👋 Get the latest legal insights, best practices, and breakdowns for in-house legal. I cover everything tech companies need to know about legal stuff.

Everyone Wants an AI Policy, No One Wants to Read It

Every company right now wants to say they have “Responsible AI.”

Few can define it.

Somewhere between the engineers saying “It’s just math!” and the board saying “Are we at risk?” sits Legal—trying to design guardrails that don’t sound like a science fair project or a philosophy paper.

Most GCs start with good intentions. They open a blank Word doc titled “AI Governance Policy v1” and think, this time, it’ll be practical.

Three weeks later, they have a 40-page epic quoting NIST, the EU AI Act, and every ethics principle known to humankind.

It’s beautiful. It’s also unread.

AI governance doesn’t need to be complicated. It needs to be clear, fast, and boring enough that people actually follow it.

The Myth of the Big Policy

Every AI governance journey starts with someone saying, “We need a policy.”

And that’s where the trouble begins.

You don’t need a 40-page policy. You need a 4-page playbook that says:

1. What people can and can’t do.

2. Who to tell before they do it.

3. What happens if they ignore that step.

That’s it.

I once had a lawyer write a Responsible AI policy that was longer than our privacy standard. It covered every risk scenario: bias, explainability, accountability, transparency. It had citations, footnotes, and a glossary.

Nobody read it.

When we finally replaced it with a one-pager titled “AI Guardrails for Humans Who Just Want to Ship Stuff,” people actually followed it.

Because here’s the thing:

If your AI policy needs a training session to explain it, it’s never going to work.

10 Steps For AI Governance Policies

1. Know What You’re Governing

“AI” isn’t one thing. It’s a grab bag of magic tricks that all get labeled “AI” when someone in marketing thinks it’ll sound smart.

If you want your governance framework to work, start by splitting your world into two lanes:

• AI-For: internal use of AI tools (ChatGPT, CoCounsel, internal copilots).

• AI-On: AI that is your product or feature (customer-facing).

Different risks. Different rules.

When an employee uses ChatGPT to summarize an NDA, that’s an AI-For use case.

When your SaaS product uses AI to summarize a customer’s data for them, that’s AI-On. And regulators care a lot more about the second one.

I’ve seen companies apply the same policy to both and then wonder why everyone ignores it. The marketing team trying to use an image generator doesn’t need a model governance committee. They just need to know not to upload customer data.

If you can’t tell the difference between AI-on and AI-for, your first governance step is figuring that out…fast.

2. Build a Lightweight Review Process

AI governance fails when your review process moves slower than your engineers.

You don’t need a formal “AI Review Board” that meets once a quarter and produces PowerPoints nobody reads. You need an intake process that people actually use.

Here’s a good rule:

If your AI intake form takes longer to fill out than it takes to build the tool, you’ve messed up.

At one company, we built our intake in SharePoint. Not glamorous, but it worked.

We asked four basic things:

1. What’s the use case?

2. What data does it touch?

3. Who’s responsible if it breaks?

4. Is there any chance this ends up on the front page of the Wall Street Journal?

That last one was our “gut check.”

And it worked. We caught a project that was quietly training on customer data before it reached production.

AI governance doesn’t need to be fancy. It needs to be fast.

3. Classify the Risk. Then Move.

Not all AI is created equal. You don’t need to put the same guardrails around an internal chatbot that you do around a hiring algorithm.

I use a simple triage model:

• Low risk: Productivity tools, copilots, or anything that uses public or anonymized data.

• Medium risk: Tools trained on internal non-sensitive data.

• High risk: Anything that touches personal data, customer systems, or decision-making.

For each, define what’s needed:

• Low = quick review.

• Medium = legal + security check.

• High = full risk assessment + leadership sign-off.

One engineer once asked me, “So red means bad?”

No…red means “we’re showing up early.”

A matrix works better than a manifesto. Boards love heat maps. So do execs. And if your governance model fits on one slide, you’ll likely get it adopted.

4. Borrow From What Already Works

Don’t reinvent governance. Repurpose it.

Your company already has frameworks for privacy, security, compliance, and ethics. Use them. Add one AI line to each:

“If AI touches this data, automates this process, or influences this decision, Legal must review before deployment.”

That’s 80% of your policy right there.

We discovered that more than half of our “AI governance controls” were already covered by privacy, ethics, or security standards. So we deleted the duplicates. Suddenly everyone loved our new policy.

AI doesn’t need its own religion.

It just needs better ushers.

5. Assign Accountability (Not Ownership)

The worst line in any policy: “Legal owns AI governance.”

No. Legal facilitates it. Legal guards the perimeter. But AI risk belongs to everyone who builds or uses it.

Here’s how it really works:

• Product owns the design.

• Engineering owns implementation.

• Security owns data protection.

• Legal owns the panic button.

I once told an executive, “We don’t own the models. We own the mess if you ship one without telling us.” That stuck.

Think of Legal as the air traffic controller—coordinating, not piloting.

6. Make It Visible

AI governance fails in the shadows. You need visibility.

Build an AI registry: a single list of all approved tools, models, and use cases.

Track:

• Who owns it.

• What data it touches.

• When it was last reviewed.

We built ours in Power BI. Engineers mocked it, until they realized they were building duplicate models for the same feature.

Now they love it.

Nothing says “governance win” like engineers voluntarily checking your dashboard.

7. Don’t Forget the Humans

The best AI policy in the world won’t stop Carl in sales from pasting customer data into ChatGPT unless Carl understands why that’s bad.

Training beats policy every time.

You don’t need a lecture. You need a 5-minute video or a one-pager that says:

• Don’t paste confidential data into public AI tools.

• Don’t believe everything the bot tells you.

• Call Legal before you launch anything that looks like magic.

We added a five-minute “AI sanity check” to onboarding. It cost nothing.

Within two weeks, someone caught a prompt-injection issue in a pilot chatbot.

That’s governance in action, human plus habit.

8. Report Like the Board Actually Cares

Boards don’t want technical deep dives. They want assurance and trends.

Use the language they speak:

• “5 AI use cases reviewed this quarter.”

• “2 flagged for privacy risk, 1 for ethics.”

• “0 incidents, 1 new control implemented.”

One time, our quarterly report was literally a pie chart: “AI risk exposure by category.” The Audit Chair said, “This is the first AI report I’ve actually understood.”

That’s the goal. Don’t show off your governance IQ. Show your risk visibility.

9. Build for Change

The only thing moving faster than AI is AI regulation.

EU AI Act, Brazil’s AI Bill, the U.S. Executive Order…everyone’s building the plane midair.

Don’t hard-code policy to today’s rules.

Build principles that can flex tomorrow.

Ours boiled down to four:

1. Transparency

2. Accountability

3. Privacy

4. Human oversight

That’s it. Everything else plugs into those pillars.

If your policy needs a rewrite every time the EU updates a footnote, it’s not governance, it’s job security for lawyers.

10. Make It Useful, or It Dies

AI governance isn’t compliance theater. It’s survival strategy.

A good framework does three things:

1. Catches real risk early.

2. Doesn’t kill innovation.

3. Makes Legal look like a partner, not a bottleneck.

If your engineers say “Legal actually helped,” congratulations, you’re ahead of 90% of companies.

I once had an exec tell me after an AI review meeting, “That was the least painful governance discussion we’ve ever had.”

That’s how you know it’s working.

Because AI governance isn’t about stopping the work.

It’s about making sure nobody ends up on the wrong side of a headline.

Final Thought: The Best AI Policy Is the One People Use

AI governance should be simple enough for humans, strong enough for regulators, and fast enough for engineers.

You don’t need a manifesto. You need a map.

So keep it short. Keep it real.

And when someone asks for your 40-page policy, smile and say,

“We traded that for a 4-step process that actually works.”

The lawyers who get this right aren’t writing essays. They’re shaping how AI gets built—safely, transparently, and without becoming the “Department of No.”

And honestly, that’s the best kind of legal innovation there is.