Governance silently entered most businesses through the same door as the tools. Its presence was announced much later. A contract that asked about it. A regulator that mentioned it. A procurement form that would not accept that silence. By the time anyone got around to building a structure, the structure was being built backwards, working from the requirement to the response. That is how governance acquired its reputation as a brake. A thing that forces you to stop and assess. A thing that says no. A thing that exists to hold you back.
That reputation is half deserved. There is a side of governance that does say no, and does slow things down, and does exist to stop people from doing the wrong thing. That half is real, and a business that ignores it pays for it sooner or later.
But it is only half. And building a business around the half that says no is the surest way to get the half that says yes wrong.
The other half is harder to see because it is not punitive. It does not enforce anything. It does not stop anyone. What it does is steer.
That distinction matters because the question every business now faces is no longer whether to use AI. AI is already in the business. The tools are paid for. The features are switched on. The workflow nobody signed off is already running. The question is whether anyone is steering what is already in motion.
A brake can only ever do one thing. It can stop you. When the technology updates, when a new regulation lands, when a client asks how a decision was made, when an insurer wants your position, a business with only a brake stops dead to assess the damage. A business with a steering system keeps its foot down.
That is the half nobody is selling, because it is hard to sell. It is structural. It is invisible from outside. It does not show up on a quarterly slide. But it is what separates the businesses that pull ahead from the businesses that get caught reassessing every time the ground shifts.
Without structure, every new AI tool is a risk you cannot price. So the answer defaults to no. No to the procurement question you cannot answer. No to the client who needs to see your AI position in writing. No to the adoption of a better tool, because nobody can say what the old one was doing or how to unwind it cleanly. No, because a tool you rely on just changed its terms overnight.
With structure, the answer can be yes. Yes to a new tool. Yes to a new client. Yes to a new market. Yes to the procurement questionnaire that arrives in your inbox this afternoon. Yes to the regulator’s letter that lands tomorrow. Yes to the question, asked in the room, about how a decision was made.
Governance done properly is not the cost of doing the work. It is becoming the condition of being allowed to.
If governance were a checklist, every business would need the same one. Apply the framework, tick the boxes, file the documents. That is the model most of the market is built on, because it is easier to sell.
But it is not how governance works in practice. Every business is using AI differently. The tools are different. The data is different. The clients asking the questions are different. The risk a fintech holds is not the risk a defence contractor holds is not the risk a legal practice holds. A framework applied without translation produces documents that satisfy a template but cannot be defended in the room when someone actually asks.
So we do not arrive with a framework. We arrive with questions.
The first thing we do is not propose. It is ask.
- What is your team actually using?
- What is each of those tools doing with your data?
- What contract are you holding with each vendor, and what does it say about how that data is used?
- What does your team need to anonymise before putting it into these tools?
- What happens when there is a data breach?
- What would you send a client’s procurement team this afternoon, if they asked?
- Who, if anyone, decided this was alright?
These are not questions a framework can answer for you. They are questions you have to answer for yourself, in the actual context of your business, with the actual people involved. Our job is to ask them well, listen carefully, and find what is really there, not what you think is there.
Before any paid work begins, we offer a structured diagnostic. It is a conversation, not an audit. We walk through your AI use across the business: the tools, the data, the contracts, the people, the questions you already half-know are coming.
By the end of that conversation, two things are clear. You have a picture of your current position, mapped against the questions a client, regulator, or insurer would actually ask. And we have a picture of where the structure needs to go.
If there is useful work to do, we propose a clear scope, sequence, and price. If there is not, you leave with a clearer view of what to look at next, and no obligation either way.
The work that follows is shaped to your business. Not adapted from someone else’s template. Not borrowed from a more regulated sector and toned down. Shaped from the answers we gathered with you. In most cases, that means a foundational set of documents, all bespoke to your situation:
- 01
AI register
Captures what you are using, where, and on what data.
- 02
Acceptable use policy
One your team can actually follow.
- 03
Vendor due diligence framework
For the contracts you hold and the ones you are considering.
- 04
Incident and escalation playbook
For when something goes wrong.
- 05
Governance assessment
Captures where you stand against the obligations that actually apply to you.
In some cases, the shape is different. An EU AI Act readiness review where the exposure is on that side. A workshop to bring a leadership team up the curve. A focused piece of work on a single high-risk system. The shape of the work follows the shape of the business.
When the build is complete, we hand it over in a session designed to make sure the documents are not just delivered but absorbed. You and your team walk through each one. We answer questions. We agree what changes if anything still does not fit.
What you are left with is not a folder that gathers dust. It is a working structure. Documents your team can read, use, and defend. A reference point for every future AI decision. An answer ready before the question is asked.
For thirty days after handover, we are available for follow-ups, clarifications, and the inevitable real-world questions that emerge once the structure is in use.
Some clients want a structure delivered and then to run it themselves. That is a complete engagement.
Others want a continuing relationship. A regular review. A sounding board. Someone to call when a procurement question arrives that the existing structure does not quite cover. We offer a maintenance arrangement for that, and for businesses where AI governance has become a significant ongoing concern, a fractional governance lead role that sits inside the business on a monthly basis.
The right shape is whichever one serves the business. We will tell you, honestly, which one we think that is.