Skip to main content
AI governance & policy

A policy people follow beats a framework people frame.

AI governance and usage policies from Aun & Co.: approval gates, input rules and ownership written at workflow level — sized for teams that actually work.

AI governance fails at the extremes: fifty-page frameworks nobody reads, or a paragraph of good intentions nobody can apply. The working middle is a short policy written at the level of the actual workflow — which tools are approved, what may and may never be entered into them, where the human approval gate sits, what gets logged, and who owns the answers. The firm writes these policies from its own governed practice: every rule it drafts for clients is a rule it can live under itself.

The work spans
  • Usage policies: approved tools, prohibited inputs, approval gates
  • Governance structure: ownership, escalation, exception handling
  • Data classification tied to tool tiers — what may go where
  • Logging and review requirements proportionate to the risk
  • Policy rollout: training, attestation and the enforcement posture
  • AI use is widespread in your team and entirely ungoverned in writing.
  • A generic AI policy exists and everyone, including its author, works around it.
  • A client, insurer or regulator asked for your AI governance and there is nothing to send.
  • An input mistake nearly happened — confidential material, wrong tool — and next time is a matter of odds.

The policy is drafted from observation, not template: how the team actually works, which tools are actually in use, where the real risk moments occur. Rules are written as decisions a person can make at the keyboard — this document class, this tool tier, this approval step — and every rule carries an owner and an exception path, because a policy without an exception path is a policy people route around silently. Rollout includes the training and attestation that make it enforceable.

04 · What you get

Keyboard-level rules

Every rule answers a question someone actually faces mid-task — which tool, which data, whose approval — not a question a committee faces annually.

Practised, not theorised

The firm operates under its own AI policy daily; the drafting reflects what governed use feels like from inside.

Enforceable by design

Ownership, logging, attestation and an exception path built in — the components that separate a policy from a poster.

A typical engagement: a professional team of fifteen with a dozen AI tools in informal use. The firm drafts a four-page policy — three tool tiers, a data classification, one approval gate — runs the rollout training, and the shadow use converges into the governed channel within a month.

Described in abbreviated, anonymised form to preserve client confidentiality.

What should an AI usage policy actually contain?

Five things: the approved tools by tier, the input rules — what data classes may enter which tier, the human-approval gates for consequential outputs, the logging expectations, and a named owner with an exception path. Beyond those, length is usually a symptom.

How do you make an AI policy something people follow?

Write it at the level of their actual tasks, keep it short, give it an exception route, and pair it with training that shows the workflows rather than reciting the rules. People route around policies that ignore how the work happens — fit is the enforcement mechanism.

How quickly can a governance policy be put in place?

For a small-to-mid-size team, a drafted policy typically lands within two to three weeks — observation, draft, review round — with rollout and attestation the week after. Speed matters: every ungoverned week is exposure accumulating quietly.

Start a conversation.

The firm replies within one business day.