AI governanceexplained.
Plain-language answers to the questions that come up early: what governance actually is, what's in it, and what Cooperance builds.
The basics.
What is an AI governance policy?
It's the rulebook that tells your team what they're allowed to do with AI, what data they can put into which tools, and what happens when something goes wrong. Most organizations don't have one. Staff are already using AI daily (ChatGPT, Copilot, whatever's in their browser), and leadership usually finds out after the fact, if at all.
A real governance policy answers three questions for every employee: What tools can I use? What data am I allowed to put into them? Who do I ask when I'm not sure? Without it, everyone makes that call themselves, inconsistently, with no record of what was decided.
Why does an organization need one if nothing's gone wrong yet?
Nothing visible has gone wrong, which is different from nothing having happened. The pattern in most organizations we assess is consistent: more AI tools in daily use than anyone approved, client or employee data flowing into tools with no rule governing it, and often at least one system quietly making decisions about people (screening resumes, flagging performance, ranking candidates) with no human check on it. Every ungoverned week adds decisions nobody can account for later.
Isn't the simplest fix just to block AI tools?
No, and it doesn't work anyway. Employees who are blocked from AI tools tend to find workarounds, which means the risk doesn't go away, it just goes underground and out of sight. Governance isn't about saying no. It's a green light with clear boundaries: here's what's safe, here's what isn't, here's who to ask about the gray areas. Staff get to use AI (which they're going to do regardless), and the organization gets a defensible, documented answer when a client, insurer, or auditor asks how AI is handled.
Who inside an organization usually owns this?
Whoever got handed the “figure out AI” mandate: often the COO, an operations lead, sometimes IT, sometimes a founder directly. It rarely has a natural home yet, because most organizations haven't needed a policy owner for AI before. Part of what a governance engagement does is establish who that owner is going forward and hand them a system they can actually run.
What's actually inside a governance policy.
A data classification framework
The foundation everything else depends on. Every piece of information gets a rating: Green (fine anywhere), Yellow (business-sensitive, needs an approved tool), or Red (restricted, needs the most care). This is the single idea that makes everything else usable: staff don't need to memorize a complicated matrix, they just need to know what color their data is and what that color allows.
An acceptable use policy (AUP)
The central policy document. What tools are approved, what data classification rule applies, that personal or consumer accounts aren't allowed for company work, and that any AI use affecting a person (hiring, performance, discipline) needs a human checking it, not just the algorithm.
An approved-tool process
A living list of which AI tools are cleared for use, and to what data level each one is cleared for. New tools go through a short evaluation before they're added. This is what lets an organization say yes to new tools quickly and safely, instead of either banning everything or approving nothing.
Incident response procedures
What happens when something goes wrong: someone pastes the wrong thing into the wrong tool, a vendor's AI use turns out not to be vetted, a near-miss happens. A clear, non-punitive process for reporting and responding, with severity tied to what data was involved.
A human-in-the-loop requirement for people-affecting AI
Any AI use that screens, ranks, or informs a decision about a person needs a documented human review process (often called a Human Rights AI Impact Assessment, or HRIA). This is the part regulators and human rights bodies increasingly expect to see, and the part most informal policies skip entirely.
Third-party and vendor requirements
The bar any vendor, subcontractor, or partner has to clear if they're using AI on the organization's work or handling its data. Most data exposure doesn't happen through employees, it happens through vendors nobody vetted.
Training content the organization's own team can use
Policy nobody understands doesn't get followed. The training materials (documents and short videos) are what turns a policy binder into something staff actually apply, and they're built so the organization's own team delivers the rollout, not an outside consultant standing in front of the room.
Operating registers
Running records: a log of tool requests, an incident register, an exception log, a decision log. Not exciting, but this is what lets an organization answer “how do we handle this” a year from now without having to remember, and what a procurement team or auditor wants to see when they ask “can you show me you're actually doing this.”
About Cooperance.
What does Cooperance actually do?
Cooperance builds an organization's complete AI governance system, then hands it off. The client's own team runs it afterward: classifying their own systems, approving new tools, running their own rollout. Cooperance doesn't operate the system on an ongoing basis, and it doesn't pick the client's tools (tool-agnostic by design, we give the criteria, the client keeps the choice).
What are the two products?
Governance Audit (two to four weeks, fixed scope, fixed price): a survey-driven shadow-AI discovery. The whole team answers a short survey, and the client gets a plain-language findings memo on where AI is actually being used, what data is exposed, and whether the full build makes sense. The fee counts toward the Engagement if the client continues.
The Engagement (eight to twelve weeks, fixed scope, fixed price): the full governance system described above, built and handed off, with training content the client's own team rolls out.
Both are fixed-scope and fixed-price. No hourly billing, no open-ended retainers. Take the free assessment for an honest read on where you stand, or book a call to talk pricing.
How is this different from what a client's IT provider, MSP, or lawyer could do?
IT keeps systems running and secure, it isn't usually in the business of writing policy or building training content, and Cooperance works alongside IT rather than replacing it (in fact, a lot of referrals come from MSPs whose clients ask them governance questions they don't want to take on). Legal counsel should review the final policy, and that's explicitly the client's own lawyer's job, not Cooperance's. What Cooperance builds is the operational policy: the day-to-day rules a person applies on a Tuesday, not a legal defense document.
Who is this a fit for?
Organizations where AI adoption is already happening (which is nearly everyone) and leadership wants to lead it rather than chase it. Usually mid-sized, usually the operations lead, COO, or whoever got handed the AI mandate. Not a fit for someone who wants custom software built, a specific tool recommended, or a two-week fix with no involvement from their own team.
What happens after the engagement ends?
The client's team runs governance independently from there, with a 30-day check-in included and a self-maintenance review template for keeping the policy current on a roughly six-month cycle. For organizations that would rather not carry that upkeep themselves, an optional annual maintenance subscription keeps the system current (regulatory-change briefings, tracked updates to their own documents) without Cooperance ever operating the client's system for them.
Where does your team stand?
See your place on our free AI Readiness Spectrum Assessment, no call required.