Mid-market companies get governance advice written for banks: committees, review boards, model risk frameworks. So they either adopt bureaucracy that stalls every project — or skip governance entirely and find out later what their teams pasted into public chatbots.
There is a middle path, and it fits on one page.
01The one-page policy
- ▸An allowlist, not a ban. Name the approved tools and what data class each may touch. Bans push usage into the shadows; allowlists make the safe path the easy path.
- ▸Three data classes. Green: public and harmless. Yellow: internal — approved tools only. Red: regulated, personal, or privileged — named systems with contracts and controls, or not at all.
- ▸Human sign-off by risk, not by habit. Low-stakes drafts flow free; anything customer-facing or irreversible gets an approval step.
- ▸Log everything automated. If a system acts on your behalf, its actions are recorded and explainable. Non-negotiable.
- ▸A quarterly hour. One meeting: what's in use, what broke, what moves tiers. That is your AI council.
02Vendor screening in five questions
- ▢Where does our data go, and is it used for training?
- ▢Can it run inside our tenant or virtual private cloud?
- ▢What happens to our data when we leave?
- ▢Are actions logged in a form we can audit?
- ▢Who is accountable — by contract — when it is wrong?
03What to actually worry about
The realistic mid-market failure modes are not science fiction: an employee pasting a customer list into a free tool; an automation emailing the wrong segment; an unlogged agent making a decision no one can reconstruct. All three are prevented by the one-pager above — not by a committee.
04Rolling it out without a memo war
Governance lands badly when it arrives as restriction. It lands well when it arrives as permission: "here is what you can now safely do."
- ▸Lead with the allowlist. The announcement is the list of approved tools and what they're for — the rules ride along underneath.
- ▸Declare an amnesty. Everyone discloses what they already use, no consequences. You cannot govern what you refuse to see.
- ▸Run one brown-bag. Thirty minutes: the three data classes, the approval tiers, who to ask. That's the whole training program.
- ▸Name the owner. One person answers tool requests within a week. Slow answers recreate the shadow usage you just cleaned up.
OPERATOR NOTE — Governance done right is an accelerator: teams move faster when the safe path is paved and marked.
Ready to run it?
Put this manual to work.
A 30-minute strategy call with an operator — we'll map your first deployment path, not send a deck.
