In my last instalment, I moved from basic information and concepts to strategy and tactics, focusing on the process to follow for a successful AI pilot. This time I am diving into guardrails and governance. Acceptable AI use requires oversight of use cases, proper data sharing, and re-architected workflows. These are critical components of adoption and a mandatory part of navigating your next steps safely and productively.
Non-negotiable Guardrails
As I alluded to in previous posts, indiscriminate use of AI can lead to problems. To prevent them, you need to put rules and boundaries in place. As a starting point, consider the following as absolutes.
Training. Nobody should be using AI in a production environment without first completing basic training. This could be as little as 2 or 3 hours of videos covering practices like effective prompt engineering, data usage and validation. A short list of approved resources, with links to materials from both LLM providers and third parties, should be made broadly available.
Data classification. For anybody using AI tools, you need to be explicit about the rules concerning data use, and you must enforce them. Public data is anything already in the public domain (e.g. your website or sales brochures) and can be fed to consumer versions of LLMs. Internal data, which may be sensitive but is not regulated, should be used only with paid tools that come with formal data protection agreements; this might include drafting emails or internal memos, or creating presentations. Restricted data includes anything containing personally identifiable information (PII), such as customer or employee data, as well as company financials, classified documents and intellectual property (IP). This is off-limits unless the data never leaves your own secure servers.
Human-in-the-Loop (HITL) Mandate. This has to be non-negotiable during the early adoption of AI, and likely for the foreseeable future. AI-generated content should not be used in any way without first being reviewed and approved by a human with the appropriate authority and accountability. Failure to do this should be treated like any other policy violation that puts the business or its customers at risk. It’s that serious.
Version Control and Reproducibility. As we saw in part 2, different LLMs will produce different outputs from the same prompt. The same model, given the same prompt, may even produce a different output on a different day. This illustrates the need to document both the input prompts and the AI outputs. If AI has been used to support a decision, save the original interaction with the LLM in a secure folder. If challenged, you’ll have the record to explain it.
Vendor and Tool Approval. Read the terms of use and data ownership carefully. What are the vendor’s policies regarding use of your data? Will they use it to train their model? Are they trustworthy? Additionally, for production purposes, employees should be restricted to approved tools only; free models should be reserved for learning, experimentation and understanding how the tools differ.
Governance – Sponsors, Leads and Decision-Makers
This part is about people and metrics. Every AI initiative that you undertake needs a sponsor, an execution lead and a final decision-maker. In very small SMBs these could be the same person – for example, the owner. In larger ones, it is best for them to be different people with the appropriate skill sets. Clearly defined metrics and verifiable measurement systems should be used to ensure that decision-making is supported by data, not just gut instinct.
Accountability. The AI Sponsor defines the "why" – articulating the problem, justifying the budget and resource requirements, and quantifying the cost of inaction. The Execution Lead addresses the "how" – the technical steps, scheduling and necessary tools. The Decision-Maker must be a senior leader who can terminate the pilot if it isn’t working and, at the end, provide an objective business-case evaluation of the outcomes and decide go or no-go on next steps.
Monitoring. Progress should be visible to all stakeholders through a shared tracking tool and weekly 20-minute stand-up reviews. This enables more effective collaboration, learning and early insight into potential stumbling blocks or bottlenecks. In particular, costs need to be well understood and controlled if the pilot has the potential to scale into larger production usage.
Maximizing Benefits. In the example from my last post, the marketer was expecting to save 5 hours per week by using an LLM to assist with content creation and editing. That raises the question – “How should this time be effectively re-applied?” One suggestion was to focus on the separate problem of converting a larger share of website browsers into actual customers. This is only one possibility, and it needs to be evaluated against alternative priorities to determine whether it is the best one. The key is to find ways for the pilot to add incremental value, not to assume that your marketer will fill that space productively.
Quality & Ethics. A particular model may exhibit bias, as a result of the data that it was trained on or the algorithms it uses. While HITL (above) is intended to catch inappropriate or invalid outputs, there needs to be an intentional review of this, especially before scaling occurs. If significant bias, hallucinations or errors are observed, and the problem cannot be corrected quickly, stop using that AI system and revert to manual processes until these issues are resolved.
Assessment. At the end of each 90-day pilot, a full debrief needs to take place to document the outcomes achieved, the return on investment and the lessons learned. Answers are needed to questions such as: Did we hit our target? If not, can we explain why? What could we have done differently? Is there another use case we should consider? Were there other, unanticipated benefits? (For this last question, the decision on how to apply those extra 5 hours, and the outcomes achieved from it, should be documented.) Answering these questions will be the starting point for an AI playbook that can be applied to future projects and set the stage for more advanced usage.
Summary
This framework – Process, Guardrails, Governance – is designed to be a simple, fast, inexpensive way to move from strategic inertia to strategic adaptation, safely and with some structure. Pick a problem, run a 90-day pilot, evaluate the results ruthlessly, and decide. The time to get started is now.
Join me again next time when I tackle agentic AIs and APIs. The promise of safe, reliable and predictable automation, at scale, is where operational benefits start to yield true competitive advantage. I hope you’ll stay with me for that discussion.
© 2026 by Roy Gowler. All rights reserved.
This article was originally published in December 2025 and posted on Medium.com. As its author, I have updated it and posted it to my own website to increase visibility and reach.