# AI Governance Starter Guide

## What this guide is for

This guide is for leaders and operators who know AI is already being used inside their organization but have not yet built a governance model around it.

## The first truth

AI adoption almost never waits for policy. It spreads through usefulness. Someone saves time with a tool. Someone else notices. A manager encourages it. Soon the organization depends on systems it never formally approved. That is why governance needs to start with visibility, not theory.

## The first five steps

### 1. Acknowledge current use

Assume AI is already in your workflows. Ask teams where it is being used today for drafting, analysis, customer communications, research, coding, summarization, proposal writing, spreadsheet assistance, and meeting notes.

### 2. Assign an owner

Governance requires accountability. Name a person responsible for coordinating policy, tool review, training, and escalation.

### 3. Define approved tool boundaries

Create a short list of approved tools and a clear rule that anything outside that list is unapproved until reviewed.

### 4. Establish data rules

Publish a simple first version of data handling rules. At minimum, prohibit regulated, privileged, customer-controlled, or highly sensitive information from being entered into external AI tools unless explicitly approved.

### 5. Require human review

Declare that AI output is draft material, not final truth. Define which work products require review before use.

## The first questions leaders should ask

- Which AI tools are staff using today?
- What data has likely already entered those tools?
- Which teams are using AI for external-facing work?
- Which workflows currently lack review?
- Who should own governance for the next 90 days?

## What not to do

- Do not ban everything without understanding current dependence.
- Do not publish a policy without training.
- Do not assume security owns the whole problem alone.
- Do not let convenience define approved use.
- Do not wait for a formal incident before building controls.

## The practical goal

The goal is not to become perfect. The goal is to move from unmanaged adoption to visible, reviewable, accountable use.