Pragmatic AI governance for a mid-market company is three artifacts, not a committee: an inventory of AI use cases, a simple risk tiering (low, medium, high), and a one-page policy that says what's allowed by tier. Anything heavier gets ignored; anything lighter isn't governance.
The three artifacts
- 1Inventory: a living list of every AI use case, tool and workflow, with owner and data touched. You can't govern what you can't see.
- 2Risk tiers: low (internal drafts, no sensitive data), medium (customer-facing with review, internal sensitive data), high (autonomous actions, regulated data, financial or legal output).
- 3One-page policy: low tier is pre-approved, medium needs the data checklist, high needs sign-off from the accountable owner.
What makes it actually work
- The approval path is measured in days, not months, speed is the compliance feature.
- The policy names allowed tools, so 'can I use this?' has a self-serve answer.
- New use cases enter the inventory via a two-minute form, not a meeting.
- One executive owner is accountable; legal and security advise, they don't queue.
What to skip (for now)
- An AI ethics board before you have ten production use cases.
- Policies written for models you don't use and risks you don't have.
- Blanket bans, they don't stop usage, they just stop visibility.
- Governance tooling before the inventory spreadsheet is outgrown.
