I notice there is new AI tool worth trying almost every week, or is it everyday? Wait, did I just miss a new one while writing this post? Seems like it! The pace is relentless, and it is not slowing down. I have written about working at the speed of thought, where capability shows up faster than any of us can absorb it.
For any organization, that pace creates a quiet problem. You cannot, and should not, adopt every tool. You certainly cannot vet every tool. There is no practical way to track them all. And while leadership debates which ones matter, something is already happening on the ground.
Your people are using them.
Not because they are reckless. Because the tools are good, they make work better, and more likely, nobody told them not to. So they reach for whatever is closest, whatever a colleague mentioned, whatever showed up in their feed. They are doing it right now, while you read this.
The only thing you actually control is whether they are doing it with guardrails or without them.
The two defaults are both wrong
Most organizations land in one of two places. They are quietly banning AI, or they are pretending it is not happening. Which camp are you in? These feel like opposite responses, but they produce the same result. They push usage into the shadows, where there are no rules at all.
Here is the part executives miss. The ban is not the safe choice. The ban is the risky one.
When you forbid AI, you do not stop people from using it. You stop them from telling you they use it. You lose visibility, you lose the ability to set boundaries, and you lose the chance to teach anyone how to use these tools well. The risk does not go away. It moves somewhere you can no longer see it.
Silence does the same thing, just slower.
Governance is not the word that says no
Somewhere along the way, governance became a synonym for restriction. Sound familar? That is backwards.
Good governance does not have to say no. It is there to make the yes legible. Its job is to tell people, clearly, what they are allowed to do, as well as how, and where, so they can move forward without second-guessing every keystroke.
Because the thing that can really slow down a team is not rules. It is not knowing the rules. A clear yes is faster than a vague maybe. I make the case that governance, not capability, is the real rollout project, and this is the heart of it. The capability is the easy part. Telling your organization what to do with it is the work.
So we wrote our own
My company, Creospark, advises organizations on exactly this point. And while a cobbler’s kids needs shoes, we needed our own. We built our own AI governance document, and I want to share the thinking inside it, because the thinking matters more than the template.
Creospark is a Copilot-first organization. That is a deliberate choice, for real reasons, not least of which is we are a Microsoft services integrator. Even more important, Copilot sits inside our tenant, respects our data boundaries, and is the tool we trust and support first.
But Copilot-first does not mean Copilot-only. We refuse to be limited to a single toolset, and we refuse to be ignorant of everything else happening in this space. The rest of the field is moving too fast to ignore. The question was never whether to engage with other tools. It was how to do it on purpose.
That is what the tiers are for.
A tiered model, in plain terms
The structure is simple. The further a tool sits from our sanctioned core, the more the responsibility shifts to the person using it to protect the business.
Tier one is our fully supposed and approved AI tools, i.e. Copilot. Encouraged, supported, the default. Use it freely for the work in front of you.
Tier two is a small set of vetted tools we generally know and support, Claude among them. It also includes tools we are actively investigating, still evaluating whether to move to tier one. Approved, with care, not fully rolled out, has limits, request access with justification.
Tier three is everything else that is not outright banned. The general universe of AI tools. Allowed, but fenced. No NDA content, no client data, and no sensitive internal discussion in the prompts. Use personal accounts on these tools if you want. And do not install non-tier one (or tier two with approval) AI software on company machines.
Tier four is specifically banned tools. Full stop.
Notice what this is not. It is not a cage. It is a green light with edges drawn on it.
Tiers are encouragement, not control
This is the part I want executives to sit with. A tiered model is not about clamping down. It is about giving people a sanctioned way to try the new thing they were going to try anyway.
Someone on your team is going to read about a tool tomorrow and want to try it. With a tiered model, they already know where it fits and what the rules are. They can experiment, learn, and bring back what they find, inside lines everyone agreed to. Without one, they make a private judgment call about your company’s risk, alone, with no guidance.
Clarity is what speeds adoption. Ambiguity is the brake.
And none of this is fixed. The tools move, so the document moves. We revisit it, because a governance doc that does not change is already out of date.
The actual choice
So here is where I land.
Governance is needed. Not as a wall, but as a way to say yes, responsibly. Allow AI. Set the guardrails. Then watch what your people do with the room you gave them. We are still only in the warm up of this new AI marathon.
Your team is already using AI. That decision was made for you. The only decision still in your hands is whether they are doing it with guardrails or without them.
Allowed by default. Governed on purpose.
Speak Your Mind