Build Controls That Actually Stick
Building organizational AI Governance
When Good Intentions Aren't Enough: The Case for Formal AI Governance
In early 2023, a mid-sized recruitment firm in London called Tribepad faced a problem that was invisible until it wasn't. Their HR clients had been quietly using AI screening tools, some approved, some not, to filter job applications. Individual hiring managers were making their own calls about which tools to use, what prompts to run, and how much weight to give the outputs. Nobody had written a policy. Nobody had assigned accountability. Then a candidate complained that they had been screened out unfairly, and the firm had no paper trail, no audit log, and no clear answer about which system had made which recommendation. The reputational damage was immediate and the legal exposure was real.
What Tribepad experienced wasn't a technology failure. The AI tools themselves were functioning as designed. The failure was organizational, a gap between the speed at which AI adoption spread across the business and the speed at which leadership built any structure around it. This is the central tension in AI governance: tools that are easy to access, fast to deploy, and genuinely useful can outrun an organization's ability to use them responsibly. When that happens, the risks don't stay theoretical. They show up as complaints, audits, and headlines.
The lesson Tribepad took away, and that many organizations are now learning the hard way, is that governance isn't a bureaucratic overhead you add after something goes wrong. It's the structure that lets people use AI confidently and consistently, knowing what's allowed, who's accountable, and what happens when something doesn't work as expected. This lesson is about building that structure inside your organization, regardless of whether you're a team of five or a division of five thousand.
The Principle: Structure Enables Speed
The instinct many leaders have is that governance slows things down, that adding policies and approval processes will throttle the creativity and productivity gains AI can deliver. The Tribepad case suggests the opposite. Without governance, teams move fast but inconsistently. Some employees use AI extensively; others avoid it entirely because they're unsure what's permitted. Decisions get made without documentation. Risk accumulates silently. When something goes wrong, the organization can't explain what happened. Governance, done well, doesn't slow adoption. It makes adoption sustainable, defensible, and scalable.
What AI Governance Actually Means
How One Retailer Built Governance From the Ground Up
In 2023, John Lewis Partnership, one of the UK's largest employee-owned retailers, began rolling out Microsoft Copilot to staff across buying, HR, and customer operations. Rather than issuing a blanket approval and letting departments figure it out, the partnership took a different approach. They created a small internal working group, not a tech team, but a cross-functional group including a buying manager, an HR business partner, and a legal advisor, and tasked them with writing a plain-English AI use policy before any broad rollout began. The policy covered three things: which tools were approved, what kinds of tasks they could be used for, and what information staff must never paste into an AI system.
What made the John Lewis approach effective wasn't its sophistication: the initial policy was four pages. It was the fact that it existed, was communicated clearly, and had a named owner who could be asked questions. Staff knew where to look. Managers knew what to say when a team member asked whether they could use Copilot to draft a supplier email. The policy created a shared reference point that replaced the fog of individual guesswork with a consistent organizational position.
The working group also built in a quarterly review cycle: three months after launch, they gathered feedback from the teams using Copilot and updated the policy based on real usage patterns. New use cases that emerged got formally approved or flagged as out of scope. This iterative approach meant governance stayed connected to reality rather than becoming a static document nobody reads. It also meant staff felt heard, which increased compliance rather than resistance.
Prompt
I need to write an email to one of our fabric suppliers explaining that we're reducing our order volume for next quarter by approximately 20% due to slower-than-expected sales in our homeware category. The tone should be professional but warm, we want to preserve the relationship. Please draft this email for me. Do not include any specific pricing, contract terms, or supplier names in your draft.
AI Response
Subject: Upcoming Order Adjustment - Q3 Planning

Dear [Supplier Contact Name],

I hope this finds you well. I'm writing to give you advance notice of a planned adjustment to our order volumes for the coming quarter, so you have time to plan accordingly.

Due to softer-than-anticipated sales performance in our homeware category, we'll be reducing our fabric order for Q3 by approximately 20% compared to our most recent forecast. We want to be transparent with you early rather than leaving this as a last-minute change.

This adjustment reflects current trading conditions rather than any concern about the quality or service we receive from your team, both of which continue to meet our expectations. We remain committed to this partnership and anticipate returning to previous volume levels as trading conditions improve.

Would you be available for a brief call this week to discuss how we manage this together? I'm happy to work around your schedule.

Please treat this communication as commercially sensitive and not for onward distribution.

Warm regards,
[Your Name]
Buying Manager
Notice What the Prompt Did
A Different Industry, the Same Problem
Healthcare provides some of the starkest examples of AI governance gaps because the stakes are so visible. In 2022 and 2023, several NHS trusts in England began piloting AI tools for administrative tasks: drafting patient letters, summarising clinical notes, scheduling follow-ups. The tools were saving real time: one trust estimated that administrative staff were recovering around 90 minutes per day. But a report from the Health Services Safety Investigations Body flagged a consistent problem: different departments within the same trust were using different AI tools, with no shared standard for what patient information could be processed and no audit trail for AI-assisted communications.
The risk wasn't hypothetical. A patient letter drafted with AI assistance that included an error (a wrong date, a misread name) could cause real harm. And if that letter was challenged, the trust needed to be able to explain exactly how it was produced. Without governance, they couldn't. The NHS response has been to develop a national framework for AI use in administrative functions, essentially a governance template that individual trusts can adapt. The lesson for any organization is clear: when AI outputs can have real consequences for real people, the governance question isn't optional.
Comparing Governance Approaches: What Works and What Doesn't
| Governance Approach | What It Looks Like | What Goes Right | What Goes Wrong | Best Suited For |
|---|---|---|---|---|
| No policy (ad hoc) | Staff use any AI tool they choose, however they choose, with no central visibility | Fast initial adoption, high individual flexibility | Inconsistent outputs, data risk, no accountability, legal exposure when things go wrong | Nowhere, this is the default that governance replaces |
| Blanket ban | AI tools are prohibited across the organization pending further review | Zero data risk from AI, easy to enforce initially | Staff use tools anyway on personal devices, organization falls behind competitors, talent frustration | Short-term only, while a proper policy is being written |
| Approved tool list only | A defined list of permitted tools (e.g. only Microsoft Copilot) with no further guidance on use | Reduces tool sprawl, limits data exposure through unapproved platforms | Staff still unsure what tasks are appropriate, no guidance on data inputs or output review | Early-stage governance as a starting point |
| Use-case policy | Specific tasks are approved or restricted, e.g. 'Copilot may be used for internal draft emails but not for external client communications without human review' | Clear expectations, manageable compliance, easy to train staff on | Requires more upfront work to define use cases, needs regular updating as tools evolve | Most organizations at a mature early stage |
| Full AI governance framework | Policies, roles (AI lead, department champions), audit processes, training program, incident reporting, quarterly reviews | Comprehensive accountability, scalable, audit-ready, enables confident adoption | Resource-intensive to build; requires sustained leadership commitment | Larger organizations, regulated industries, or those with significant AI usage |
What a Marketing Director Learned About Oversight
Sarah Chen is Marketing Director at a B2B software firm in Singapore with a team of twelve. In late 2023, she gave her team open access to ChatGPT Plus and Claude Pro and told them to use AI however they saw fit to speed up content production. Within six weeks, output had increased dramatically: blog posts, social media content, email sequences, and case study drafts were being produced at roughly three times the previous rate. Then a client called to say that a case study published on the firm's website attributed a quote to their CEO that the CEO had never said. A junior copywriter had used Claude to draft the case study and hadn't checked the quote, which the AI had plausibly fabricated.
Sarah's response was measured and instructive. She didn't ban AI use; the productivity gains were too significant to abandon. Instead, she introduced what she called a 'two-eyes rule': any AI-generated content that would be published externally or sent to a client had to be reviewed by a second team member before it went out. She also created a simple one-page document listing what AI tools could be used for (drafting, brainstorming, summarising research) and what required human-only work (direct quotes, client-specific facts, legal or compliance statements). The incident cost her a client relationship. The policy cost her an afternoon to write. The ratio made the lesson obvious.
AI Fabrication Is a Governance Issue, Not Just a Technical One
Putting Governance Into Practice: Where Organizations Actually Start
Most organizations don't build their AI governance framework in one sitting. They start with the most urgent gap, usually a data handling question or a specific incident, and build outward from there. A useful starting point is what governance professionals call a 'tool registry': a simple spreadsheet or shared document that lists every AI tool currently in use across the organization, who approved it, what it's being used for, and what data it can access. This sounds mundane, but it's genuinely revealing. Most organizations that do this exercise for the first time discover tools they didn't know their staff were using, including free consumer versions of AI tools that have different data handling terms than enterprise versions.
The distinction between consumer and enterprise AI tools matters enormously for governance. ChatGPT's free tier, for example, may use your conversations to train future models unless you opt out, something most employees don't know and most organizations haven't communicated. ChatGPT Plus for Teams and ChatGPT Enterprise have explicit data protection terms that prevent this. Microsoft Copilot for Microsoft 365 operates within your organization's existing Microsoft data boundary. Google Gemini for Workspace similarly operates under enterprise data agreements. The governance question isn't just 'are we using AI?'; it's 'which version, under which terms, with whose data?'
Once you know what tools are in use and under what terms, you can make informed decisions about which to approve, which to restrict, and which to replace with enterprise-grade alternatives. This is the foundation layer of AI governance. Everything else (use-case policies, accountability structures, training programs, audit processes) builds on top of it. You can't govern what you can't see. The tool registry makes the invisible visible, and that's where real governance begins.
Goal: Produce a complete first draft of your organization's AI tool registry that reveals which tools are in use, under what terms, and where your governance gaps are. This document becomes the foundation for your AI policy.
1. Open a new spreadsheet (Google Sheets, Excel, or Notion) and create columns with these headers: Tool Name, Who Uses It, What They Use It For, Free or Paid Version, Data Handling Terms Confirmed (Yes/No), Approved by organization (Yes/No/Unknown), Notes.
2. In the Tool Name column, list every AI tool you're personally aware of being used in your organization; include ChatGPT, Claude, Copilot, Gemini, Grammarly AI, Canva AI, Notion AI, and any others you've seen colleagues mention or use.
3. For each tool, fill in the 'Who Uses It' column with the team or department, even if it's just your best estimate.
4. In the 'What They Use It For' column, write a brief description of the task, for example: 'drafting client emails', 'summarising meeting notes', 'generating social media captions'.
5. In the 'Free or Paid Version' column, record what you know; if you're unsure, mark it 'Unknown' and flag it for follow-up.
6. For the 'Data Handling Terms Confirmed' column, check the tool's website or your IT/legal team to confirm whether your organization has enterprise-level data protections in place. Mark Yes, No, or Unknown.
7. In the 'Approved by organization' column, record whether each tool has been formally approved for use: Yes, No, or Unknown. Most organizations doing this for the first time will have many 'Unknowns'.
8. Add a Notes column for anything important, for example, 'used on personal devices only', 'client data sometimes included', or 'team lead unaware of data terms'.
9. Share the completed registry with one colleague or manager and ask them to add any tools you've missed. Count the number of 'Unknown' entries; that number represents your current governance gap.
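As an added example (not part of the original lesson), a small Python script that reads a registry exported with the column headers from step 1, counts the 'Unknown' entries as step 9 describes, and ranks each tool by the gaps the surrounding text highlights: unconfirmed data handling terms, free consumer tiers, and sensitive data mentioned in the use description or notes. The sample rows are constructed for illustration and the sensitive-data keyword list is an assumption you would tune to your own context.

```python
"""Gap analysis over an AI tool registry (constructed example, not the lesson's own material)."""
import csv
import io
from typing import Dict, List

# Column headers exactly as the registry exercise above defines them.
COL_TOOL = "Tool Name"
COL_USE = "What They Use It For"
COL_TIER = "Free or Paid Version"
COL_TERMS = "Data Handling Terms Confirmed"
COL_APPROVED = "Approved by organization"
COL_NOTES = "Notes"
STATUS_COLUMNS = (COL_TIER, COL_TERMS, COL_APPROVED)

# Constructed sample registry: illustrative rows, not real usage data.
SAMPLE_REGISTRY_CSV = """Tool Name,Who Uses It,What They Use It For,Free or Paid Version,Data Handling Terms Confirmed,Approved by organization,Notes
ChatGPT,Marketing,generating social media captions,Free,No,Unknown,used on personal devices only
Microsoft Copilot,HR,drafting internal emails,Paid,Yes,Yes,
Claude,Sales,summarising client calls,Unknown,Unknown,Unknown,client data sometimes included
Grammarly AI,Everyone,proofreading,Free,No,No,
Notion AI,Operations,summarising meeting notes,Paid,Yes,Yes,
"""

# Assumed keyword list: words in the use description or notes that suggest
# sensitive data is being pasted into the tool. Adjust for your organization.
SENSITIVE_HINTS = ("client", "patient", "candidate", "employee", "financial", "personal data")

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def load_registry(csv_text: str) -> List[Dict[str, str]]:
    """Parse the registry CSV into one dict per tool, trimming whitespace in every cell."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{key: (value or "").strip() for key, value in row.items()} for row in reader]


def count_unknowns(rows: List[Dict[str, str]]) -> int:
    """The lesson's gap metric: how many status cells are still marked 'Unknown'."""
    return sum(
        1 for row in rows for col in STATUS_COLUMNS if row.get(col, "").lower() == "unknown"
    )


def classify(row: Dict[str, str]) -> Dict[str, object]:
    """Turn one registry row into a list of findings and an overall risk level."""
    findings: List[str] = []
    if row.get(COL_APPROVED, "").lower() != "yes":
        findings.append("not formally approved")
    if row.get(COL_TERMS, "").lower() != "yes":
        findings.append("data handling terms not confirmed")
    if row.get(COL_TIER, "").lower() == "free":
        findings.append("free/consumer tier")
    text = f"{row.get(COL_USE, '')} {row.get(COL_NOTES, '')}".lower()
    sensitive = any(hint in text for hint in SENSITIVE_HINTS)
    if sensitive:
        findings.append("sensitive data mentioned")
    # Sensitive data going into a tool whose terms are unconfirmed (or that is a
    # consumer tier) is the combination the lesson's case studies warn about.
    if sensitive and (
        "free/consumer tier" in findings or "data handling terms not confirmed" in findings
    ):
        risk = "high"
    elif findings:
        risk = "medium"
    else:
        risk = "low"
    return {"tool": row.get(COL_TOOL, ""), "risk": risk, "findings": findings}


def gap_report(rows: List[Dict[str, str]]) -> Dict[str, object]:
    """Rank every tool by risk (high first, then by name) alongside the Unknown count."""
    entries = sorted(
        (classify(row) for row in rows), key=lambda e: (RISK_ORDER[e["risk"]], e["tool"])
    )
    return {"unknown_count": count_unknowns(rows), "tools": entries}


def format_report(report: Dict[str, object]) -> str:
    """Render the report as plain text for sharing with the colleague in step 9."""
    lines = [f"Governance gap: {report['unknown_count']} 'Unknown' entries"]
    for entry in report["tools"]:
        detail = "; ".join(entry["findings"]) or "no findings"
        lines.append(f"[{entry['risk'].upper():6}] {entry['tool']}: {detail}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(gap_report(load_registry(SAMPLE_REGISTRY_CSV))))
```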
Key Lessons So Far
- AI governance failures are almost always organizational, not technical: the tools work as designed; the problem is the absence of structure around them.
- The gap between AI adoption speed and governance readiness is where risk accumulates: the faster your organization adopts AI, the more urgently it needs a governance structure.
- A policy doesn't need to be long to be effective: the John Lewis approach started with four pages and a named owner; that was enough to create clarity.
- The distinction between consumer and enterprise AI tools is a governance issue: data handling terms vary significantly and most employees don't know the difference.
- Governance shapes individual behavior before problems occur: staff who understand the policy make better decisions when they're sitting in front of the tool.
- AI hallucination (fabricated but plausible outputs) is a known and persistent characteristic of current AI systems; your governance must include human review requirements for high-stakes outputs.
- A tool registry (knowing what AI is in use, by whom, and under what terms) is the necessary foundation before any further governance work can be meaningful.
When Policies Meet Reality: The Human Side of AI Governance
In 2023, a major UK retailer rolled out an AI-assisted hiring tool across its HR department. The policy documents were thorough. The ethics committee had signed off. The legal team had reviewed everything twice. Then a regional HR manager noticed something uncomfortable: the tool was consistently scoring candidates from certain postcodes lower than others. Nobody had programmed bias in deliberately, it had crept in through historical hiring data that reflected decades of unconscious preference. The policy existed. The governance framework existed. But no one had built a process for frontline staff to raise concerns without fear of being seen as obstructionist. The problem sat undetected for four months.
This story illustrates the most common failure point in AI governance: the gap between what the policy says and what actually happens when people use AI tools day-to-day. Governance frameworks that live only in PDF documents and annual compliance training do not protect organizations. What protects organizations is governance that is embedded in the actual workflow, visible, usable, and easy to act on in the moment a problem surfaces. The retailer eventually fixed the issue, but only after building a simple internal reporting channel specifically for AI-related concerns. That single structural change caught three further issues within the next six months.
The principle here is straightforward: governance needs feedback loops. A policy without a mechanism for people to report anomalies, ask questions, or flag discomfort is like a fire alarm with no bell. You can have all the right intentions and still leave your organization exposed because the people closest to the problem have no clear path to raise it. Building those feedback loops, making them psychologically safe, structurally simple, and genuinely acted upon, is as important as writing the policy itself.
What a Feedback Loop Actually Looks Like
The Three Layers of Governance That Actually Work
Effective AI governance operates at three distinct levels simultaneously, and organizations that treat it as a single-layer problem, usually just a policy document, consistently struggle. Think of it like building safety in a commercial kitchen. You need rules posted on the wall (policy), trained staff who know what to do when something goes wrong (people), and equipment that is physically designed to reduce risk, like cut-resistant gloves and automatic shutoffs (process). Remove any one layer and the other two carry too much weight. The same logic applies to AI governance in any professional setting, from a ten-person consultancy to a ten-thousand-person enterprise.
The first layer is organizational policy: the documented rules about which AI tools are approved, what data can be shared with them, who has authority to approve new tools, and what the consequences are for misuse. This layer is the most visible and the most commonly built, but it ages quickly. AI capabilities change fast. A policy written in January may be partially obsolete by September. Organizations that treat policy as a living document, with a scheduled review cycle of at least every six months, stay ahead of this problem. Those that treat it as a one-time exercise find themselves enforcing rules that no longer reflect how their teams actually work.
The second layer is people: who is responsible for what, and whether those people have the knowledge, authority, and time to actually do their jobs. This is where many governance frameworks quietly collapse. An organization might appoint an 'AI Ethics Lead' who is also carrying a full-time marketing role, with no budget, no team, and no formal authority to pause a tool rollout. The title exists on paper; the function does not exist in practice. Meaningful governance requires that the people accountable for it have real capacity to act. Even in smaller organizations, this means carving out dedicated time, not adding governance to an already full job description and hoping for the best.
Process as the Third Layer, and Why It's the Most Neglected
The third layer, process, is the one most organizations skip because it feels mundane compared to writing a policy or appointing a committee. But process is where governance becomes real. It answers the practical questions that employees face on a Tuesday afternoon: Do I need approval before using a new AI tool I found? Who do I ask? How long will it take? What happens if I use it anyway and something goes wrong? Without clear process answers to these questions, employees make their own decisions, often sensibly, sometimes not, and the organization loses visibility into how AI is actually being used across the business.
Prompt
I'm an HR manager at a mid-sized professional services firm (around 200 employees). We've been using AI tools in an ad hoc way, people are just downloading and using whatever they find. I need to create a simple internal process for employees to request approval to use a new AI tool. It should be quick to complete, capture the right information, and route to the right people for a decision. Can you draft a short approval request template and a simple 5-step process flow for how requests get reviewed and decided?
AI Response
**AI Tool Approval Request Template**

Employee Name & Department:
Tool Name & Website:
Proposed Use (2-3 sentences, what will you do with it?):
Data Involved (tick all that apply): ☐ Client data ☐ Employee data ☐ Financial data ☐ Internal documents ☐ No sensitive data
Free or paid? If paid, estimated monthly cost:
Have you reviewed the tool's privacy policy? ☐ Yes ☐ No
Any concerns you're already aware of?:

---

**5-Step Review Process**

1. **Submit**. Employee completes the template above and emails it to ai-requests@[yourfirm].com (monitored by the Operations Manager).
2. **Initial Screen (48 hours)**. Operations Manager checks if the tool is already on the approved or prohibited list. If approved: green light immediately. If prohibited: decline with reason. If new: proceed to Step 3.
3. **Risk Assessment (5 working days)**. IT reviews data handling. Legal flags any compliance issues. Line manager confirms business need.
4. **Decision**. Operations Manager issues approval (with any conditions), conditional approval (e.g., no client data), or rejection. Decision documented in the AI Tool Register.
5. **Notify & Log**. Employee notified by email. Tool added to the register with approval date, approved users, and next review date (6 months).

*Target turnaround: 7 working days for new tools.*
A Hospital System That Got the People Layer Right
Cedars-Sinai Medical Center in Los Angeles has been integrating AI tools into clinical and administrative workflows since the early 2020s. What distinguishes their approach is not the sophistication of the tools, it is the deliberate investment in human infrastructure around those tools. They created a dedicated AI governance committee that includes not just technologists and executives but also frontline clinical staff, patient advocates, and compliance officers. Crucially, the committee meets monthly, not quarterly, and has actual authority to pause tool deployments. When an AI-assisted diagnostic tool began producing outputs that nursing staff found inconsistent, there was a clear escalation path, and the tool was paused within two weeks pending review.
The lesson from Cedars-Sinai is not that healthcare organizations need to copy their exact structure. It is that governance bodies need decision-making authority, diverse perspectives, and a regular cadence, not just a charter. A committee that meets twice a year and can only recommend rather than decide is not a governance body; it is a discussion group. For non-healthcare organizations, the same principle applies whether you are running a marketing agency, a school district, or a logistics company. The people responsible for AI governance need to be empowered to act, not just to advise.
| Governance Element | Weak Implementation | Strong Implementation | Why It Matters |
|---|---|---|---|
| Policy Document | Written once, stored in a shared drive, rarely referenced | Living document with 6-monthly review, version history, linked to onboarding | AI capabilities change fast, outdated policies create false confidence |
| Accountability | Generic 'everyone is responsible' language | Named individuals with specific accountabilities and time allocated | Diffuse responsibility means no one acts when problems emerge |
| Reporting Channel | Generic HR inbox or 'speak to your manager' | Dedicated AI concerns channel with named owner and 5-day response SLA | Employees won't report concerns if the path is unclear or feels risky |
| Tool Approval Process | Informal, manager decides case by case | Standardized request form, documented criteria, central register | Untracked tool usage creates data and compliance exposure |
| Training | One-off launch training or annual e-learning module | Role-specific training, updated when tools change, with practical scenarios | Generic training doesn't change behavior in real workflow situations |
| Review & Audit | No scheduled review unless something goes wrong | Quarterly spot checks, annual full audit, incident log maintained | Problems compound silently without regular visibility into actual usage |
What a Sales Team's AI Misstep Taught One Consultancy About Scope
A mid-sized management consultancy (around 300 people, offices in three cities) encouraged its sales team to use AI tools for proposal writing and client research. Results were initially strong: proposals went out faster, response rates improved, and the team felt genuinely more productive. Then a senior partner received a concerned call from a long-standing client. A proposal sent to them contained detailed information about another client's internal restructuring, information that had been fed into an AI tool months earlier during a different engagement and had apparently resurfaced in a generated output. The consultancy had no data handling policy specific to AI tools. Client data had been treated the same way it would be in a private Word document. It was not.
This incident exposed a governance gap that is extremely common in professional services: the assumption that existing data policies automatically cover AI tool usage. They typically do not. When you type client information into ChatGPT or Claude, the data handling rules are those of OpenAI or Anthropic, not your firm's confidentiality agreement. Enterprise versions of these tools (ChatGPT Enterprise, Claude for Enterprise) offer stronger data protections, but only if your organization has specifically procured and configured them. The consultancy's governance failure was not malicious; it was a scope failure. Their existing policies simply had not been extended to cover a new category of tool. Building AI governance means explicitly addressing this gap, not assuming it is covered.
Consumer vs. Enterprise AI Tools: A Critical Distinction
Translating Governance Into Everyday Behavior
The ultimate test of any governance framework is not whether it satisfies an auditor; it is whether it changes what an employee does on a Wednesday afternoon when no one is watching. This requires translating abstract principles into concrete, memorable guidance that fits naturally into how people already work. The most effective organizations do this through what you might call 'decision nudges': simple reference tools that help employees make the right call in the moment without needing to read a 40-page policy document. These can be as simple as a one-page quick reference card, a checklist embedded in a project management template, or a short decision tree posted in the team's main communication channel.
A marketing team at a financial services firm created a practical example of this. They built a two-minute 'AI use checklist' into their content production workflow in Notion. Before publishing any AI-assisted content, team members answer four questions: Is any client or personal data included in this content? Has a human reviewed the factual claims? Does this content meet our compliance requirements? Are we comfortable putting our name on this? Four questions. Thirty seconds. But those four questions caught eleven compliance issues in the first three months, issues that would previously have required reactive fixes after publication. The governance framework did not change. What changed was making it frictionless to act on it.
Behavior change at scale also requires visible leadership. When employees see their manager using AI tools carefully (pausing to check a fact, declining to share client data with a consumer tool, crediting AI assistance in a document), they receive a more powerful message than any training module delivers. Governance leaders who model the behaviors they are asking for create cultures where those behaviors feel normal rather than burdensome. Conversely, when senior people visibly cut corners, using unapproved tools or skipping review steps under deadline pressure, the policy becomes background noise. The human example, positive or negative, is always the loudest signal in the room.
Goal: Create a practical, one-page reference tool that helps your team make sound AI governance decisions in their daily workflow, without needing to consult a full policy document.
1. Open a blank document in Word, Google Docs, or Notion, whatever your team uses daily.
2. At the top, write the heading: 'AI Tools: Quick Reference for Our Team' and add today's date and your name as the owner.
3. Create a section called 'Approved Tools' and list the AI tools your team is currently permitted to use. If you are unsure, list the ones you know are in active use and mark them as 'pending confirmation'.
4. Create a section called 'What You Can Use AI For' and write 3-5 specific, permitted uses relevant to your team's work (e.g., 'Drafting internal emails', 'Summarising meeting notes', 'Generating first drafts of reports').
5. Create a section called 'What Requires Approval First' and list the situations where employees should check before proceeding (e.g., 'Using a new tool not on the approved list', 'Including client names or data in a prompt').
6. Create a section called 'Never Do This' with 3-5 clear prohibitions specific to your context (e.g., 'Do not paste client financial data into consumer AI tools', 'Do not publish AI-generated content without human review').
7. Add a 'Before You Publish / Submit / Send' checklist of 4-5 yes/no questions that act as a final check.
8. Add a 'Questions or Concerns?' section with a specific name, email address, or channel where team members can raise issues.
9. Share the draft with one colleague for a five-minute review, ask them: 'Is anything unclear?' and 'Is anything missing that would have helped you last month?' Revise based on their input.
Key Lessons From This Section
- Governance frameworks fail most often not at the policy level but at the feedback and reporting level: employees who have no clear, safe way to raise concerns stay silent.
- Effective governance operates across three layers simultaneously: policy (the rules), people (accountable individuals with real authority), and process (the day-to-day mechanisms that make rules actionable).
- Policies must be treated as living documents and reviewed at least every six months. AI tool capabilities and risks evolve faster than annual review cycles can track.
- Accountability must be specific and resourced. A named individual with dedicated time is worth more than a committee with no authority or a job title bolted onto an already full role.
- Consumer and enterprise versions of AI tools carry significantly different data handling implications; existing data policies almost never cover this distinction automatically.
- Governance changes behavior only when it is embedded in actual workflows: checklists, decision nudges, and templates are more effective than standalone training modules.
- Senior leaders modeling careful AI use is one of the most powerful governance interventions available: culture follows visible behavior, not policy documents.
Making AI Governance Stick: From Policy to Practice
Historical Record
Air Canada
In 2023, Air Canada's customer service chatbot told a grieving passenger he could apply for a bereavement discount after his flight, then the airline tried to disown the advice by claiming the chatbot was a separate legal entity. A Canadian tribunal rejected that argument and held Air Canada responsible.
This case demonstrates the governance gap created when organizations deploy AI tools without clear accountability structures and responsibility frameworks.
The Air Canada case exposes a governance gap that many organizations share: they deploy AI tools quickly, then scramble to assign responsibility when something goes wrong. A policy document sitting in a shared drive does not constitute governance. Real governance means clear ownership, trained people, and a feedback loop that catches problems before a tribunal does. The principle extracted from Air Canada's mistake is blunt: if your organization benefits from an AI tool, your organization owns what that tool does.
Building governance that actually works means moving from abstract principles to operational habits. It means someone specific is accountable for each AI tool in use. It means staff know what to escalate and to whom. It means your AI policy gets reviewed when tools change, not once every three years. The organizations getting this right are not necessarily the most technologically sophisticated. They are the most disciplined about process.
The Core Principle
Accountability Without Bureaucracy
Unilever's HR team faced a concrete version of this challenge when they introduced AI-assisted CV screening across multiple markets. Different countries had different legal requirements around what candidate data could be processed, what criteria could be weighted, and how long records could be retained. Rather than applying one global setting, they built a tiered accountability model: a central AI ethics team set the non-negotiable limits, regional HR leads adapted implementation to local law, and individual hiring managers retained the final hiring decision with documented rationale. No single person carried all the risk. No decision was made without a human sign-off.
This tiered model is replicable at any scale. A 12-person marketing agency does not need a dedicated AI ethics team, but it does need one named person who owns the AI tool inventory, one agreed escalation path when a tool produces something problematic, and a quarterly check-in where the team reviews what tools they are using and whether anything has changed. The structure matches the scale.
The key insight from Unilever is that accountability works when it is specific, not general. 'The team is responsible for AI use' means no one is responsible. 'Priya owns our ChatGPT usage policy for client-facing content, and any output that goes to a client must be reviewed by the account lead before sending' is accountability. It names a person, defines a scope, and creates a checkpoint.
Prompt
I manage a 15-person sales team at a B2B software company. We use ChatGPT to help draft proposal emails, summarize discovery call notes, and create personalized follow-up messages. I want to create a simple accountability framework, not a long policy document, that tells my team what they can use AI for, what needs a human check before it goes to a client, and what they should escalate to me. Can you give me a one-page framework in plain language?
AI Response
**Sales Team AI Accountability Framework**

**What you can use AI for freely:**
- Drafting internal summaries of discovery calls (for your own notes)
- Generating first drafts of follow-up emails (must be reviewed before sending)
- Brainstorming objection-handling responses to practice with
- Summarising long product documents into key selling points

**What requires a human review before it reaches a client:**
- Any email, proposal section, or message sent externally
- Pricing language, commitment statements, or delivery timelines
- Any content that references a competitor by name
- Personalized content using a client's specific business data

**What to escalate to your manager:**
- If an AI tool produces something offensive, factually wrong, or legally sensitive
- If a client asks whether AI was used to create their proposal
- If you are unsure whether a specific use case is covered by this framework
- If a new AI tool is being considered for team use

**The non-negotiables:**
- Never paste confidential client data (financials, contracts, personal details) into a public AI tool
- Always read AI-generated content before sending: you own what you send
- If in doubt, ask before using

Review this framework every quarter. If the tools change, the framework should too.
What Good Governance Looks Like Across Industries
The BBC's editorial standards team provides a useful contrast to Air Canada. When generative AI tools became widely available, the BBC did not ban them outright, nor did it allow unrestricted use. Instead, it published clear editorial guidelines specifying that AI could assist with research and drafting, but that all published content required human editorial judgment and sign-off, that AI-generated images required disclosure, and that no AI tool could be used to generate quotes attributed to real people. The framework was public, specific, and tied directly to the BBC's existing editorial values. Staff knew exactly where the lines were.
The BBC example shows that governance does not have to restrict productivity; it can enable it. When people know what is allowed, they use tools confidently. When the rules are vague or absent, people either avoid tools entirely (productivity loss) or use them without guardrails (risk exposure). Clarity is not a bureaucratic burden. It is a competitive advantage.
| Organization | Industry | Governance Approach | Key Accountability Mechanism | Lesson |
|---|---|---|---|---|
| Air Canada | Aviation / Customer Service | Reactive: no clear ownership before incident | None; responsibility disputed after the fact | Deploying without accountability creates legal and reputational exposure |
| Unilever HR | Consumer Goods / HR | Tiered: central limits, regional adaptation, human final decision | Named regional leads + mandatory human hiring sign-off | Accountability works when it is specific and scaled to context |
| BBC Editorial | Media | Proactive: published guidelines tied to existing values | Human editorial sign-off on all published AI-assisted content | Clear rules enable confident use rather than fearful avoidance |
The Teacher Who Built Governance From the Classroom Up
Maria, a secondary school head of department in Manchester, faced a governance challenge with no IT team to help her. Students were submitting AI-generated essays. Teachers were unsure whether using AI to create lesson plans was acceptable. The school had no policy. Rather than waiting for senior leadership to act, Maria drafted a one-page departmental agreement in a single afternoon using ChatGPT to help her structure it. She defined three categories: AI tools teachers could use freely for planning and feedback drafts, uses that required disclosure to students, and uses that were off-limits entirely (such as generating student assessment grades without human review). She shared it at a team meeting, iterated based on feedback, and had a working framework within a week.
Maria's approach illustrates something important: governance does not have to flow top-down. A team-level framework, built by the people who actually use the tools, is often more practical and more followed than a corporate policy written by people who do not. If your organization has not given you a framework, you can build one for your own team, and often that grassroots document eventually becomes the organization-wide standard.
Start With What You Can Control
Putting Governance Into Practice This Week
Practical governance starts with an inventory. Most teams have no idea how many AI tools are actively in use across their members. Someone is using ChatGPT for emails. Someone else has Grammarly AI turned on. A third person is running meeting summaries through Otter.ai. None of it is coordinated, none of it is reviewed. Start by simply listing the tools your team uses, what they are used for, and whether any of them touch client data, personal data, or public-facing content. That list is the foundation of everything else.
Once you have the inventory, assign ownership. For each tool or use case, name one person responsible for staying current on how it is used and raising concerns if something changes. This does not mean they are the only person accountable; it means they are the person who notices and acts. In a small team, this might be the same person for everything. In a larger organization, it is distributed. Either way, a named person beats a vague 'everyone is responsible' policy every time.
Finally, build in a review rhythm. AI tools change fast: new features, new data policies, new risks. A governance framework written in January may be outdated by March. Put a 30-minute 'AI governance check-in' in your team calendar every quarter. Review the tool inventory, check whether anything has changed, and update the framework if needed. Thirty minutes four times a year is a small investment against the cost of an Air Canada-style incident.
Goal: Create a practical, usable AI governance document for your immediate team using a free AI tool, ready to share at your next team meeting.
1. Open ChatGPT (free version at chat.openai.com) or Claude (free at claude.ai) in your browser.
2. Start by typing: 'I want to create a one-page AI governance framework for my team. Ask me five questions to gather the information you need before drafting it.'
3. Answer each question the AI asks; include your team size, your industry, the AI tools currently in use, and any sensitive data your team handles.
4. Once you have answered all five questions, ask the AI to draft a one-page framework with three sections: Approved Uses, Uses Requiring Human Review, and Escalation Path.
5. Read the draft carefully. Edit any section that does not reflect how your team actually works; the AI does not know your organization's specific culture or constraints.
6. Add one named person as the accountability owner for AI tool oversight (this can be you).
7. Save the document and share it with one colleague before your next team meeting, asking for one piece of feedback.
8. Bring the revised draft to your next team meeting as a discussion item, framed as 'a starting point, not a final policy.'
9. Set a calendar reminder for 90 days from today to review and update the framework.
Key Takeaways
- Deploying AI without clear accountability is not a neutral act; it is a liability waiting to materialise, as Air Canada discovered in court.
- Governance works when it is specific: named people, defined scopes, and clear checkpoints beat vague team-wide responsibility every time.
- Tiered accountability models, like Unilever's, allow large organizations to set firm limits centrally while adapting implementation to local context.
- Clear rules enable confident AI use. When people know what is allowed, they use tools effectively. Vague or absent rules produce either avoidance or uncontrolled risk.
- Governance does not have to flow top-down. Team-level frameworks built by practitioners are often more practical and more followed than corporate policies written in isolation.
- An AI tool inventory, a simple list of what tools are in use, by whom, and for what, is the foundation of any working governance system.
- Review cycles matter. AI tools change faster than most policy cycles. A quarterly 30-minute check-in keeps governance current without creating bureaucratic overhead.