
How to start AI governance without hiring a lawyer or a PhD

Five concrete steps you can finish in 30 days. No frameworks, no acronyms, no boil-the-ocean. Just the order to do things in so you stop worrying about what your staff might paste into ChatGPT, Claude, or Copilot.

Reviewed by Level Up Automate.

TL;DR
  • You don't need a 40-page policy to start. A one-pager and a staff conversation cover 80% of the risk.

  • Start with what's already happening in your business, not with a framework.

  • The first 30 days of work are the most valuable. Anything more sophisticated can come later.

Step 1: Find out what's actually happening (week 1)

Before you write any policy, you need to know what AI is already in use at your company. The honest answer is almost always more than you think.

Send a one-question email to every team: "What AI tools have you used for work in the last 30 days, even casually?" Promise no judgment. You'll learn that someone in marketing is using ChatGPT to draft proposals, someone in operations is running meeting notes through an AI summarizer, and your sales team has been pasting customer emails into a tool you've never heard of. None of this is bad — but you can't govern what you don't know about.

  • Send the one-question email. Set a 48-hour deadline.
  • Build a simple list: tool name, who's using it, what they use it for, what data they put in.
  • Don't punish anyone for what they disclose — you'll get a real list.

Step 2: Decide on three rules (week 2)

You don't need a policy yet. You need three rules every employee can repeat from memory.

Most good starter policies boil down to this: which tools are approved, what data is off-limits, and who to ask when in doubt. That's it. Pick three rules that are clear, defensible, and easy to remember. You can add nuance later, but if your rules can't fit on a sticky note, your team won't follow them.

  • Rule 1: Approved tools are X, Y, Z. Anything else, ask first.
  • Rule 2: No client data, financial data, or HR data goes into AI tools unless we've cleared the tool.
  • Rule 3: When AI helps you produce work that goes to a customer, a human reads it before it sends.

Step 3: Have one short conversation with the team (week 3)

Don't email the rules. Hold a 30-minute meeting — virtual is fine — and walk through them. Why these three? Because we've seen what happens when companies skip them.

The goal of this meeting is not to create fear. It's to make staff feel like the company has their back. Most employees are using AI because they're trying to do their jobs faster. They're not trying to leak data. A clear conversation means they can keep using AI productively without the constant low-level worry of "am I going to get in trouble for this?"

Step 4: Write the one-pager (week 4)

Now write it down. One page. Plain English. No legal disclaimers. The document exists to be read, not filed.

Sections we recommend: a one-paragraph intro, the three rules, examples of what's allowed and what isn't, who to contact with questions, and a date for the next review (we recommend quarterly for the first year). If you want a head start, see our [AI Policy Template](/ai-governance/ai-policy-template) — it's structured exactly this way.

Step 5: Pick a review date and stop worrying (ongoing)

AI is moving fast, but your governance doesn't have to. Pick a review cadence — quarterly is fine — and put it on your calendar. In each review, ask three questions: What new tools showed up? Did anyone hit a problem? Do we need to update a rule?

That's it. You're now doing AI governance. It's not a project, it's a 30-minute meeting four times a year. Anything more elaborate is a luxury you can add when the basics are working.

Common questions

Plain-English answers

Do I really not need a 40-page policy?

Not to start. The companies with 40-page policies that no one reads are in worse shape than the companies with one-page policies that everyone follows. Get the one-pager working first; expand from there if your industry or insurer requires it.

What if a regulator audits me?

A clear, dated, communicated policy — even a short one — is better than a long one no one has read. Auditors generally want to see that you've thought about it, that staff know the rules, and that you review periodically. The one-pager passes that test for most small and mid-size businesses.

How long until we need something more sophisticated?

If you're under 200 employees and not in healthcare, finance, or legal, the one-pager will likely serve you for a year. If you're in a regulated industry or you're growing fast, plan to revisit at six months and add specifics around vendor risk and incident response.

Can you help us run this?

Yes. Most clients hire us to run steps 1-4 in two weeks, then leave them with the playbook to run step 5 themselves. Book a free 30-minute call and we'll scope it.

Next step

Want a hand getting this right?

A 30-minute conversation often saves weeks of guessing. We'll talk through your team, your data, and what to do first — no slide deck required.