AI Playbook 2 of 5

How to Establish AI Governance and Acceptable Use Policies

The test of governance is whether a low-risk use case can get approved in days while a high-risk application receives genuine scrutiny. Most organizations fail this test because they apply uniform process to everything. This playbook covers the practical steps for building tiered governance, deploying enforceable acceptable use policies, implementing risk-based approvals, and evolving your governance as the technology and regulatory landscape shift.

This playbook covers the how. For the why and what, see the skill definition .
Developing Start here. Build the foundation.
  • Draft a one-page AI acceptable use policy covering five areas: approved tools, prohibited uses with industry-specific examples, data protection rules specifying what can and cannot be shared with AI tools, quality and review requirements for AI-assisted work, and enforcement mechanisms. Keep it short enough that people actually read it. Circulate to legal, compliance, and security for review, then deploy organization-wide with a required acknowledgment and a clear point of contact for questions.
  • Convene a cross-functional AI governance working group of six to eight people from legal, compliance, security, HR, and business leadership. Set a monthly meeting cadence. The first meeting should review the acceptable use policy and identify the three most urgent governance gaps. Assign an owner for each gap with a 30-day deadline. This group becomes the seed of your governance structure.
  • Create a simple three-tier risk classification guide. Tier one covers low-risk uses like summarizing internal documents or drafting initial communications with non-sensitive data. Tier two covers medium-risk uses involving some sensitive data or internal decision support. Tier three covers high-risk uses involving customer-facing outputs, consequential decisions, or regulated data. Publish this alongside the acceptable use policy so teams can self-classify.
Proficient Build consistency and rhythm.
  • Stand up a formal tiered governance structure: a strategic committee of senior leaders meeting quarterly to set AI direction and investment priorities, an operational review board meeting monthly to approve medium and high-risk applications, and technical working groups meeting weekly to handle implementation standards. Write a charter for each body defining membership, decision rights, escalation paths, and how conflicts between bodies are resolved.
  • Implement the risk-tiered approval process so that tier-one uses get approved within three business days with a lightweight submission form, tier-two uses get approved within two weeks with review board evaluation, and tier-three uses require full committee assessment with documented risk analysis. Track approval cycle times and publish them. If all tiers take the same amount of time, your process is not working.
  • Schedule quarterly policy reviews. AI capabilities and regulatory requirements change faster than annual review cycles can accommodate. Each quarterly review should assess whether the acceptable use policy reflects current tools, whether the risk classification still maps to actual organizational risk, and whether enforcement mechanisms are being applied consistently. Document changes and communicate them broadly.
Mastered Operate at the highest level.
  • Staff governance bodies with genuine cross-functional representation that has decision authority, not just advisory input. Legal should be able to block high-risk deployments. Business leaders should be able to advocate for fast-tracking high-value opportunities. Security should be able to mandate technical controls. When governance bodies include only one function, the resulting policies reflect only one perspective and lack organizational credibility.
  • Build governance feedback loops that capture how well the system works in practice. Survey teams that have gone through the approval process quarterly. Ask what worked, what created unnecessary friction, and what risks they see that governance is not catching. Use this data to continuously improve the system rather than waiting for a governance failure to prompt changes.
  • Develop governance playbooks for common scenarios so teams do not have to start from scratch every time. Create templates for tier-one self-certification, tier-two submission packages, and tier-three risk assessments. Document past decisions as precedents so similar use cases can reference them. A governance system that requires every decision to be made from first principles will not scale.
Back to AI Strategy and Governance Playbook

Unlock Skill Progression

Coaching Personalized to your current level
Progress Tracking Across every skill area
Mastery Validation Evidence-based, not guesswork