What AI governance looks like in a mid-sized business

AI governance for a mid-sized business doesn't require a framework, a committee, or a 30-page policy document. It requires six decisions, made deliberately and written down: what AI we allow, what data it can use, how much it can do on its own, who's accountable, how we'll know if something goes wrong, and how we'll review all of this as the technology changes. Make those six calls, agree them at leadership level, and make them known across the organisation, and you have working governance. The frameworks come later, if and when the business scales into needing them.

Why most AI governance advice is overbuilt

Most AI governance advice has been written by people whose business is selling governance. Big consultancies offering frameworks. Large law firms producing policy templates. AI vendors marketing “responsible AI” platforms. The incentives all favour complexity, and the result is a lot of advice that doesn’t fit the businesses reading it.

A mid-sized business asking how to govern AI use doesn’t need a 12-pillar model or a Chief AI Officer. It needs clarity, at the leadership level, about a small number of important things. Larger businesses and regulated industries will need more than this. For everyone else, the lighter approach isn’t a compromise; it’s the right answer.

Governance isn’t really a deliverable. It’s a set of decisions, made deliberately, written down, and revisited as the situation changes. The companies doing this well have made those decisions on a single page. The companies struggling are still waiting for someone else to make them.

The six decisions worth making


1. What AI tools are we permitted to use, and which are off-limits?

Most mid-sized businesses already have employees using AI tools, often without leadership knowing which ones. That's a problem you can solve in a meeting, not a policy document. You need an agreed list of what's approved, a clear process for adding new tools, and an obvious place employees can check before using something. The approval step should include one concrete check: what the vendor does with the data it receives (whether prompts are retained, and whether they can be used to train the vendor's models), because that answer is what makes a tool safe, or not, for the data decision below.

What good looks like: a one-page list of approved tools, an owner who can approve new ones within a week, and a known way for employees to ask.


2. What data can go near AI tools, and what definitely can't?

This is the question that prevents most of the headline-grabbing AI incidents. Confidential client information, financial data, personal data, intellectual property and trade secrets each need a clear position. The rule depends on the destination as much as the data: a free consumer chatbot that retains prompts and may train on them is a different place to send a client contract than an enterprise tier with a contractual commitment not to. The default shouldn't be "decide case by case." It should be "we know what's allowed and what isn't, before any employee is in the moment of deciding."

What good looks like: three to five categories of data, each with a clear rule. Allowed with approved tools. Allowed with restrictions. Not allowed at all.


3. What can AI do on its own, and what needs a human to sign off?

This question used to be simpler, because AI mostly drafted and suggested while a person did the doing. That has changed. The tools you already pay for are increasingly shipping agentic features, AI that can take actions on its own: sending the email, booking the meeting, updating the record. These often arrive switched on by default, and an agent acts with whatever access the account it is connected to already has, so it inherits the user's permissions to mail, calendar and business records. That means a business can hand AI real authority without ever deciding to.

So the question isn't only what decisions AI can influence. It's how much AI can do without a human in the loop, and whether you chose that on purpose. There's a meaningful difference between AI drafting a customer email and AI sending it.

What good looks like: a clear line between what AI is allowed to do on its own and what needs human sign-off first, plus the habit of checking the default settings and the integrations granted on any new tool, rather than inheriting whatever the vendor switched on.


4. Who's accountable when AI is involved in something that goes wrong?

The temptation is to leave this vague, especially in mid-market businesses where roles overlap. Don't. If an AI-summarised contract misses an important clause, who's accountable? If an AI-pulled figure goes into a board report wrong, who owns the mistake? Naming accountability before something goes wrong is a fraction of the cost of figuring it out afterwards.

What good looks like: a named senior owner for AI use in the business overall, plus clarity that the human who deployed AI in a specific situation owns the outcome.


5. How will we know if something is going wrong?

Good governance isn't just about prevention. It's about visibility. Without basic monitoring, AI problems often go unnoticed until they become customer complaints, regulatory letters, or board questions. The bar isn't high. You need a regular, deliberate look at where AI is being used, not a monitoring system. Much of that picture already exists in records you hold: single sign-on or identity provider logs, expense claims for subscriptions, and web proxy or DNS logs all show which AI services staff are actually reaching, approved or not.

What good looks like: a quarterly review item on the leadership team agenda, plus a known way for employees to flag concerns without it feeling like a formal incident report.


6. How will we review and update all of this as the technology changes?

AI tools and what they can do keep changing, so a decision that was sound when you made it can quietly date: an approved tool ships an agentic feature, a vendor changes its data-retention terms, a new data category appears. Building a review cycle into the governance itself is what stops it ageing badly.

What good looks like: a six-monthly review of these decisions, with named owners and a clear process for updating them.

What this looks like in practice

A mid-sized business with working AI governance doesn't have a governance framework. It has a one-page document, agreed by the leadership team, that records the six decisions above and nothing more. It gets shared with the organisation, referenced when new AI use cases come up, and updated every six months. It's not impressive to look at. It doesn't need to be. It just needs to be true, current, and known.

That's working governance. Everything beyond that is decoration.

Where to go from here

Most mid-sized businesses we work with don't have AI governance in any deliberate form. They have AI use, which isn't quite the same thing. Closing that gap is usually a half-day exercise with the right people in the room, not a multi-month framework project.

If you're trying to bring order to AI use in your business without committing to a framework you'll regret, we're happy to talk. No pitch, no commitment, just a conversation about what working governance looks like for your specific context.