This post answers: Why most AI policies fail before they’re enforced, what the smallest governance system that actually works looks like, and how to build it without slowing down the team using AI to do real work.
Most mid-market businesses are stuck between two bad options on AI governance.
Option one is to do nothing formal and hope it works out. Send an email reminding the team to be careful. Trust that good judgment will fill the gap. This is what most businesses are doing right now, and it is exactly how the structural problems described in the rest of this series compound month over month.
Option two is to copy what enterprise legal departments are doing. Hire a consultant. Build a 50-page policy. Spend six months on review cycles. Roll out a framework so comprehensive that no one on the team can remember what it actually says, so they fall back on the email-and-hope version anyway.
There is a third option, and it is the one almost no one is talking about. It does not require a consultant, a committee, or a six-month rollout. It requires five decisions, made clearly, written down, and shared with your team. That is the entire framework.
After four years studying what AI is actually doing inside companies, the pattern that keeps showing up in the research and in the conversations is consistent: the businesses that govern AI well are not the ones with the most comprehensive policies. They are the ones who made a small number of structural decisions early and stuck to them.
This is Minimum Viable Governance. Five decisions. One named owner. One page of policy. Real, enforceable, finished in weeks instead of quarters.
Why Comprehensive Governance Usually Fails
MIT’s Center for Information Systems Research has documented this pattern clearly. Organizations that roll out comprehensive AI governance frameworks frequently end up with the worst of both worlds: governance no one enforces, innovation that stalls, and shadow AI that expands precisely because the formal system creates more friction than it removes.
The failure mode is not the ambition of the policy. It is the absence of a named human with real authority to enforce it. Governance that requires people to choose the right behavior every time, without anyone owning the consequences when they do not, is not governance. It is a suggestion.
Effective governance has one named person at the center with real authority. The ability to say no. The authority to pause a deployment. The mandate to require a review. The accountability when something goes wrong. That single design choice does more for governance than 50 pages of policy ever will.
The other failure mode is length. A policy longer than one page does not get read. A policy that does not get read is not governance. It is paperwork the legal team can point to after an incident.
Minimum Viable Governance is built around what actually works: one owner, one page, five decisions. That is enough to meaningfully reduce risk without creating the paralysis that kills adoption.
The Five Decisions
These are the smallest set of governance choices that meaningfully change how AI operates in your business. Not policies. Not frameworks. Decisions, made by specific people, that define how AI works in your organization from this point forward.
Decision 1: Name the AI Owner.
One person. Named publicly, with a mandate and real decision authority over tool approval, output standards, and use case governance.
Not a committee, because committees diffuse the accountability you are trying to create. Not IT by default, because this is a business-operations role, not a technology role. The AI Owner is the person your team calls when something goes wrong, and the person who can stop a workflow producing bad output without scheduling a meeting to discuss it.
One thing worth naming plainly: consolidating accountability that currently lives everywhere and nowhere is a political act as much as an operational one. Some people benefit from the current ambiguity. When you move to name a single owner, expect friction. That friction is not a problem to solve. It is confirmation that the role matters.
Decision 2: Run the Shadow AI Audit.
Before you govern anything, you need to know what is running. WalkMe and SAP’s 2025 research found that 78 to 80% of employees use AI tools their organization never approved. Whatever you think your AI footprint is, the real one is almost certainly larger.
This is not a punishment exercise. Survey your team, ask what tools they are using and for what, and build a simple inventory: tool name, use case, data types accessed, user count, preliminary risk level.
You cannot govern what you have not seen. Most organizations discover more is running than they expected. That is the point.
Decision 3: Write a one-page policy.
If it is longer than one page, your team will not read it. A policy no one reads is not governance.
Four things on the page: which tools are approved, what data can go into those tools, who reviews outputs before they reach a client or decision-maker, and what constitutes a reportable incident.
That is the whole document. Simple enough to follow. Short enough to remember. The first time someone on your team can quote your AI policy from memory is the first time governance is actually working.
Decision 4: Establish risk tiers.
Not every AI task carries the same stakes. An internal meeting summary is not the same as a client proposal, which is not the same as anything touching financial advice, legal exposure, or patient data. Treating them the same is what creates either too much friction or too little oversight.
Three tiers cover most situations.
Tier 1 is high-stakes. Anything that affects clients, revenue, compliance, or legal exposure. Client deliverables, proposals, contracts, financial analysis, recommendations, or anything that could create liability. The rule is simple: nothing in Tier 1 leaves your business without a named human reviewing it against a defined standard.
Tier 2 is important but lower-stakes. Internal documents that influence decisions, drafts that will later become client-facing, research summaries, or analysis used to guide direction. These do not require full review every time, but they do require periodic spot-checking and a clear approval step when the output is used in a meaningful decision.
Tier 3 is low-consequence internal work. Meeting notes, brainstorming, first drafts, internal summaries, or tasks where errors create inconvenience but not risk. Approved by default for standard internal use without formal review.
Assign every use case a tier. Then flag every Tier 1 workflow currently running without a named reviewer. That list is your priority queue.
Decision 5: Define what output review actually means.
Most organizations say they review AI output. What usually happens is someone glances at it and moves on. That is not review. That is approval by inertia.
Output review means a named person has confirmed the output meets the standard required for its purpose before it leaves the building. For Tier 1 work, that standard needs to be explicit: accuracy verified, sources checked, brand voice confirmed, no hallucinated facts, no sensitive data exposure.
Name the reviewer for every Tier 1 and Tier 2 workflow. Log it. That log becomes your audit trail when something goes wrong, and it becomes your evidence of governed AI use when a buyer, insurer, or regulator asks.
What MVG Is Not
It is worth saying directly what Minimum Viable Governance is not, because the term itself can be misread.
It is not a temporary measure you replace later with “real” governance. For most mid-market businesses, MVG is the destination, not the starting point. The enterprise version of governance is built for compliance bureaucracies and global regulatory environments. A 200-person business that adopts that model imports the friction without the benefit.
It is not a substitute for the cultural work. MVG addresses the structural layer. It does not fix the behavioral one. The conversations about fear, role evolution, and what AI changes about the work still have to happen. MVG just gives those conversations something concrete to organize around.
It is not a one-time exercise. The five decisions need to be revisited as your AI footprint grows. The tools change. The use cases multiply. The risk tiers need updating. MVG is a system you run, not a document you file.
And it is not enough on its own to capture the full Governed Advantage. The companies that turn governance into a competitive position do more than this baseline. But this baseline is the structural floor underneath everything else, and almost no one has it.
How to Build Minimum Viable Governance
The five decisions are the framework. Here is the sequence that actually gets them implemented.
Step 1: Name the AI Owner this week. Not next quarter. This week. One specific person, announced publicly, with a clear mandate. The longer this decision sits unmade, the longer everything downstream of it stays stuck. The owner does not need a perfect job description on day one. They need authority and a starting point.
Step 2: Run the Shadow AI audit in the first 30 days. Use the framework from the Shadow AI piece: visibility owner announces the audit in advance, frames it as a system exercise not a behavior exercise, guarantees no consequences for what surfaces. Build the inventory. Map the data flow. Identify which tools are solving real problems and which ones are creating exposure.
Step 3: Draft the one-page policy in week five. Once the audit gives you the real picture of what is running, write the policy to match. Approved tools, allowed data types, review responsibilities, incident reporting. One page. Have the AI Owner write the draft, get input from two or three department heads, finalize within two weeks.
Step 4: Assign tier ratings to your top 20 AI use cases. Not every workflow at once. Start with the 20 most active or highest-stakes use cases identified in the audit. Tag each one Tier 1, Tier 2, or Tier 3. The Tier 1 list becomes your immediate accountability priority.
Step 5: Name a reviewer for every Tier 1 workflow. Specific person, by name. Document it. This is where governance becomes operational. The reviewer for every Tier 1 workflow knows it is their job to confirm the output meets the standard before it leaves the building.
Step 6: Run a quarterly review. MVG is not done at launch. Every 90 days, the AI Owner reviews the inventory, updates the tier assignments, audits the review log, and adjusts the policy if anything has materially changed. This is what keeps MVG from becoming the same kind of paperwork the comprehensive version produces.
The whole thing can be in place within 90 days. The cost is mostly attention, not money. The result is a structural floor that meaningfully changes how AI operates in your business, without the months of paralysis that the enterprise-grade version creates.
Why This Cannot Wait
The remediation cost of ungoverned AI compounds. Research suggests businesses that implement basic governance within six months of serious AI adoption face roughly half the remediation cost of those that wait a year. Every month of delay is not just delay. It is debt being added to a structural problem that has to be fixed eventually.
The other reason this cannot wait is the market shift. AI governance is on the same trajectory SOC 2 was on a decade ago. It went from nice-to-have to differentiator to table stakes in roughly ten years. AI governance is completing the same journey in about three. The window where having a governed AI operation is a competitive position rather than a baseline requirement is closing fast.
The leaders who build MVG in the next quarter will spend the rest of the year operating with structural advantage. The ones who wait will spend the same quarter explaining to buyers, insurers, and their own boards why their AI footprint is still ungoverned.
Frequently Asked Questions
Why only five decisions? Won’t a real policy need to be more comprehensive? Comprehensiveness is what kills most AI policies. MIT research shows that policies long enough to cover every scenario become policies no one reads, which means no one follows. The five decisions are deliberately narrow because they cover the structural layer where governance actually lives: ownership, visibility, behavior, risk calibration, and review. Adding more decisions does not strengthen the framework. It dilutes it.
Who should the AI Owner be? Is this an IT role? Not by default. The AI Owner is a business-operations role with executive sponsorship, not a technology role. They need to understand the business, have authority across functions, and be senior enough to enforce decisions. A COO, head of operations, or strategically-positioned VP is usually a better fit than the CIO. If your business is small enough that the owner or CEO can play this role directly, that often works best.
What if I cannot get executive buy-in for naming an AI Owner? Start with a function-level version of MVG within your department. Name yourself or someone on your team as the function’s AI Owner. Run the audit within your function. Draft a one-page policy for your team. Establish tiers and reviewers for the workflows you control. This gives you the proof case to bring to executive leadership, and it closes the most immediate gaps in your own area while you build the broader argument.
How is this different from the AI governance frameworks consultants are selling? Enterprise governance frameworks are built for compliance environments with regulatory mandates, global operations, and dedicated risk functions. They are designed for organizations where the cost of incomplete coverage is a regulatory fine. MVG is built for mid-market businesses where the cost of comprehensive coverage is paralysis. Different problem, different solution. MVG focuses on the smallest set of decisions that meaningfully reduce risk without freezing adoption.
Is one page really enough for a policy? Yes, because the policy is not the governance. The five decisions are the governance. The one-page document is just the artifact that makes the decisions visible and shareable. The AI Owner, the audit process, the tier system, and the review log do the actual work. The policy page is what your team reads and remembers. Anything longer stops being read, which makes it less effective, not more.
Find Out Where Your Governance Gaps Are
Most leadership teams are running on a more optimistic picture of their AI governance than the one their business actually reflects. The AI Blind Side Assessment is a 12-question diagnostic that takes under five minutes and tells you where your visibility, accountability, and capability gaps are forming โ the same gaps Minimum Viable Governance is designed to close.
You will see which of the five decisions are unmade in your business, where your accountability gaps live, and what to address first.


