andreisfnt/ai-governance-framework
Enterprise AI Governance Framework

Most organizations are adopting AI faster than they are governing it. I built this repository because I kept seeing the same failures repeat: tools deployed before data was classified, policies written after incidents happened, IT teams asked to govern something they were never part of approving.

This is practical AI governance for real-world enterprise environments. Not AI ethics theory. Not vendor marketing. The operational questions about enablement, security, compliance, and user behavior - in the environments where they actually collide.


The pattern I keep seeing

A business unit discovers Copilot or ChatGPT, finds it useful, and starts using it. Sometimes on personal subscriptions. Sometimes with sensitive data in the prompt. By the time IT finds out, adoption is already widespread.

The IT team is then asked to govern something retroactively - without a policy, without visibility into what data has already gone where, and without a clear mandate from leadership. The choice at that point is between restriction (which fails because users resist losing tools they depend on) and accepting the risk (which fails for obvious reasons).

The organizations that handle this well share one thing: they got to the governance conversation before the tools arrived. This framework is designed to help you get there first - or to recover the situation if you didn't.


Governance lifecycle

```mermaid
flowchart TD
    A([AI tool identified\nor requested]) --> B[Readiness assessment\nIs the org ready?]
    B --> C{Gaps found?}
    C -- Yes --> D[Close gaps:\ndata classification,\naccess controls, policy]
    D --> B
    C -- No --> E[Risk assessment\nper tool / platform]
    E --> F{Risk level}
    F -- High --> G[Reject or\nrestrict to sandbox]
    F -- Medium --> H[Conditional approval\nwith defined controls]
    F -- Low --> I[Approved]
    H --> J[Governance policy\nand rollout plan]
    I --> J
    J --> K[Controlled rollout\nto defined user group]
    K --> L[Monitor usage\ndetect shadow AI]
    L --> M[Periodic review:\nexpand, restrict, or reassess]
    M --> E
    G --> N([Revisit when\nconditions change])
```

Framework contents

The four core components are designed to be used sequentially for a first rollout, or independently when addressing a specific gap.

| Step | Component | Purpose |
|------|-----------|---------|
| 1 | AI Adoption Readiness Checklist | Assess whether your organization is ready to adopt AI responsibly before committing to a platform |
| 2 | AI Governance Policy Template | Establish the policy foundation: what is allowed, what is not, and under what conditions |
| 3 | AI Risk Assessment Framework | Evaluate specific AI tools and platforms before approval and deployment |
| 4 | Shadow AI Mitigation Guide | Identify, assess, and migrate unauthorized AI usage to approved solutions |

Microsoft 365 and Copilot

Practical AI governance for Microsoft 365 environments - the data classification dependencies, SharePoint permission realities, Copilot readiness gates, and the governance gaps that make enterprise Copilot deployments fail silently.

| Document | Purpose |
|----------|---------|
| Copilot Readiness Checklist | Gate checklist covering identity, classification, permissions, DLP, audit, and policy: what has to be true before Copilot is enabled |
| Data Classification Before Copilot | Why sensitivity labels and DLP are prerequisites, not a parallel workstream, and what happens when organizations skip this |
| Tenant Governance Maturity Model | Six-dimension maturity model for M365 tenant governance with Copilot enablement gates at each level |

Field notes

Practitioner observations from real AI governance work. Opinionated. Based on what I have seen work, what I have seen fail, and why.

| Document | Topic |
|----------|-------|
| The tools are already in the building | Shadow AI is not a future risk: by the time governance starts, adoption has already happened |
| Later never arrives | Why "we'll govern it later" is a decision, not a deferral, and what accumulates while you wait |

Who this is for

IT managers, IT operations leads, and security leads responsible for enterprise AI rollout. Specifically useful in:

  • Organizations adopting AI for the first time at an enterprise level and trying to do it right from the start
  • Security-sensitive environments where data classification and access controls are not optional
  • Organizations that have discovered fragmented or unauthorized AI usage and need to recover the governance situation
  • IT teams that need a credible policy and process foundation before going to the business or to procurement

Principles

Governance before tooling. The choice of AI platform matters less than having clear rules for how it is used, who can use it, and what data can go into it. A well-governed ChatGPT deployment is safer than a poorly governed Copilot one.

Prohibition without alternatives fails. Telling employees they cannot use tools they already find useful, without offering a governed path, accelerates shadow AI. The goal is migration to approved solutions, not prohibition.

Usability is a governance requirement. A policy that users work around is not a policy - it is a false assurance. Governance that ignores the productivity case will lose. Every control needs to be justifiable to the person it constrains.

Auditability is not optional. In any environment with regulatory obligations or elevated security requirements, you need to be able to answer: who used AI, for what, with what data, and when. If your current setup cannot answer those questions, it is not enterprise-ready.

The security vs. productivity conflict is real - acknowledge it. Security teams want to restrict. Business units want to enable. IT sits in the middle. Pretending this tension does not exist produces policies that satisfy neither side. The framework has to hold both.


Maintained by Andrei Pasca  ·  pascaadvisory.nl

About

Enterprise AI governance framework - adoption readiness, governance policy, risk assessment and shadow AI mitigation
