The minimum: an approved-tools list, a data-handling policy, an output review process, access controls, and escalation paths. Put those five in writing and you've prevented most of the failures that make headlines.
The five guardrails
1. Approved-tools list
Decide which AI tools staff may use, and for what. Without this, people use random unvetted apps and your data scatters. Keep a short living list of approved tools and the tasks each is cleared for.
2. Data-handling policy
State plainly what data can and cannot go into AI tools. Tie it to your data privacy checklist. Everyone should know that customer records and secrets never go into a consumer chatbot.
3. Output review process
Define where a human must check AI output. Low-risk tasks (drafting, summarising) can run with light review; consequential ones (anything customer-facing, financial, legal) need a named reviewer before anything ships.
4. Access controls
Not everyone needs access to everything. Limit who can connect AI to which systems and who can send which categories of data. The principle of least privilege applies to AI as much as to any other tool.
5. Escalation paths
Decide in advance what happens when something goes wrong — a bad output reaches a customer, sensitive data is mishandled, an agent misbehaves. Who is told, who can switch it off, and how fast.
A one-page policy template
| Section | What to write |
|---|---|
| Approved tools | The tools we use and the tasks each is approved for |
| Allowed data | What may and may not be entered into AI tools |
| Review | Which outputs need human sign-off before use |
| Access | Who can use what, and who connects AI to internal systems |
| Escalation | Who to tell and how to stop an issue |
| Owner | The named person accountable for AI use |
Governance for AI agents specifically
Agents act, not just answer — they call tools, send messages and trigger workflows. Add three controls for any agent: a scope limit (what it is allowed to touch), a spend cap (agents burn 5–20x the tokens — see the calculator), and a kill switch (one person who can stop it instantly).
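As an added illustration (not code from this page or from any particular agent framework), the three agent controls can be enforced in one wrapper that every tool call passes through and that denies by default. The class name `AgentGuard`, the tool names `search_kb` and `send_email`, and the token figures are hypothetical.

```python
import threading

class GuardrailViolation(Exception):
    """Raised when a governance control blocks an agent action."""

class AgentGuard:
    def __init__(self, allowed_tools, token_budget):
        self.allowed_tools = frozenset(allowed_tools)  # scope limit: deny by default
        self.token_budget = token_budget               # spend cap for this run
        self.tokens_used = 0
        self._killed = threading.Event()               # kill switch, settable from any thread
        self._lock = threading.Lock()
        self.audit = []                                # decisions kept for escalation review

    def kill(self):
        self._killed.set()

    def call(self, tool_name, tool_fn, est_tokens, *args, **kwargs):
        with self._lock:
            # The kill switch is checked first so a stop overrides everything else.
            if self._killed.is_set():
                self._deny(tool_name, "kill switch engaged")
            if tool_name not in self.allowed_tools:
                self._deny(tool_name, "tool outside scope")
            if est_tokens < 0 or self.tokens_used + est_tokens > self.token_budget:
                self._deny(tool_name, "spend cap exceeded")
            self.tokens_used += est_tokens
            self.audit.append((tool_name, "allowed"))
        return tool_fn(*args, **kwargs)

    def _deny(self, tool_name, reason):
        self.audit.append((tool_name, "denied: " + reason))
        raise GuardrailViolation(f"{tool_name}: {reason}")

def demo():
    # Constructed sample run: one approved tool, a 1000-token budget.
    guard = AgentGuard(allowed_tools={"search_kb"}, token_budget=1000)
    steps = [("search_kb", 400), ("send_email", 100),
             ("search_kb", 700), ("search_kb", 400), ("KILL", 0), ("search_kb", 10)]
    outcomes = []
    for tool, cost in steps:
        if tool == "KILL":          # the accountable person stops the agent
            guard.kill()
            continue
        try:
            guard.call(tool, lambda: "ok", cost)
            outcomes.append("allowed")
        except GuardrailViolation as exc:
            outcomes.append(str(exc))
    return outcomes, guard.tokens_used, guard.audit

if __name__ == "__main__":
    print(demo())
```

A denied call leaves the budget untouched, and the audit list records every decision, which gives the escalation path something concrete to review.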
What changed in June 2026
- As over half of large enterprises ran agents in production, lightweight governance became a board-level expectation, not an afterthought.
- Spend caps on agentic workflows became a standard control after token-cost surprises.
- Approved-tools lists replaced blanket bans as the practical middle ground for staff AI use.
Putting this in place? Combine with the starter guide, the privacy checklist, and a clear view of what AI can't do.