A practical guide to AI governance in professional services firms.
How to build governance that people actually follow — starting from evidence, not from policy documents written before anyone used AI in their real work.
What this guide covers
Why most AI policies are written too early — and what happens when governance is built on hypothetical risk rather than observed practice.
Where the evidence for good governance actually comes from — and why it can't be manufactured without real AI use in real work.
What makes the difference between a standard people ignore and a standard people follow.
How to turn governance from a one-time document into an ongoing rhythm that evolves with your firm's AI usage.
The problem with early governance
Most professional services firms that have written an AI policy did so before anyone had seriously used AI in their actual client work. The policy was written from hypothetical risk: what could go wrong, in theory, if people used AI for sensitive tasks. The result is usually a document that's either too restrictive — blocking useful work that people then do anyway, quietly — or too vague to protect anything.
This isn't a criticism of the people who wrote those policies. They were doing the responsible thing with the information they had. The problem is structural: you can't write good governance for a technology your organisation hasn't meaningfully used yet. You don't know what the real risks are. You don't know which are serious and which are manageable. You don't know what verification actually needs to look like for your specific work.
The result is governance that gathers dust. People know the policy exists. They don't follow it — not because they're reckless, but because it doesn't connect to how they actually work.
Where governance evidence comes from
The alternative is to let governance emerge from evidence — specifically, from what your people discover when they build and test AI tools against their real work.
A lawyer builds an AI tool for contract review and discovers that it handles standard clause identification well but needs explicit jurisdiction context to interpret clauses correctly. An advisor builds a first-draft report writer and discovers that it occasionally fabricates data points. A recruitment consultant builds a candidate brief generator and discovers that it gets the tone right for one client type and completely wrong for another.
Those aren't hypothetical risks. They're specific findings from real use. And they're the foundation for governance that people will actually follow — because the people who discovered the risks are the same people who will follow the standards. They experienced why each standard matters.
The key principle
Governance written before anyone has used AI in real work produces policy based on hypothetical risks. Governance written after supervised builds produces standards based on named failure modes. The second kind is three sentences long and people follow it. The first kind is twenty pages long and nobody reads it.
Writing standards people actually follow
The best AI governance standards we've seen in professional services firms share three characteristics. They're short — three sentences, not three pages. They're specific to a task — not generic advice about "reviewing AI output for accuracy." And they're written by the people who do the work, not by the compliance team working from a template.
A governance document that nobody reads protects nothing. A three-line standard pinned to a workflow that people use every day protects everything.
What a good standard looks like
A typical policy might say: "All AI-generated content must be reviewed by a qualified professional before being shared with clients." That's technically correct and practically useless — it doesn't tell the reviewer what to check or what the specific risks are for their kind of work.
A good standard says: "First-draft client reports produced with AI assistance must be checked for: (1) any data points or statistics, which AI occasionally fabricates, (2) tone consistency with our house style, and (3) client-specific context, which must be added manually." Three sentences. The reviewer knows exactly what to look for and why. It was written by an advisor who discovered those three issues through real use.
This is counterintuitive for firms used to comprehensive policy documents. But comprehensiveness is the enemy of compliance when it comes to AI standards. A short, specific standard attached to the workflow where it applies ensures that everyone sees it at the moment it matters.
Governance as a rhythm
Standards written after a build sprint are a starting point, not a destination. AI models change. New use cases emerge. People discover new failure modes as they use their tools in different contexts. Governance that works is a rhythm — a regular cycle of review, update, and shared learning — not a document that gets approved once and filed.
In practice, this means a cadence: a monthly or quarterly review where teams share what they've learned about AI reliability in their work, standards get updated based on new evidence, and leadership gets a clear picture of how AI usage is evolving. The review doesn't need to be long — an hour is usually enough. What matters is that it happens consistently and that the outputs are documented and visible.
This is what turns a project into a capability. Without the rhythm, the initial standards decay over time as conditions change. With it, governance evolves at the same pace as AI usage.
What good governance looks like
In a firm with effective AI governance, every team that uses AI for client-facing work has specific standards for their specific tasks. The standards are short and attached to the workflow. Leadership can see how AI is being used, what standards apply, and whether they're being followed. New team members learn the standards as part of onboarding. And there's a regular rhythm for updating everything based on what people are learning in practice.
It doesn't look like a compliance exercise. It looks like a well-run firm that happens to use AI — with the same discipline it applies to everything else that matters.
The firms that get there don't start with governance. They start with discovery and building. The governance emerges naturally — grounded in evidence, written by practitioners, and maintained through a rhythm that keeps it current. That's the sequence that works.
This is the governance approach built into our methodology. AI Empowerment: Top Down, Inside Out explains the full sequence in detail.