AI Governance
Most AI usage policies are written to satisfy a request — from a client, from a board member, from a procurement checklist. Written to satisfy a request, they tend to be comprehensive on paper and useless in practice. A policy that gets followed is written to answer the specific questions your team will have when they are in the middle of doing actual work.
The approved use section
This is the section most policies get right. Name the specific tools that are approved and the specific uses they are approved for. "AI tools may be used for drafting internal documents, summarizing meeting notes, and generating code for internal tools." Specific. Affirmative. Actionable.
The restricted use section
Uses that require a review step before action. "AI-generated content for client deliverables must be reviewed by the account lead before delivery." This section is where most policies are too vague — "use with caution" is not a procedure. Name the review step, name the reviewer, name the format the review should take.
The prohibited use section
Absolute limits with no exceptions. Typically: entering client personal data into any AI tool without a signed data processing agreement (DPA), using AI to make final decisions on hiring or termination, and using free-tier tools that train on user inputs for anything involving proprietary or sensitive information. The prohibited section should be short and unambiguous.
The section most policies leave out
Ownership and review. Every AI tool in use should have a named owner responsible for monitoring changes to the tool's data practices and flagging when the policy needs updating. AI tools change. Their data practices change. A policy with no review mechanism becomes outdated and dangerous without anyone noticing.