Most organizations find themselves in the same position: AI tools are already in use across the business before any governance structure exists. ChatGPT, Gemini, and similar products require no IT procurement. They require a browser and an email address. The starting point for building an AI governance framework is not preventing adoption. It is creating the policies and guidelines that make adoption manageable, auditable, and consistent with the organization's obligations.
Effective AI governance rests on three policy layers, and getting the layers right matters because the risks and controls are different for each. Consumer AI covers free and personal-tier tools where there are no enterprise data handling terms in place. Enterprise AI covers tools procured and configured by IT, with data processing agreements and defined retention controls. Vendor-embedded AI covers the AI features now present in most SaaS products, often enabled by default, where the question is whether the vendor's terms adequately address how organization data is handled. A policy that treats these three categories identically will either be too restrictive to be practical or too permissive to provide real governance.
The policy document is not the governance program. An AI acceptable-use policy tells employees what is and is not permitted. The governance program is the set of processes that make the policy operational: a tool evaluation and approval process, a data classification framework that employees can apply when deciding which tools are appropriate for which tasks, a vendor AI review checklist, and a mechanism for employees to raise questions about tools they want to use. Organizations that produce a policy document without these supporting elements tend to find the policy is ignored in practice.
Data classification is the foundation everything else rests on. If employees understand which categories of information require controlled handling, they can apply that judgment to AI tool decisions without IT needing to enumerate every possible tool or use case. Most organizations have data classification in some form for compliance purposes already. Making it explicit and connecting it to AI tool guidance is often the step that converts a general AI policy into one employees can actually act on.
The vendor AI review process is equally important and frequently overlooked. The majority of enterprise SaaS products now include AI features. Understanding what those features do with organization data, whether they can be disabled for accounts where that is appropriate, and whether the vendor's AI-specific terms align with the organization's obligations, is a routine IT governance task. Building a repeatable review process for it, rather than addressing it ad hoc, is what keeps the estate manageable as the number of AI-enabled products continues to grow.
We have helped organizations build governance frameworks that cover all three layers: policy drafting, data classification frameworks, tool evaluation criteria, and vendor review processes. The work is typically straightforward once the policy structure is clear. The goal is a framework that enables the organization to use AI tools productively, with the controls in place to do so consistently and with appropriate oversight.
Illustrative example. Identifying details and figures have been changed to protect confidentiality.