
Enterprise AI Adoption: The Governance Gap

24 September 2024 · 2 min read

Every enterprise I interact with is piloting LLMs in some capacity. GPT-4o for customer support drafts. Gemini 1.5 for document analysis. GitHub Copilot for engineering. The experimentation is happening fast. The governance is lagging behind.

The governance gap

Most organizations have clear policies for data access, code deployment, and vendor selection. Almost none have equivalent policies for AI tool usage. Engineers are pasting proprietary code into ChatGPT. PMs are feeding confidential roadmaps into Claude. Marketing is generating customer-facing content with no review process.

This isn't malice — it's enthusiasm outpacing policy.

What a minimum viable AI governance framework looks like

Data classification for AI inputs. What data can go into external AI tools? We created three tiers: public (fine for any AI tool), internal (approved AI tools with enterprise agreements only), and restricted (never input into external AI). Simple, enforceable, and better than no policy.

Output review requirements. AI-generated code must pass the same review standards as human-written code. AI-generated customer communications must be reviewed before sending. AI-generated analysis must be verified against source data. These aren't new standards — they're applying existing standards to new tools.

Approved tool list. Not every AI tool gets a blanket approval. We maintain a list of sanctioned tools with enterprise agreements that include data handling provisions. Using unsanctioned tools isn't forbidden — but it is flagged for security review.
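One way to make the "flagged for security review" step concrete is to run egress or proxy logs through a small review script that separates sanctioned AI tools from everything else that looks like an AI service. The code below is an added example, not the author's or their organization's tooling; the log format, the hostnames, the sanctioned-tool list and the `example-llm.ai` domain are all constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed sanctioned tools: hosts covered by an enterprise agreement with data
# handling provisions. This list is an assumption for the example, not the
# post's actual approved-tool list.
SANCTIONED_HOSTS = {
    "api.openai.com": "OpenAI, enterprise agreement (assumed)",
    "api.anthropic.com": "Anthropic, enterprise agreement (assumed)",
}

# Hostname patterns that indicate *some* AI/LLM service is in use, sanctioned
# or not. Constructed for the example; a real deployment would maintain this
# catalogue from its CASB or proxy vendor.
AI_HOST_PATTERNS = [
    re.compile(r"(^|\.)openai\.com$"),
    re.compile(r"(^|\.)anthropic\.com$"),
    re.compile(r"(^|\.)huggingface\.co$"),
    re.compile(r"(^|\.)example-llm\.ai$"),  # hypothetical unsanctioned tool
]

# Assumed proxy log format: "<timestamp> <user> <method> <url> <bytes_sent>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"https?://(?P<host>[^/\s:]+)\S*\s+(?P<bytes>\d+)$"
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """
2024-09-24T09:12:01Z alice POST https://api.openai.com/v1/chat/completions 2048
2024-09-24T09:13:45Z bob POST https://chat.example-llm.ai/api/prompt 51200
2024-09-24T09:14:02Z carol GET https://intranet.corp.example/wiki 900
2024-09-24T09:15:30Z dave POST https://api.anthropic.com/v1/messages 4096
2024-09-24T09:16:11Z erin POST https://huggingface.co/api/inference 8192
"""


@dataclass
class Finding:
    ts: str
    user: str
    host: str
    bytes_out: int
    reason: str


def is_ai_host(host: str) -> bool:
    """True if the host matches any known AI-service pattern."""
    host = host.lower()
    return any(p.search(host) for p in AI_HOST_PATTERNS)


def is_sanctioned(host: str) -> bool:
    """True if the host is on the approved-tool list."""
    return host.lower() in SANCTIONED_HOSTS


def parse_line(line: str) -> Optional[dict]:
    """Parse one log line; returns None for blank or malformed lines."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def review(lines) -> List[Finding]:
    """Flag requests to AI services that are not on the sanctioned list.

    Sanctioned tools and non-AI traffic pass silently; unsanctioned AI
    traffic is recorded for security review rather than blocked, matching
    the "flag, don't forbid" policy described above.
    """
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank/malformed lines instead of crashing
        host = rec["host"]
        if not is_ai_host(host) or is_sanctioned(host):
            continue
        findings.append(Finding(
            ts=rec["ts"],
            user=rec["user"],
            host=host,
            bytes_out=int(rec["bytes"]),
            reason="AI tool not on sanctioned list; review data handling",
        ))
    return findings


def bytes_by_user(findings: List[Finding]) -> Dict[str, int]:
    """Total bytes sent to unsanctioned AI tools, per user."""
    totals: Dict[str, int] = {}
    for f in findings:
        totals[f.user] = totals.get(f.user, 0) + f.bytes_out
    return totals


if __name__ == "__main__":
    for f in review(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.user} -> {f.host} ({f.bytes_out} bytes): {f.reason}")
```

On the sample input only `bob` and `erin` are flagged: `alice` and `dave` use sanctioned hosts and `carol` is not talking to an AI service at all. The byte count per user is what turns a flag into a useful review item, since a large upload to an unsanctioned tool is the case where the data-classification tiers above matter most.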

Training, not restriction. Banning AI tools drives usage underground. Training people on responsible use keeps it visible and improvable. We run monthly sessions on effective and safe AI usage.

The PM's role

PMs sit at the intersection of engineering, business, and compliance. We're uniquely positioned to champion responsible AI adoption — fast enough to capture value, careful enough to manage risk.

The companies that get governance right won't be the ones that moved slowest. They'll be the ones that moved deliberately.
