
AI Governance Isn't a Binder. It's a Habit.

The most common AI question I get right now starts in the wrong place. Here's the question that actually matters, and the seven things I see working.

Jim Haney, May 28, 2026, 4 min read

AI governance is the most common conversation I'm having right now. CEOs, COOs, CIOs, different chairs, same opening line: "What does our acceptable use policy need to say?"

Fair question. It's also the second one.

Before the policy, there are four questions I ask back. All four are operational, not legal:

  1. Who owns this at your company?
  2. What AI tools are actually approved?
  3. Where is AI really being used inside the business?
  4. How are you tracking whether it's working?

Most of the leaders I talk to can't answer all four on the spot. That is the real governance gap. Not the wording of the policy. You can buy a policy template in an afternoon. Knowing where AI actually lives in your company, who's accountable for it, and whether it's helping or quietly creating risk, that's the work nobody can shortcut.

So here is what I tell people instead, and what I see holding up at mid-market companies right now. None of it requires a six-figure platform or a compliance department.

The seven that actually hold up

  1. Keep a living AI inventory. Every tool, every use case, every owner, every type of data it touches. You cannot govern what you cannot see, and this is the single highest-leverage hour your team will spend this quarter.
  2. Tier by use case, not by tool. The same model is low risk for marketing copy and high risk for hiring. Anything touching employment, credit, health, customer money, or legal exposure is high risk by default. Govern the decision, not the software.
  3. Pair the policy with a sanctioned tool. This is the step most companies skip. A policy without an approved alternative is theater, because people still need to get work done. Give them an enterprise-grade option that's as good as the free one, and the unauthorized usage drops on its own.
  4. Put a human in the loop on the consequential calls. Hiring, firing, pricing, contracts, anything a customer sees. Define who approves, who can override, and how the decision gets recorded. The control isn't "a person looked at it." The control is that you can prove who, and when.
  5. Treat vendor AI as third-party risk. At every renewal, ask what AI features got added, what they train on, where the data sits, and whether you can turn it off. Most of the AI exposure I run into now isn't shadow ChatGPT. It's a feature your existing vendor switched on by default, and nobody noticed.
  6. Sample the logs quarterly. Pull a handful of real prompts and outputs from your sanctioned tools and read them. You're looking for leaked PII, fabricated client-facing claims, and policy drift. Ninety days of retention is usually plenty, provided it covers the gap between reviews so nothing ages out before it can be sampled, and restrict who can read the logs, because the sample itself will contain whatever leaked.
  7. Name one owner. A person, not a committee. At your size that's typically the COO or CIO, running a working group across Legal, HR, IT, Marketing, and Operations. Committees diffuse accountability. A name on the line concentrates it.
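
As an added illustration of step 6, and not code from the article or from any particular tool: a small Python screen that draws a reproducible sample from a sanctioned tool's prompt/output export, drops anything outside the retention window, and flags the obvious PII patterns for a human to read. The log format (JSON lines with ts, user, prompt and output fields), the 90-day window, the regexes and the sample records are all assumptions constructed for this example; real exports differ, and the regexes are a starting point, not a complete PII detector.

```python
"""Quarterly prompt/output sample with a first-pass PII screen.

Added example, not from the article. The log layout, field names and
retention window are assumptions; adapt them to your tool's export.
"""
import json
import random
import re
from datetime import datetime, timedelta, timezone

# Date the review is run; fixed here so the retention cutoff is reproducible.
REVIEW_DATE = datetime(2026, 5, 28, tzinfo=timezone.utc)

# Constructed sample export from a hypothetical sanctioned tool, one JSON record per line.
SAMPLE_LOG = """\
{"ts": "2026-05-20T14:02:11Z", "user": "alice", "prompt": "Draft a reply to jane.doe@example.com about the renewal", "output": "Hi Jane, thanks for your note about the renewal."}
{"ts": "2026-05-18T09:15:40Z", "user": "bob", "prompt": "Summarize this support ticket", "output": "Customer SSN 123-45-6789 was verified before the refund."}
{"ts": "2026-04-02T16:48:05Z", "user": "carol", "prompt": "Rewrite this for LinkedIn", "output": "Excited to share our new product line."}
{"ts": "2026-03-10T11:20:33Z", "user": "dave", "prompt": "Was card 4111 1111 1111 1111 charged twice?", "output": "I cannot check billing systems."}
{"ts": "2026-05-01T08:05:19Z", "user": "erin", "prompt": "Order 1234 5678 9012 3456 is missing, draft an apology", "output": "We're sorry your order has not arrived."}
{"ts": "2026-01-15T13:30:00Z", "user": "frank", "prompt": "Fill in 987-65-4321 on the form", "output": "Done."}
"""

# Illustrative patterns only. Card candidates are any 13-19 digit run; the Luhn
# check below keeps order and ticket numbers from being reported as cards.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "payment_card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test over a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(text: str) -> list:
    """Return (kind, matched_text) pairs found in text."""
    hits = []
    for kind, pattern in PII_PATTERNS.items():
        for m in pattern.finditer(text):
            value = m.group(0).strip()
            if kind == "payment_card" and not luhn_ok(re.sub(r"\D", "", value)):
                continue  # a digit run that fails Luhn is not a card number
            hits.append((kind, value))
    return hits


def parse_log(text: str) -> list:
    """Parse a JSON-lines export into a list of record dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def within_retention(record: dict, now: datetime, retention_days: int = 90) -> bool:
    """True if the record's timestamp falls inside the retention window ending at now."""
    ts = datetime.strptime(record["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts >= now - timedelta(days=retention_days)


def sample_records(records: list, n: int, now: datetime, seed: int = 0,
                   retention_days: int = 90) -> list:
    """Draw a reproducible random sample from the records still inside retention."""
    eligible = [r for r in records if within_retention(r, now, retention_days)]
    rng = random.Random(seed)  # fixed seed so the review record can cite which rows were drawn
    return rng.sample(eligible, min(n, len(eligible)))


def review(records: list) -> list:
    """Screen each sampled record's prompt and output; returns findings for a human reviewer."""
    findings = []
    for r in records:
        for field in ("prompt", "output"):
            for kind, value in find_pii(r[field]):
                findings.append({"ts": r["ts"], "user": r["user"],
                                 "field": field, "kind": kind, "value": value})
    return findings


def run_quarterly_sample(log_text: str, now: datetime, n: int = 25, seed: int = 0):
    """Parse, sample and screen; returns (sampled_records, findings)."""
    sample = sample_records(parse_log(log_text), n, now, seed)
    return sample, review(sample)


if __name__ == "__main__":
    sample, findings = run_quarterly_sample(SAMPLE_LOG, REVIEW_DATE)
    print(f"sampled {len(sample)} records inside the retention window")
    for f in findings:
        print(f"{f['ts']} {f['user']:<6} {f['field']:<6} {f['kind']:<13} {f['value']}")
```

The flagged rows are the starting point for the human read, not the verdict: the reviewer still reads the unflagged prompts for fabricated claims and policy drift, which no regex will catch. Record the seed and the date with the review so the sample can be reproduced if a finding is later disputed.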

On the rules, briefly

Yes, the regulatory picture moved this past year, and it'll keep moving. My honest advice: don't try to chase fifty state regimes and a moving federal target. Build to one strong reasonable standard and be done. The NIST AI Risk Management Framework is still the cleanest free reference for that, and ISO 42001 is the one that's starting to show up on enterprise vendor questionnaires, so if you sell upmarket, expect the question. That's the practical exposure for most mid-market companies. Not a regulator knocking. A customer's procurement team asking.

Where it goes sideways

I see the same three failure modes. Companies lawyer the policy and never touch the workflow, so the document gets signed and nothing actually changes. Or IT blocks the obvious tools, and shadow AI just moves to personal phones where leadership has less visibility, not more. Or it gets run as a project: a Q1 kickoff, a Q2 working group, and a stale inventory by spring.

The companies getting this right treat it like the financial close. It recurs, it's owned, and somebody inspects it.

If you're starting cold

You don't do all seven at once. Do the first three, in order, this week. Inventory what's actually in use, including the tools IT never approved. Stand up one sanctioned tool with logging and make it the default. Publish a one-page policy, one sentence per rule. Then put a recurring quarterly review on the leadership calendar and assign it to a name. That's it. That's governance you can run on a Tuesday afternoon, not a procurement event.

The companies doing this well in 2026 aren't the ones with the longest documents. They're the ones who can tell you, on any given day, where AI is being used, by whom, on what data, and with what guardrails.
