Most mid-market consulting firms adopting AI do not have a CTO, a security team, or an appetite for a forty-page policy document. That is fine. You do not need any of those to govern AI responsibly. You need five decisions made well, written down on roughly one page, and actually followed. Here is the template.
1. Data scope
Decide what data is allowed into which tools. The line that matters most is client-confidential material: what can be pasted into a general-purpose model, what must stay inside an approved environment, and what never leaves your systems at all. Most governance failures are really data-scope failures. Settle this first and in writing.
2. Model choice
Decide which tools are approved for which kinds of work, and publish the list. The goal is not to lock people down — it is to prevent "shadow AI," where individual staff quietly route client work through whatever tool they happen to like. An approved, sensible list that people can actually work within beats a restrictive one they route around.
3. Human review
Decide where a human must check output before it reaches a client. This is the human-in-the-loop line, and it should be explicit: which deliverables can go out with light review, and which require a named person to sign off. AI accelerates the draft; a human still owns the judgment. Say clearly where that ownership sits.
4. Audit trail
Decide how you record what was AI-generated. When a client asks — and in regulated verticals they will — "was this produced with AI, and how was it checked?", you want to answer honestly and immediately. A lightweight record of what was AI-assisted and who reviewed it turns a potentially awkward question into a demonstration of rigor.
5. Decommission
Decide, in advance, how you retire or replace a tool. AI tools change fast; the one you standardize on this year may not be the right one next year. Knowing how you will switch — where the prompts, templates, and institutional knowledge live so they survive a tool change — keeps you from being locked in by inertia.
Governance as a trust asset
Handled this way, governance is not a compliance chore bolted on after the fact. It is a trust asset you can put in front of a client. In sectors where data sensitivity and defensibility matter, being able to show that your firm made these five decisions deliberately is a genuine differentiator — often the difference between a cautious client saying yes and saying not yet.
Five decisions. One page. Reviewed as the tools evolve. That is governance a firm without a CTO can actually run.