For Operators · AI governance
AI governance for $1M to $10M companies, no legal bloat.
You do not need a 50-page AI policy. You need clear rules around five things. This is the 1-page template you can adapt in a morning and actually enforce with your team.
Section 01 · What to govern
Five things, nothing more.
Most AI policies go wrong at the start because they try to govern everything. Your lawyers hand you a template written for a 500-person tech company. You end up with a 50-page document nobody reads.
At your size, focus on five things. These are where real risk lives. Customer data leaking because someone pasted it into ChatGPT for analysis. Hiring bias creeping in through AI screening tools. An AI decision affecting a customer with no audit trail behind it. A vendor gets breached and your data goes with it. A team member wasting 10 hours a week on a tool that does not work.
Govern those five things tightly. Everything else gets a lighter touch. This keeps the policy in your head instead of in a filing cabinet.
1. Data security
What data can go into AI tools. What cannot. When data leaves your systems.
2. Customer-facing AI
If your customers interact with AI, how you build it. Transparency. Fallback to humans.
3. Hiring and decisions
Using AI to screen candidates, promote people, or make big decisions. Bias checks. Human review required.
4. Vendor compliance
Every AI tool your team uses has terms of service. Your vendors need to meet your standards.
5. Tool adoption
No random AI tool signup. Your team gets a list of approved tools. New tools need ops approval first.
Bonus: How you measure it
One tool per use case. Not five chat tools. One. Measure time saved per week and kill tools that do not move the needle.
Section 02 · The policy
Copy this, customize it.
AI POLICY for [COMPANY NAME] (Effective [DATE])
Data Security
No customer PII, financial data, or proprietary business information goes into any AI tool without written approval from ops, and approval only covers tools on the approved list whose terms say the vendor does not train on or keep your data. No exceptions. Cloud storage is encrypted at rest. API keys live in a password manager, not in Slack or email.
Customer Facing AI
Any AI tool customers interact with gets a human fallback. If the AI cannot resolve the request in one turn, escalate to a person. Label AI clearly on customer-facing pages. Log every AI customer interaction and review the log monthly.
Hiring and Decisions
AI can score resumes or flag patterns in data. A human always makes the final call. Same for promotions, raises, and any decision that affects employee outcomes. Document the human review. Keep an audit trail.
Vendor Compliance
Every tool your team uses needs to meet: data residency rules, security certifications (SOC 2 or equivalent), and explicit terms on data usage (your data stays your data: no training on it, and a stated retention period). If a vendor does not answer these questions, you do not use their tool.
Tool Adoption
Ops maintains an approved tools list by use case (writing, research, customer service, video, etc). New tools get a 30-day trial. If a tool saves 5 hours per week per user by the end of the trial, it moves to the approved list. If not, it gets canceled. One tool per category, not five.
Review Cadence
This policy gets reviewed after each new tool goes live, with a full quarterly review every [MONTH]. Any team member can flag a gap. Policy updates happen in writing with team sign-off, not in Slack.
Approved by: [CEO] [OPS LEAD] [LEGAL REVIEW DATE]
That is it. One page. Five sections. You can read it in three minutes. Your team can follow it in practice. Hand this to your lawyer for a 30-minute review, not a complete rewrite.
Ready to make this real?
We can run an AI Audit that includes governance mapping.
Two weeks. $1,500 to $3,000. You get this policy customized to your business, vendor security checklist, and team rollout plan.
Section 03 · The traps
Three mistakes that kill governance.
Over-policing. You write a policy so strict that your team hides their tool usage instead of disclosing it. Policy becomes a liability. The fix: policy enforces five things tight, everything else gets a light touch. Your team wants to use tools. Give them clear rules and then get out of the way.
Under-policing. You publish a policy and do not enforce it. The first person who drops customer data into ChatGPT gets an "oh well", and suddenly everyone is doing it. Enforcement does not mean termination. It means a conversation, then escalation if it happens again. No enforcement means no rules.
Paper-only governance. You get the policy written, leadership signs it, and then nothing happens. The team never reads it. The policy lives in a folder nobody remembers. The fix: the policy gets a mandatory team meeting, and ops leads a quarterly review in a meeting, not an email. People follow rules they understand.
Section 04 · Maintenance
Keeping the policy live.
After each new tool
Ask: does this tool need new governance language? New data risk? New vendor requirement? One-line update to the policy. Takes five minutes.
Quarterly full review
Does reality match the policy? Are we breaking rules we wrote? Is something missing? Ops leads the review meeting. One hour. Make changes in writing.
FAQ · Common questions
Real questions, real answers.
Want to dig into something specific? Book a 15-minute call.
Do I really need a written AI policy?
If your lawyer or board asked for one, then yes. If not, a written policy still matters because it forces you to think through how your team actually uses AI. Most small companies realize mid-way through writing the policy that they have no rules. Formalizing them prevents expensive mistakes later.
Who approves the policy once it is written?
Leadership team signs off first. Then your lawyer does a 30-minute review (not a rewrite). Then it goes to the full team with a mandatory conversation about why these rules exist. Adoption happens when people understand the why.
What happens if someone breaks the policy?
First offense is a conversation about what went wrong and why the rule matters. Second offense gets escalated. Third offense is performance management territory. The policy only works if you actually enforce it. No enforcement means no rules.
How often do I update this?
After every new tool your company adopts. Quarterly review to make sure reality matches the policy. If you find yourself saying 'oh yeah, we do that but the policy does not mention it', update it. A policy that does not match practice is worthless.
Can I just steal this template?
Absolutely. Customize the five sections to match your business. Add industry-specific rules if you handle sensitive data (healthcare, finance, legal). Have your lawyer do a 30-minute review, not a complete overhaul. The template is the starting point, not the ending point.
Ready to move?
Let's get AI governance handled.
15 minutes. Tell me what you are worried about. I will walk you through how we would set this up for your team.
Book Your Free Call