Targeted Project

AI Governance & Policy Package.

Know what your organization has decided about AI — and have the documents to prove it. Three weeks. Four deliverables. No prior AI experience required.

3 weeks

typical engagement duration
6–8 hours

total time required from your team
$3,000

fixed, all-in

Why this matters.

Most organizations haven't explicitly decided what AI use looks like for their team. Employees are making individual calls about which tools to use, which data to share, and which tasks to hand to an AI system — without any organizational policy to reference. When something goes wrong (a sensitive file shared with a public AI tool, a client deliverable built on AI output without disclosure, a vendor contract fed into a system without a data processing agreement), the absence of a deliberate policy is the liability. The Governance & Policy Package closes the gap: a structured engagement that produces the policy, the risk framework, the inventory of what tools are already in use, and the internal communication plan — built for organizations that want to get ahead of the problem, not respond to it.

What we do.

Leadership interviews — typically two to three hours with the decision-makers who shape how AI is used or should be. We don't need system access; this is a policy and governance engagement, not a technical assessment. A shadow AI inventory exercise, structured to surface which tools employees are actually using without requiring individual monitoring. A working session to develop and calibrate the Risk Tier List — the Approved / Conditional / Prohibited framework that tells employees which tools are sanctioned, which require review before use, and which are off the table. Draft deliverables for leadership review, one revision cycle, and a final delivery walkthrough with the team.

What you walk away with.

A written AI Use Policy for your organization. An AI Risk Tier List — your Approved / Conditional / Prohibited framework, calibrated to your environment and your data sensitivity. A Shadow AI Inventory capturing what tools are already in use across the organization and where each sits on the risk tier list. And a Manager Rollout Pack — one-page guidance for managers to introduce the policy to their teams without a formal all-hands or external training session. All four deliverables are yours to keep and maintain; the Risk Tier List is your framework regardless of whether we continue working together.

What's in scope.

Leadership interviews (2–3 hours, decision-makers and IT lead — no system access required). Shadow AI inventory exercise (structured, no endpoint monitoring). AI Risk Tier List development (Approved / Conditional / Prohibited framework, calibrated to your tool stack and data sensitivity). AI Use Policy drafting — an organizational policy document, not a templated PDF. Manager Rollout Pack — internal communication guidance for front-line managers. One revision cycle on all deliverables before final delivery. Delivery walkthrough (~60 minutes, leadership team).

What's out of scope.

Technical implementation of any controls or tooling — separate engagement scoped against findings. Employee AI training, facilitated all-hands presentations, or department-level rollout facilitation. Formal compliance certification work (HIPAA, SOC 2, CMMC AI addenda) — different deliverable, different scope, different credentialing. Post-delivery policy maintenance and quarterly updates — that's the AI Advisory Retainer.

This is the right engagement when…

Your organization has employees using AI tools — some formally, some informally — and leadership wants to establish a deliberate policy before the informal use becomes a problem.
A client, board, auditor, or insurer has asked about your AI governance posture and the honest answer is "we're still working on it."
You're about to make a larger AI tool or infrastructure investment and you want the governance baseline in place before the rollout, not after.
Your legal counsel or HR leadership has flagged AI tool use as a policy gap that needs closing on a defined timeline.
You completed an IT Health Check or AI Infrastructure Readiness Assessment and governance is one of the named action items.

What you receive across the engagement.

AI Use Policy Written organizational policy document, built for your environment and your team. Names acceptable use, prohibited use, data handling requirements, disclosure expectations, and the process for evaluating new tools. Not a vendor template or policy-library PDF.
AI Risk Tier List Your Approved / Conditional / Prohibited framework. Which tools employees may use freely, which require review and documented justification before use, and which are off-limits — with the rationale for each tier assignment. Maintained as a living document; yours to expand as new tools surface.
Shadow AI Inventory Documented current state of AI tool use across the organization. Which tools, which departments, which use cases, what data each tool touches, and where each sits on the risk tier list. Baseline for the policy conversation and starting point for the quarterly tier refresh.
Manager Rollout Pack One-page internal communication guide for managers. How to introduce the policy to their teams, how to handle common employee questions, and where to escalate edge cases. Designed so the rollout happens in an existing team meeting, not a separate training event.

Here's the kind of situation this engagement is built to resolve:

Stakeholder interviews surface that three different departments are using AI writing tools — two people on the marketing team using ChatGPT for client-facing content drafts, a finance analyst using an AI summarization tool for vendor contracts, and the executive director using a third tool for board communication drafts. None of the three tools have been reviewed for data handling terms. Once the Risk Tier List is built, one tool lands in Approved, one in Conditional, and one in Prohibited based on their data training and retention policies. The Manager Rollout Pack gives each department head a concrete conversation for their next team meeting — here's the policy, here's what Conditional looks like in practice for the tools you're using, here's where to bring questions. No all-hands session, no policy binder, no enforcement theater.

— Illustrative scenario · the kind of situation an AI Governance & Policy Package is built to resolve

How we're different.

Interview-based, no system access required. The assessment is built on structured conversations and documentation review — not endpoint monitoring, not system credentials, not surveillance. Useful when leadership wants to move fast without a technical dependency.
Delivered, not templated. The AI Use Policy is drafted for your organization, your data environment, and your team's actual use cases — not a generic policy PDF you fill out yourself or a compliance toolkit you license and are left to implement.
The Risk Tier List belongs to you. After delivery, it's your framework to maintain, expand, and update. The AI Advisory Retainer keeps it current on a quarterly cadence — but the document is yours regardless of what comes next.

Want to start with a policy baseline before you go further with AI?

Schedule a free discovery call

Indiana · U.S. remote