The pattern is consistent across hundreds of programs we've seen:
This fails because governance without enforcement is theater. The policy is aspirational; the behavior is unchanged; the risk is unchanged; the audit exposure grows.
A working implementation inverts the order: start with discovery and enforcement, then write policy based on what you actually see.
Let's walk each phase.
Strac's browser extension pushes via Chrome Enterprise, Edge Group Policy, or Firefox Enterprise. The endpoint agent deploys via Jamf, Intune, Kandji, or any standard MDM. SaaS connections (Microsoft 365, Google Workspace, Slack, Salesforce) happen via OAuth.
Actual elapsed time: under 10 minutes. Your users see nothing — the extension and agent run silently in audit mode.
Over the first 72 hours, the platform establishes a full inventory:
Review the data with key stakeholders:
Publish the baseline to executive stakeholders. Expect reactions:
These reactions are the value of discovery. You now have data; opinions are now informed.
Deliverable: Shadow AI inventory report, data flow map, executive brief.
Now write the AI acceptable use policy — informed by actual data, not aspirational prohibitions. A good policy is pragmatic:
Avoid blanket prohibitions. "Employees may not use any generative AI" is unenforceable and actively harmful to productivity. Real policy enables AI with guardrails.
Route the draft through:
Distribute via:
Deliverable: Signed AUP, distributed to all employees, training completed.
Enforcement ramps incrementally. Skip the big-bang block announcement — it generates pushback and help-desk tickets without changing behavior smoothly.
Keep audit logging on; turn on warning modals for the highest-risk data categories:
When a user pastes one of these into a prompt, they see a modal: "This looks like [data type]. Policy says don't send this to ChatGPT. Continue anyway?" Most users cancel. A fraction proceed and are logged.
This phase is the learning layer. Users are educated in context; the policy becomes real.
Move PCI, PHI, and credentials from Warn to Block. The modal still appears but "Continue" is disabled. Legitimate exceptions go through a request workflow (manager + security approval).
Expected outcome: a 60–80% drop in sensitive data reaching AI tools. Shadow AI personal-account usage typically drops 50–70% as users migrate to sanctioned alternatives.
Extend enforcement to additional data types:
Different enforcement modes per team where needed: marketing has permissive policy on public content; finance blocks on PCI; healthcare redacts PHI by default.
Deliverable: Live enforcement across all sanctioned AI tools and all regulated data types.
Enforcement generates the raw evidence auditors care about. Days 76–90 wire that evidence into operational systems.
Configure log export from the AI governance platform into your SIEM (Splunk, Datadog, Sumo Logic, Elastic). Structured JSON events, OCSF-aligned where possible. Enable alerting on:
Generate the first monthly AI risk report:
Executives want three things: is this getting better? are we covered for audits? what's the biggest remaining risk?
Map the evidence to the frameworks your auditors care about:
A good AI governance platform generates this mapping continuously — you should be able to produce an auditor-ready report on demand, not assembled manually each quarter.
Deliverable: SIEM integration live, monthly executive report template, framework-mapped audit evidence package.
The 90-day plan gets you to operational AI governance. Beyond that:
Months 4–6: Expand coverage - Cross-SaaS DLP on tools feeding AI connectors (Slack, Jira, Zendesk, Salesforce, Google Drive, SharePoint, Box) - Copilot oversharing remediation (if M365 Copilot is deployed) - Custom detection patterns for company-specific data (matter IDs, project codenames, M&A codewords)
Months 6–12: Advanced scenarios - MCP DLP for agentic workflows - Vertical use cases (healthcare PHI redaction, financial PCI enforcement) - Regulatory audit cycles (SOC 2 Type II, HITRUST, PCI DSS annual)
Ongoing: Governance of governance - Quarterly policy review as AI tools evolve - New framework adoption (ISO 42001 certification, EU AI Act Article-specific compliance) - Board-level AI risk reporting cadence
From 50+ AI governance deployments, the patterns that derail programs:
Mistake 1: Starting with Block mode. Users flood the help desk, leadership reverses the policy, program credibility collapses. Start with Audit, then Warn, then Block.
Mistake 2: Writing policy before discovery. The policy drafted in a conference room is always disconnected from actual usage. Baseline first, draft second.
Mistake 3: One-size-fits-all policies. Finance, marketing, engineering, and customer support have different AI risk profiles. Per-team policies generate less pushback and tighter control.
Mistake 4: Treating this as IT-only. AI governance needs legal, HR, comms, and business leaders. A security-only program gets less buy-in and less adoption.
Mistake 5: Measuring the wrong thing. "Number of blocks" is a lagging indicator. "Time-to-policy from new AI tool detection," "shadow AI trend," and "audit-ready framework coverage" are leading indicators.
If you want to skip the theory and see what a 90-day AI governance implementation looks like in practice — book a 15-minute demo. We'll walk through shadow AI discovery, the enforcement rollout sequence, and the evidence package, with your specific regulatory profile in mind.
Related reading: What Is AI Governance? · AI Usage Governance vs Model Governance · Best AI Governance Tools · ChatGPT Security Risks · Microsoft Copilot Security
With a modern AI governance platform, a complete implementation takes about 90 days — 15 days for discovery, 30 for policy development, 30 for enforcement rollout, 15 for evidence wiring. Platform deployment itself is under 10 minutes with Strac. The 90 days are almost entirely policy, stakeholder alignment, and rollout sequencing — not technology.
Shadow AI discovery. Before writing any policy, deploy an endpoint agent and browser extension in audit mode. Run 7–15 days to establish what AI tools your employees actually use, with what data, on what accounts. Most organizations discover 3–5× more AI usage than IT believed existed. That baseline informs every subsequent decision.
No. Deploy the tool in audit mode first, baseline actual behavior, then write the policy based on data. Organizations that write policy before deployment end up with aspirational rules disconnected from actual usage patterns, and those policies are generally unenforceable. Deploy → baseline → policy → enforce.
Typically the CISO owns technical implementation (discovery, enforcement, SIEM integration). GRC owns policy and evidence. A cross-functional AI council makes strategic decisions (which tools to sanction, policy exceptions, escalations). Some organizations appoint a Chief AI Officer to span all three. What matters is that technical enforcement actually happens — not just policy and documentation.
Leading indicators: shadow AI trend (decreasing), time-to-policy for new AI tools, percentage of users on sanctioned vs personal accounts, framework coverage for audits. Lagging indicators: incidents prevented, audit findings reduced, regulatory citations avoided. Don't over-rely on "number of blocks" — that number going up or down depends on factors beyond governance effectiveness.
Compress the 90-day plan. Deploy the platform day 1 (under 10 minutes). Run audit mode days 1–10 to establish the evidence baseline. Enable warn + block modes days 11–20 to demonstrate operational controls. Days 21–30: wire SIEM, generate the framework-mapped evidence package, rehearse the auditor walkthrough. You won't have 90 days of historical data, but you will have operational governance and evidence of a 30-day active program — which is better than most organizations going into their first AI-scoped audit.
.avif){kind=icon}
.gif)
.webp)
