Where Do You Start With AI Governance? A First-90-Days Framework
## The short answer
If you are starting AI governance from scratch, do three things first: build an inventory of where AI is already being used in your organisation, name a single accountable owner, and classify each use case by risk. Everything else (policies, controls, training, monitoring) follows from those three foundations. Trying to write a perfect policy before you know what you are governing is the most common reason early programmes stall.
Good AI governance is not a one-off document. It is an operating capability that grows with your use of AI. The goal of your first 90 days is not to be finished, it is to gain visibility, assign responsibility, and prevent the highest-risk surprises.
## Days 1 to 30: see what you actually have
Most organisations underestimate how much AI is already in use. It arrives through SaaS tools that quietly added features, through individual employees pasting data into public chatbots, and through models embedded in products you bought.
Build an inventory that captures:
- The system or feature and who owns it internally
- What it does and what decisions it influences
- What data goes in, including whether any personal or confidential data is involved
- Whether outputs are shown to customers, used in regulated decisions, or kept internal
- Whether it was built in-house, bought, or accessed via an API
You do not need a fancy tool for this. A shared spreadsheet completed through short interviews with team leads is enough to start. The act of asking surfaces shadow usage you did not know about.
## Days 1 to 30: name an accountable owner
Governance fails when responsibility is diffuse. Appoint one senior person who is accountable for AI governance overall, even if the day-to-day work is shared. This person does not need to be technical, but they do need authority to set rules that engineering, legal, and the business will follow.
Around that owner, form a small cross-functional group. At minimum you want representation from:
- Legal or compliance
- Security and data protection
- A product or engineering voice
- A business owner who understands the commercial use cases
Keep it small enough to make decisions quickly.
## Days 30 to 60: tier your risk
Not every AI use case deserves the same scrutiny. A model that drafts internal meeting notes is not the same as one that screens job applicants or makes credit decisions. Define a simple tiering scheme, for example:
- **Low risk:** internal productivity, no personal data, no consequential decisions
- **Medium risk:** customer-facing content, limited personal data, human reviews outputs
- **High risk:** automated or semi-automated decisions affecting people's rights, money, safety, or access to services
Tie the level of control to the tier. High-risk systems get documented testing, human oversight, and sign-off. Low-risk ones get lightweight guidance. This is how you avoid either smothering innovation or leaving dangerous gaps.
## Days 30 to 60: publish baseline rules
With an inventory and tiers in hand, you can now write rules that mean something. Keep your first policy short and practical. It should cover:
- Acceptable use, including what data must never go into external AI tools
- A requirement to register new AI use cases before they go live
- Minimum oversight expectations by risk tier
- A clear escalation route for concerns
A two-page policy people actually read beats a forty-page document nobody opens.
## Days 60 to 90: prove the loop works
Governance only matters if it operates. In the final stretch, run your process for real on one or two live use cases. Take a medium or high-risk system through registration, risk assessment, and sign-off. You will discover where the process is unclear or too slow, and you can fix it while the stakes are low.
Also set up the simplest possible monitoring: a recurring review of your inventory, a way for staff to report problems, and a calendar reminder to revisit your tiering as regulation and your usage evolve.
## What to avoid
- **Boiling the ocean.** Do not try to govern everything at once. Start with the highest-risk uses.
- **Policy theatre.** A document with no owner and no enforcement is worse than nothing because it creates false comfort.
- **Treating it as a legal-only job.** Governance needs engineering and business buy-in or it will be quietly ignored.
This is the area where neart.ai builds enterprise-grade products, and the pattern we see repeatedly is that visibility, not paperwork, is the real first milestone.
## Practical takeaway
In your first 90 days, aim for three concrete outputs: a living inventory of AI use, a named accountable owner with a small cross-functional group, and a risk-tiering scheme that drives proportionate controls. Then run your process on one real use case to prove it works. Visibility and ownership come before policy, always.