The CEO's guide to AI governance without bureaucracy
At 50–500 people, AI governance is a handful of owned decisions, not a committee. Done right, it speeds adoption instead of slowing it.
Say “AI governance” to most CEOs and they picture a committee, a 40-page policy nobody reads, and a legal review that stalls every tool request for six weeks. So they skip it. I understand the instinct. I’ve spent 25 years inside technology companies — WebMD, Clickability, Optimizely, the two companies I lead now — and I’ve watched plenty of process get invented for its own sake.
But at a 50–500-person company, that picture of governance is wrong. Governance at that size is not a committee. It’s a handful of decisions, made once, owned by a named person, and reviewed on a schedule. Written down, it fits on one page. And done right, it’s the thing that makes AI adoption go faster, not slower.
The alternative isn’t “no governance”
Here’s the part most executives haven’t internalized: you don’t get to choose between governance and no governance. You get to choose between governance and shadow AI.
Microsoft’s Work Trend Index surveyed 31,000 knowledge workers and found that 78% of AI users bring their own AI tools to work — and at small and mid-sized companies, it’s 80%. Not tools you approved. Tools they signed up for with a personal email, on a free tier, with your company data in the prompt box.
A 2025 global study by KPMG and the University of Melbourne — 48,000 people across 47 countries — found that almost half of employees admit to using AI in ways that violate company policy, including uploading sensitive company information into free public tools. And 57% say they hide their AI use and present the output as their own.
Read those two findings together. Your people are already using AI with your data. They know it’s probably not allowed. So they’re hiding it, which means you have no visibility into what’s being exposed or where. That’s the actual baseline. Governance doesn’t create risk controls where none were needed. It replaces a system you can’t see with one you can.
Governance is four decisions
Strip away the enterprise theater and AI governance at your size comes down to four decisions. I’ve made these with client executive teams in a single working session.
1. Data tiers. Sort your data into three buckets. Tier one: what can never leave your environment — client PII, financials, anything under regulatory or contractual protection. Tier two: what can go into approved tools with enterprise agreements and no-training clauses. Tier three: what’s effectively public — marketing copy, published docs, anything already on your website. Most companies need about an hour to draft this. The hard part isn’t the sorting; it’s that nobody had been asked to decide.
2. An approved-tool list — with a fast lane. Name the tools employees can use today and which data tier each one is cleared for. Then, critically, publish the path for adding a tool: who evaluates the request, what they check (data handling terms, training clauses, access controls), and the turnaround commitment. I tell clients five business days. If your approval path takes six weeks, employees will route around it, and you’re back to shadow AI with extra resentment.
3. A named owner. One person. Not a committee, not “IT and Legal jointly.” Someone with the authority to approve tools, update the tiers, and answer the question “can I use X for Y?” in a day. At most 50–500-person companies this is a fractional role, a few hours a week once the framework exists. But it must be a name, because unowned policies decay into wallpaper.
4. A review cadence. Quarterly is enough. The owner reviews the tool list, checks what employees are actually asking for, retires what nobody uses, and adjusts the tiers if the business changed. Thirty minutes on an executive agenda four times a year.
That’s it. That’s the whole apparatus.
The failure mode: a policy that only says “don’t”
The most common AI policy I encounter in mid-sized companies is a single sentence, usually written by counsel after a scare headline: employees may not enter company information into AI tools. It feels safe. It’s the worst possible policy.
Here’s what happens. The 80% who were already using AI keep using it — the Microsoft and KPMG numbers make that clear — but now they’re certain they shouldn’t ask permission, so they go quieter. You’ve converted your most AI-curious employees, often your best people, into a hidden risk surface. Meanwhile the cautious employees comply, fall behind, and watch competitors’ teams get faster. You get all the exposure and none of the productivity. A “don’t” policy doesn’t stop usage. It stops honesty.
The one-page acceptable-use document I recommend instead has four sections: the three data tiers in plain language with examples from your own business, the approved-tool list with what each tool is cleared for, the fast-lane request process with its turnaround commitment, and the owner’s name. One page. Employees can hold the whole thing in their heads, which is the only kind of policy that changes behavior.
Clarity is a speed advantage
This is the part that flips the objection. Governance framed as red tape assumes the current state is fast. It isn’t. The current state is thousands of small hesitations: an account manager wondering whether pasting the client brief into ChatGPT is a firing offense, a developer unsure if Copilot is sanctioned, an analyst using a personal account because asking feels risky. In Microsoft’s data, 52% of AI users are reluctant to admit using it for their most important work. Guessing is slow. Hiding is slower.
When the rules are one page and the answer to “can I use this?” arrives in a day, that hesitation disappears. People use the approved tools openly, share what works, and ask for more — which gives you an adoption signal you can actually manage against.
I’ve watched this work. At an ad-tech company, in work delivered with Last Rev, the platform engineering firm I co-founded, sensitive-data exposure in AI tools went from 18% to zero. Not by banning AI — by putting tiers, approved tools, and an owner in place so employees had a sanctioned path that was easier than the shadow one. Usage went up. Exposure went to zero. Those two outcomes were not in tension; the second enabled the first.
What about NIST and the frameworks?
If you go researching AI governance, you’ll hit the NIST AI Risk Management Framework within the first page of results. It’s credible, voluntary, and released in January 2023 with four functions: govern, map, measure, manage. If you’re building AI products or operating in a regulated industry, read it — I’ve used it as a reference architecture.
But if you’re a 120-person services firm deciding whether your team can use Claude on client work, you do not need to implement a federal risk framework. You need the four decisions above. Take one idea from NIST — that “govern” means assigned accountability, not documentation — and skip the rest until your AI footprint justifies it. Frameworks are for scaling governance you already have. They’re a terrible way to start.
Start with one page, one owner, and a five-day fast lane. You can have it running this month.
If your leadership team is working through this, the AI Executive Assessment is a two-week, fixed-price way to get a real answer.