Step one: AI readiness assessment. Understand where and how AI is already being used in the organization – formally and informally. Interviews with team leads, anonymous surveys, analysis of network traffic to public AI domains. Without this diagnosis, any policy is disconnected from reality.
Step two: data classification and risk mapping. What data categories exist in the organization, where they live, which regulations apply and what risk their exposure in AI models creates. Without classification, no sensible policy or architecture can be designed.
Step three: AI policy and approved tools catalogue. A short, readable document ('AI Acceptable Use Policy') written in operational, not legal, language. For each data class – recommended and discouraged tools. For each new use case – a clear approval path.
Step four: deployment of safe tools and integration with workflows. Microsoft 365 Copilot, Copilot Studio, Azure OpenAI in a VPC and – for the most sensitive workloads – private AI or on-premise. Tools must be at least as convenient as personal ChatGPT, otherwise Shadow AI will not disappear.
Step five: training, education and continuous communication. Not a single e-learning module, but an ongoing conversation with the organization: what is allowed, what is not, how to spot hallucinations, how to validate outputs, where to report incidents.
Step six: monitoring, audit and iteration. Logs from enterprise tools, adoption metrics, regular policy reviews and a mechanism for reporting new use cases. Governance is a process, not a project. We typically run these stages with clients as part of our advisory and strategy engagements and our security and compliance engagements.
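The traffic analysis in step one and the log-based monitoring in step six both come down to the same check: which users are sending data to which public AI services, and whether those services are on the approved list. The script below is an added example, not code from the original article or its authors; it assumes a constructed, simplified proxy log format (`timestamp user client_ip destination_host bytes_sent`) and an illustrative domain catalogue that would be replaced with the organization's own approved tools list from step three.

```python
"""Shadow AI discovery from proxy logs (added example, constructed format)."""
from collections import defaultdict
import re

# Illustrative catalogue: replace with the organisation's own approved-tools list.
AI_DOMAINS = {
    "chat.openai.com": "unsanctioned",
    "api.openai.com": "unsanctioned",
    "claude.ai": "unsanctioned",
    "gemini.google.com": "unsanctioned",
    "copilot.microsoft.com": "sanctioned",
}

# Constructed sample lines: <timestamp> <user> <client_ip> <host> <bytes_sent>
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice 10.0.1.15 chat.openai.com 18342
2024-05-01T09:15:44Z bob 10.0.1.22 copilot.microsoft.com 5120
2024-05-01T09:20:10Z alice 10.0.1.15 www.example.com 900
2024-05-01T10:02:51Z carol 10.0.2.7 claude.ai 40210
2024-05-01T10:05:00Z carol 10.0.2.7 chat.openai.com 1200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")

def _classify(host):
    """Policy status of a host; subdomains of a listed domain match too."""
    parts = host.lower().split(".")
    for i in range(len(parts) - 1):          # never match a bare TLD
        status = AI_DOMAINS.get(".".join(parts[i:]))
        if status:
            return status
    return None

def summarize_ai_usage(log_text):
    """Per-user request count and bytes sent to AI services, split by policy status."""
    usage = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "bytes_sent": 0}))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # malformed line: skip, do not crash
        _ts, user, _ip, host, nbytes = m.groups()
        status = _classify(host)
        if status is None:
            continue                          # not an AI service
        usage[user][status]["requests"] += 1
        usage[user][status]["bytes_sent"] += int(nbytes)
    return {u: dict(v) for u, v in usage.items()}

def unsanctioned_users(log_text, min_bytes=1):
    """Users who sent at least min_bytes to unsanctioned AI services: Shadow AI candidates."""
    summary = summarize_ai_usage(log_text)
    return sorted(u for u, s in summary.items()
                  if s.get("unsanctioned", {"bytes_sent": 0})["bytes_sent"] >= min_bytes)
```

Bytes sent is the more useful signal than request count: a user uploading tens of kilobytes to an unsanctioned service is the case the data classification in step two exists to catch.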