AI GOVERNANCE & POLICY

Your People Already Use AI.
Give Them Rules That Make It Safe.

Get a board-ready AI acceptable-use policy, tuned to your security posture and your risk tolerance. Your team gets to use AI safely, and you get to see what is actually happening with your data.

2 weeks

To a board-ready policy

43%

of employees use AI at work, off the books

~70%

Of organizations have no AI policy

40 years

Of security experience leading every engagement

You Can't Govern What You Can't See

Your employees use AI. The question is whether you know which tools, with what data, and whether you would catch a problem before it became a headline. Most companies cannot answer that today. The two reflexive fixes, banning it or ignoring it, both leave you exposed.

Data leaving through personal accounts

People paste company and customer-confidential information into personal ChatGPT and Claude accounts. Around 4.7% of employees have pasted sensitive company data into public AI tools, and just 0.9% account for 80% of everything that leaks out. Source code has now passed customer data as the second most-leaked type.

Source: Cyberhaven

Prompt injection you would never see

Hidden instructions can ride in on an ordinary email, document, or web page, telling an AI assistant to forward anything matching “password reset” or “invoice” to an outside address. The assistant can act on it by itself. No click, no security alert. Prompt injection is the number one risk on OWASP’s list for large language models.

Source: OWASP

Banning it does not work

A ban does not stop the use. It pushes it into the shadows, keeps every bit of the leakage risk, and hands the productivity gains to your competitors. 43% of professionals use AI at work, and 68% of them don’t tell their employer.

Source: Fishbowl

Ignoring it is worse

More than 70% of organizations already have AI in production, but governance has not kept up. Half of employees use generative AI at work, often through personal accounts no one is tracking. Every week without a policy is another week of exposure you cannot measure.

Source: Forrester

What You Walk Away With

Every deliverable is built around how your company actually works: your stack, your posture, your risk tolerance. These are the pieces that turn a policy from a document into something people follow.
acceptable use policy

AI Acceptable-Use Policy

The core document, written for your stack and your risk tolerance. Clear rules your board can sign off on and your people can actually follow.
Approved

Approved Tools List

Which AI tools belong on your list and which do not, with the reasoning behind every call so you can defend it later.

roadmap

Staged Adoption Roadmap

A plan to widen AI access as your guardrails mature, so you can keep saying yes to more over time instead of freezing on day one.
Alert

Incident-Response Addendum

What to do when something goes wrong with AI, so the honest answer to “would we even know?” finally becomes yes.
toolkit

Rollout Kit

An employee acknowledgment form and a suggested rollout approach, so the policy lands with your team instead of sitting in a shared drive.

briefing

CISO Briefing & Recommendations

A readout with your leadership and high-level security-posture recommendations, delivered by the person who led the work.

How the Engagement Works

About two weeks from kickoff to a finished policy, with a short check-in a couple of weeks after delivery. Mostly remote working sessions, with the drafting done asynchronously.

Phase 1: Discovery & assessment

We learn your stack, your current security posture, your risk tolerance, and how your people are really using AI today.

LIVE WORKING SESSIONS

PHASE 2: Policy Drafting

We draft the acceptable-use policy, the approved-tools list, and the staged roadmap, tuned to what we found in discovery.

ASYNC DRAFTING

PHASE 3: ROLLOUT & ENABLEMENT

A review session, the final artifacts, the acknowledgment form, a rollout approach, and a CISO briefing for your leadership.

~45-MIN CHECK-IN TWO WEEKS LATER

OPTIONAL ADD-ON

Gap Assessment

Where your controls stand against where they should be, with implementation guidance to close the distance. Runs 30 to 45 days, mostly dependent on the information you provide.
OPTIONAL ADD-ON

Shadow AI Detection

A bounded, one-time report on which AI tools are actually in use across your company, mapped to data-exposure risk and your approved-tools list. Built from data you already have, with an optional monitoring trial.

This Service is Right For Companies That...

Are security-aware with an infosec policy in place or clearly on the way, but have not gotten to AI yet.
Answer to SOC 2, PCI, or customer security reviews, without being HIPAA-driven.
Want a done-for-you policy from people who have done this before, not a project to staff and figure out alone.
Know their people use AI but have no policy governing it.
Do not have a full-time CISO already carrying this.
Run 50 to 500 people from startups through mid-market.

Put Rules Around AI Before You Need Them.

Tell us how your team is using AI today. We will tell you straight what your policy needs to cover and how we would build it.

Related Resources

The AI Paradox: Why the Heaviest AI Users Are Also the Busiest

Companies adopting AI hardest are somehow more swamped than before. Here's what's actually happening — and what to do about it.

AI and the Future of Software Engineering: A New Path to Senior Engineer (Part Two)

In Part One, we explored how AI is subsuming mid-tier software engineering work—the reliable translation of specifications into code that once formed the backbone of ...

AI and the Future of Software Engineering: The Broken Career Ladder (Part One)

In the beginning (of compute), the machine programmer and operator were one and the same, literally patching cables and toggling switches, holding the entire computation ...
Scroll to Top