brief spot-check: give it the same test inputs you used during original evaluation and see if outputs have changed meaningfully. Update your documentation to reflect the new version.

Key Takeaways from Part 2

  1. Vendor documentation covers the vendor. Your organization's documentation covers your deployment, your use case, and your oversight, and no vendor can provide that for you.
  2. AI models change continuously. Documentation that described your tool accurately at launch may describe a different system today. Quarterly reviews are a practical minimum.
  3. 'The AI made the decision' is not a legal defense. Deployers, the organizations that use AI tools, bear responsibility for oversight, testing, and human review of consequential outputs.
  4. Most AI governance work is not technical. Policy decisions, oversight processes, risk assessments, and documentation are management and operations functions, not engineering ones.
  5. A lightweight AI tool registry, even a simple shared document, is a defensible starting point that most teams can build in under two hours.
  6. Scope creep is a governance risk. When a team starts using an AI tool for purposes beyond what was originally approved, that change should trigger a brief re-review, not just proceed silently.

Model Documentation and Governance: What Most Professionals Get Wrong

Most professionals believe that AI governance is a technical problem for IT departments, that documentation only matters when something goes wrong, and that small organizations are too small to need formal AI oversight. All three beliefs create real risk. They delay accountability, expose organizations to regulatory penalties, and leave employees without the guardrails they need to use AI responsibly. The corrected picture is more empowering than the myths, because it puts governance squarely in the hands of business professionals, not just engineers.

Myth 1: AI Governance Is an IT Problem

This is the most common deflection in organizations adopting AI. Managers assume that because AI tools involve software, the responsibility for governing them belongs to the technology team. In practice, IT can configure access controls and security settings, but they cannot govern how a hiring manager uses ChatGPT to screen resumes, how a sales director uses Copilot to draft proposals, or how an HR team uses AI to summarize performance reviews. Those decisions live in business units, which means accountability does too.

The EU AI Act, which took effect in 2024, makes this explicit. It assigns compliance obligations to 'deployers', organizations that put AI systems into use, not just vendors who build them. A company using a high-risk AI tool for employment decisions is legally responsible for documenting how that tool is used, what data it processes, and how human oversight is maintained. That documentation cannot be outsourced to a software vendor or an IT help desk.

The better mental model: think of AI governance the way you think of financial compliance. Your CFO doesn't expect IT to manage expense reporting policy. Finance owns those rules because finance understands the risk. AI governance works the same way. Business leaders who own the workflows must own the documentation and oversight of the AI tools running inside those workflows.

Regulatory Reality

Under the EU AI Act and emerging US state-level AI laws, 'we left it to IT' is not a compliance defense. Deploying organizations, meaning your company, not your software vendor, bear documentation and oversight obligations. Business unit leaders are the deployers.

Myth 2: Documentation Only Matters When Something Goes Wrong

This reactive mindset treats AI model documentation like an insurance policy you only read after a crash. But documentation serves a proactive function that most professionals miss entirely: it forces clarity before deployment. When a team writes down what an AI tool is supposed to do, what data it uses, and who reviews its outputs, they almost always discover ambiguities and risks they hadn't considered. The act of documenting is itself a risk management exercise.

The NIST AI Risk Management Framework, published in 2023, structures this proactively across four functions: Govern, Map, Measure, and Manage. 'Govern' comes first, establishing policies and roles before any tool goes live. Organizations that follow this sequence consistently report fewer incidents and faster remediation when issues do arise, because accountability is already assigned and processes are already documented.

Documentation also protects employees. When a marketing manager uses Gemini to draft client communications, a documented policy tells them: what to review, what to disclose, and what topics are off-limits. Without that, they're making judgment calls alone. Good governance documentation is, in practice, a set of clear instructions that reduces cognitive load and decision fatigue for everyone using AI day-to-day.

Creating a Lightweight AI Use Policy for a Business Unit

Prompt

I'm a marketing director at a mid-sized consulting firm. We've started using ChatGPT Plus and Canva AI in our team. I need to create a simple, one-page AI use policy for my department, not technical, just practical. It should cover: what we can use AI for, what we must always review before sending, what we should never put into AI tools, and who to contact if something seems wrong. Write this as a clear, professional policy document.

AI Response

**Marketing Department AI Use Policy** *Effective immediately, reviewed annually* **Approved Uses** Team members may use ChatGPT Plus and Canva AI for drafting client communications, creating presentation content, summarizing research, generating social media copy, and producing internal reports. AI tools may assist any task where a human reviews and approves the final output before it reaches a client or is published externally. **Required Human Review** All AI-generated content must be reviewed by a team member before sending to clients, publishing, or including in formal proposals. Review means reading for accuracy, tone, and factual correctness, not just a quick scan. You are responsible for everything that goes out under your name or the firm's brand. **Never Input the Following** - Client names, contract details, or confidential project information - Employee personal data, salaries, or performance records - Proprietary methodologies or unreleased research - Any information marked Confidential or under NDA **When Something Seems Wrong** If AI output appears biased, factually incorrect in a significant way, or potentially harmful, do not publish or send it. Flag it to your manager and email our AI oversight contact: [designated contact]. **Accountability** Using AI tools is a professional responsibility. This policy does not replace your judgment, it supports it.

Myth 3: Small Organizations Don't Need Formal AI Governance

The assumption is that governance frameworks are enterprise bureaucracy, relevant for banks and hospitals but overkill for a 20-person consultancy or a regional school district. This conflates scale with risk. A small HR firm using AI to screen job applicants carries exactly the same discrimination risk as a large one. A small healthcare practice using AI to summarize patient intake forms faces the same privacy obligations. Risk is tied to use case, not headcount.

The practical solution for smaller organizations isn't a 200-page governance framework, it's a proportionate one. A one-page AI use policy per department, a simple log of which tools are in use and for what purpose, and a named person responsible for reviewing AI-related concerns is genuinely sufficient for most small organizations. That's not bureaucracy. That's an afternoon of work that creates clarity for everyone.

MythWhy It's WrongBetter Mental Model
AI governance is IT's responsibilityIT manages access; business units own workflows and accountabilityGovernance follows the workflow owner, not the tool administrator
Documentation only matters after incidentsDocumentation prevents incidents by forcing pre-deployment clarityWriting it down is the risk management exercise, not the record of failure
Small organizations don't need governanceRisk is tied to use case, not organization sizeProportionate governance, one page, one owner, is enough and legally protective
Three governance myths versus the corrected reality for business professionals.

What Actually Works in Practice

Effective AI governance in non-technical teams comes down to three repeatable habits. First: name an owner. Every AI tool in active use should have a designated person, not a committee, not a vendor, who is responsible for reviewing how it's being used and updating the policy when the tool or its use changes. This doesn't require technical expertise. It requires organizational awareness and accountability.

Second: use a simple AI inventory. A shared spreadsheet listing every AI tool in use, the department using it, the purpose, the data it touches, and the review date is genuinely sufficient for most organizations to demonstrate governance intent. Regulators and auditors look for evidence of systematic thinking, not perfection. A maintained, honest inventory signals that your organization is taking this seriously.

Third: make review a workflow step, not an afterthought. The highest-leverage governance habit is treating AI output review as a named step in your process, the same way you'd treat legal review of a contract or a manager's sign-off on a budget. When 'review AI output' is a checkbox in your workflow, not an implicit expectation, it actually happens. That single habit closes more governance gaps than most formal policies ever do.

Start Monday With This

Open a shared Google Sheet or Notion page. Add three columns: Tool Name, Who Uses It, What For. List every AI tool your team currently uses. That's your AI inventory. It takes 20 minutes and immediately gives you a governance foundation most organizations don't have.
Build Your Department's AI Governance Starter Kit

Goal: Create a practical, one-page AI governance document for your team using free AI tools, something you can actually use and share by end of week.

1. Open ChatGPT (free version works) or Claude.ai and start a new conversation. 2. Type your role, your team size, and list 2-3 AI tools your team currently uses or is considering. 3. Ask the AI to draft a one-page AI use policy for your department covering: approved uses, required review steps, prohibited data inputs, and an escalation contact. 4. Read the output carefully. Edit any section that doesn't match your organization's actual context or culture. 5. Add a second prompt asking the AI to generate a simple 5-row AI inventory table with columns: Tool Name, Department, Purpose, Data Touched, Review Date. 6. Fill in the inventory rows based on your team's actual tool usage, be honest and specific. 7. Combine the policy and inventory into a single Google Doc or Word document. 8. Share it with one colleague or your manager and ask for one piece of feedback. 9. Set a calendar reminder to review both documents in 90 days. AI tool usage changes fast, and your governance document should keep up.

Frequently Asked Questions

  • Do I need a lawyer to create an AI use policy? No. A department-level AI use policy is an internal operational document, not a legal contract. You can draft it with AI assistance and have a manager approve it. Involve legal counsel only if your policy touches regulated data like health records, financial data, or hiring decisions.
  • What's the difference between an AI policy and model documentation? A use policy tells employees how to behave with AI tools. Model documentation describes the AI system itself, its purpose, training data, known limitations, and performance metrics. Vendors typically provide model documentation (look for a 'model card' or 'system card'); your policy governs how your team uses that system.
  • How often should we update our AI governance documents? Review them whenever you adopt a new AI tool, when a tool releases a major update, when your use case changes significantly, or at minimum every six months. AI capabilities change faster than most other software, your governance documents need to keep pace.
  • What if employees are using AI tools we haven't officially approved? This is called 'shadow AI' and it's common. Your inventory exercise will likely surface it. The right response is to assess those tools using your standard criteria and either formally approve them with guidelines or provide an approved alternative, not to ban AI use outright, which drives it further underground.
  • Does documenting AI use create legal liability? The opposite is more accurate. Documented, supervised AI use demonstrates responsible deployment. Undocumented, ungoverned AI use is what creates liability, because you cannot show you exercised oversight when something goes wrong.
  • What's the minimum viable governance for a very small team? Three things: a list of approved tools, one rule about what data must never go into AI systems, and one named person to contact with concerns. That's genuinely enough to start. You can build from there as your use matures.

Key Takeaways

  • AI governance is a business responsibility, not an IT function, accountability follows the workflow, not the technology.
  • Documentation is a proactive risk management tool, not a post-incident paperwork exercise.
  • Risk is determined by use case, not organization size, a small team using AI for hiring carries the same legal exposure as a large one.
  • A maintained AI inventory and a one-page use policy are sufficient governance foundations for most non-technical teams.
  • Making 'review AI output' an explicit workflow step, not an implicit expectation, is the highest-leverage governance habit available to business professionals.
  • Regulators and auditors look for evidence of systematic thinking. An honest, maintained governance document signals that, even if it isn't perfect.

Featured Reading

This lesson requires Pro+

Upgrade your plan to unlock this lesson and all other Pro+ content on the platform.

Upgrade to Pro+

You're currently on the Free plan.

Practice this in a lab

Navigate a Regulatory Collision in Real-Time

advanced · 8 min

Write AI Governance Prompts for a Hospital Procurement Team

advanced · 10 min