Minimum controls
AI governance should be usable by staff. These controls make the first policy conversation concrete before tooling decisions take over.
- Written use-case statement and owner.
- Data boundary: public, internal, confidential, personal/client-sensitive or restricted.
- Human review point and escalation route.
- Approved tools and prohibited uses.
- AI-use register for live and proposed workflows.
- Error, exception and limitation notes.
Restricted uses
Some work should not enter public AI tools and may need private scoping, senior approval or legal/compliance review first.
- Legally privileged material.
- Suspicious activity or AML-sensitive material.
- Vulnerable customer or health-related records.
- Credentials, secrets or security details.
- Regulated decisions made solely by automation, with no human involvement.
Buyer-friendly framing
The aim is not to ask the buyer to trust a black box. The aim is to test one workflow under controls they can inspect.
- Name the data boundary.
- Keep source evidence visible where possible.
- Keep human review explicit.
- Log limitations and exceptions.
- Make the stop/go decision only once evidence from the trial exists.