AI Governance

The One-Page AI Governance Framework (Even in Regulated Industries)

Anar Agency · July 15, 2026 · Field-tested operator guidance
Effective AI governance is five decisions written down: what data may enter which tools, who may use which capabilities, how output quality is checked, what spend is authorized, and who is accountable when something goes wrong. If your framework does not fit on one page, it will be ignored; if it does not exist, it will be improvised badly.

Governance is five decisions, not fifty pages

Data boundaries. Classify once: green (any approved tool), yellow (enterprise tools with contractual data protection only), red (never leaves controlled systems). Every future question reduces to which bucket.

Access. Which roles get which capabilities. Read-widely, write-narrowly is the default that survives contact with reality. Log writes.

Evaluation. Every production AI workflow names its owner and its check: sampled human review, regression cases, tripwire metrics. Unevaluated workflows are pilots, and pilots do not touch customers.

Spend. Budgets and caps per team, visible weekly. Runaway cost is a governance failure before it is a finance problem.

Accountability. A human owns every agent's output, the same way a manager owns a report's output. No orphan automations.

ONE PAGE1. DATA - green / yellow / red buckets2. ACCESS - read wide, write narrow3. EVALUATION - every workflow names its check4. SPEND - caps and weekly visibility5. ACCOUNTABILITY - a human owns every output
If a governance question does not fit under one of the five decisions, it is usually not a governance question.

Regulated industries: constraint as clarity

Healthcare, finance, insurance, and law adopt AI successfully by inverting the question: instead of "can we use AI?", ask "which of our workflows have no regulated data in them at all?" Marketing drafts, internal documentation, code without PHI or PII, research synthesis: there is usually a wide green zone that requires no regulator conversation whatsoever.

For the regulated zone, your existing compliance machinery is the asset, not the obstacle: the same access controls, audit logs, and review chains that govern human work extend to machine work. Regulators do not require that AI be absent; they require that accountability be present.

One rule keeps you safe in every jurisdiction: a human owns every consequential output, and the log can prove who.

Framework: The Five-Decision Page

Write five headings on one page: Data (green/yellow/red), Access (who gets what), Evaluation (every workflow names its check), Spend (caps and visibility), Accountability (a human owns every output). If a governance question does not fit under one of the five, it is usually not a governance question.

Rolling out coding agents without leaking the company

Coding tools (Claude Code and peers) deserve their own checklist because they touch source code, credentials, and infrastructure. Enterprise accounts only, with training-data exclusion in the contract. Repository access scoped per team, never org-wide by default. Secrets out of repositories entirely so there is nothing to leak. Agent-written code enters through the same pull-request review gate as human code. Spend caps per seat. A kill switch someone actually knows how to use.

None of this is exotic; it is your existing engineering hygiene applied to a faster contributor. Teams with weak hygiene discover that the agent did not create the risk, it accelerated the discovery of it.

Making it stick

Publish the page. Name the owner. Review it quarterly against incidents and new tools. Tie exceptions to the ask-first contact rather than to silence. Governance that lives in a shared document people have actually read beats a policy portal nobody visits.

Questions executives ask

What should an AI governance framework include?

Five decisions: data classification for AI tools, role-based access, mandatory evaluation for production workflows, spend caps with visibility, and named human accountability for every agent's output. One page, one owner, quarterly review.

Can regulated companies use AI safely?

Yes. Start in the green zone (workflows with no regulated data), extend existing compliance controls to machine work in the regulated zone, and keep a human accountable and logged for every consequential output.

How do we roll out AI coding tools securely?

Enterprise accounts with training exclusion, per-team repository scoping, secrets out of repos, agent code through normal PR review, per-seat spend caps, and a practiced kill switch. Standard engineering hygiene, applied to a faster contributor.

Talk it through in 15 minutes

Bring one AI question from this article. We will tell you what we would do, whether or not you hire us.

Book a 15-Min Chat →