Most AI governance work in People functions starts with a fear and ends with a policy nobody reads. The fear is real — bias, leakage, EU AI Act, candidate complaints, employment tribunals. The policy is real too. It exists in a Notion page nobody opens after the day it was written. In between, the actual decisions about what AI does inside the People function are being made by individuals, in private, one prompt at a time.
That is the gap. Not "do we have a policy" but "does the policy meet the work." For the policy document itself, see the AI policy blueprint. This piece is about the operating posture underneath it.
Governance is steering, not braking
The instinct, especially under regulatory pressure, is to treat governance as a brake. Slow things down. Add approvals. Require sign-off. The result is predictable: the work routes around the policy. People still use AI. They just stop telling you about it.
A governance system that works treats the question differently. It asks: where, in this function, does AI need to be in the loop at all? Where may it assist, with a human making the decision? Where is it forbidden? Where is the line, and who holds it?
Steering. Not braking.
The four boundaries that matter
For a People function, there are four boundaries worth setting before anything else. They are not the whole policy. They are the spine that the rest hangs on.
1. Decisions a model never makes alone
Hiring decisions. Termination decisions. Performance ratings. Compensation calls. Reasonable adjustments and accommodations. Discipline outcomes. These are the places where the consequence of a wrong call is high, the data is messy, and the bias risk is concentrated. The model can prepare, summarise, suggest, draft. The model never decides. A named human does. Always.
Write that list down. Put it at the top of the policy. Everything else is detail.
2. Data the model never sees
Health information. Disability status. Salary detail tied to identity. Grievance content. Anything covered by special category data under GDPR. Anything covered by an NDA. Anything that, if it leaked, would damage trust permanently.
The way this gets enforced is rarely "we trust people not to paste it." It is configuration. Approved tools that route to enterprise endpoints with no training. Workflows that strip identifiers before the model sees them. A short list of providers, not a long one.
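One way to make the "strip identifiers before the model sees them" step concrete, as an added example that is not the article's own tooling: a pre-model gate that pseudonymises identifiers with a keyed hash (so the model can still refer to the same person consistently, but the mapping back to real people stays on the People team's side) and refuses outright to forward any prompt that mentions special-category or grievance content, since that data is blocked rather than redacted. The identifier formats, the blocked-term list and the per-workflow key are assumptions for illustration; a real deployment uses the organisation's own ID formats, a reviewed term list, and a key from a secrets store.

```python
"""Pre-model scrubbing gate, added example (not the article's own tooling).

Assumptions: identifier formats (internal employee IDs, UK National Insurance
numbers, e-mail, UK phone numbers) and the blocked-term list are illustrative;
a real deployment uses the organisation's own formats, a reviewed term list,
and a key held in a secrets store.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Identifier patterns to pseudonymise (constructed, illustrative formats).
IDENTIFIER_PATTERNS = (
    ("EMAIL", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("EMPID", re.compile(r"\bEMP-\d{5,6}\b")),          # assumed internal ID format
    ("NINO", re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b")),     # UK National Insurance number shape
    ("PHONE", re.compile(r"\b(?:\+44|0)\d{9,10}\b")),
)

# Content that must never reach the model at all (boundary 2): block, do not redact.
BLOCK_TERMS = ("diagnosis", "sick note", "disability", "grievance", "pregnan", "trade union")


@dataclass
class ScrubResult:
    text: str                                    # what may be sent to the model
    mapping: dict = field(default_factory=dict)  # token -> original; stays local, never sent
    blocked_on: list = field(default_factory=list)

    @property
    def allowed(self) -> bool:
        return not self.blocked_on


def _token(kind: str, value: str, key: bytes) -> str:
    # Keyed hash: stable within a workflow so the model can refer to <EMPID_...>
    # consistently, but not reversible and not correlatable across workflows
    # that use different keys.
    digest = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:8]
    return f"<{kind}_{digest}>"


def scrub(text: str, key: bytes = b"per-workflow-key-from-secrets-store") -> ScrubResult:
    """Pseudonymise identifiers and refuse prompts that carry blocked content."""
    lowered = text.lower()
    blocked = [term for term in BLOCK_TERMS if term in lowered]
    mapping: dict = {}
    out = text
    for kind, pattern in IDENTIFIER_PATTERNS:
        def replace(match, kind=kind):
            token = _token(kind, match.group(0), key)
            mapping[token] = match.group(0)
            return token
        out = pattern.sub(replace, out)
    return ScrubResult(out, mapping, blocked)


def restore(model_output: str, mapping: dict) -> str:
    """Re-insert the originals into the model's reply, on the People team's side."""
    for token, original in mapping.items():
        model_output = model_output.replace(token, original)
    return model_output


if __name__ == "__main__":
    # Constructed sample prompts.
    prompt = ("Draft a reply to EMP-123456 (jane.doe@example.com, NI AB123456C) "
              "about her holiday request.")
    result = scrub(prompt)
    print(result.text)          # identifiers replaced by <EMAIL_...>, <EMPID_...>, <NINO_...>
    print(scrub("Summarise the grievance raised by EMP-123456.").blocked_on)
```

The gate sits between the approved tool and the endpoint, so enforcement does not depend on anyone remembering not to paste. Only `restore` ever sees the mapping, and only after the output has had its human review.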
3. Outputs the human must always check
Anything that goes to a candidate. Anything that goes to a regulator. Anything that goes into an employment record. Anything that becomes a written commitment. Generated content is not the artefact. The reviewed artefact is. The discipline of the review is what makes the speedup safe.
4. Logging that actually exists
If the team is using AI in the work, you should be able to answer four questions in under five minutes:
- Which workflows use a model?
- Which model, and where does it run?
- Where is the prompt and output history?
- Who is accountable for each workflow?
If you can't, you don't have governance. You have aspirations.
What good looks like inside the team
Governance lives or dies in the daily texture, not the policy doc. The People functions that get this right tend to look the same from inside.
There is a single page — usually a one-pager, not a deck — that lists every AI workflow the team uses. The owner. The model. The data it touches. Whether it is in pilot, live, or retired. It is updated by the people who run the workflows, not by a central function.
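The one-pager above and the four boundaries before it can be checked mechanically. As an added example that is not the article's own tooling, the following reads a workflow register kept as CSV (a constructed sample, with assumed column names and category labels) and reports, per workflow, which of the four logging questions it cannot answer, whether the model sees a forbidden data category, whether it runs somewhere other than an approved enterprise endpoint, and whether it touches a human-only decision without a named human deciding.

```python
"""Policy-as-code check over the AI workflow register, added example (not the
article's own tooling).

Assumptions: the register is the team's one-pager kept as CSV with the columns
below, and the labels in the 'data' and 'decisions' columns are the team's own
vocabulary. Both are illustrative.
"""
import csv
import io

# Boundary 1: decisions a model never makes alone.
HUMAN_ONLY_DECISIONS = {"hiring", "termination", "performance_rating",
                        "compensation", "adjustments", "discipline"}
# Boundary 2: data the model never sees.
FORBIDDEN_DATA = {"health", "disability", "salary_identified", "grievance",
                  "special_category", "nda"}
# Boundary 4: the fields that answer the four questions.
REQUIRED_FIELDS = ("owner", "model", "runs_at", "log_location")
# Assumed label for an enterprise endpoint with no training on submitted data.
APPROVED_RUN_LOCATIONS = {"enterprise endpoint (no training)"}

# Constructed register: one row per workflow, set-valued columns are ';'-separated.
REGISTER_CSV = """\
name,owner,model,runs_at,log_location,data,decisions,human_decides,status
cv_screen_summary,ops-lead,gpt-4o,enterprise endpoint (no training),s3://hr-ai-logs/cv_screen,cv_text;role_profile,hiring,yes,live
exit_interview_themes,hrbp-north,claude-3-5-sonnet,enterprise endpoint (no training),,exit_notes;grievance,,no,pilot
comp_band_suggest,,gpt-4o,consumer chat app,,salary_identified,compensation,no,live
"""


def parse_register(text: str) -> list:
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["data"] = {d for d in row["data"].split(";") if d}
        row["decisions"] = {d for d in row["decisions"].split(";") if d}
        row["human_decides"] = row["human_decides"].strip().lower() == "yes"
    return rows


def check(workflow: dict) -> list:
    """Return the findings for one workflow; an empty list means it passes."""
    findings = []
    if workflow["status"] == "retired":
        return findings
    for name in REQUIRED_FIELDS:
        if not workflow[name].strip():
            findings.append(f"missing {name}: one of the four questions has no answer")
    if workflow["runs_at"].strip() and workflow["runs_at"] not in APPROVED_RUN_LOCATIONS:
        findings.append(f"runs at '{workflow['runs_at']}', not an approved enterprise endpoint")
    for category in sorted(workflow["data"] & FORBIDDEN_DATA):
        findings.append(f"model sees forbidden data category '{category}'")
    for decision in sorted(workflow["decisions"] & HUMAN_ONLY_DECISIONS):
        if not workflow["human_decides"]:
            findings.append(f"'{decision}' decision has no named human deciding")
    return findings


def audit(register: list) -> dict:
    return {wf["name"]: check(wf) for wf in register}


if __name__ == "__main__":
    for name, findings in audit(parse_register(REGISTER_CSV)).items():
        print(name, "OK" if not findings else findings)
```

Run it before each monthly or quarterly review and the walk-through starts from a list of open findings rather than from memory. The check is deliberately strict about empty fields: a workflow nobody can answer the four questions for is the one the review most needs to see.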
There is a regular review, monthly or quarterly. Short. The owners walk through what their workflow has done, what it nearly did wrong, what they are changing. New workflows are added. Old ones are retired. The review is boring on purpose. Boring is the goal.
There is a named person — usually the operations lead, sometimes the CPO, sometimes a senior HRBP — whose job includes "the AI is in good order." Not "the AI strategy." The order of it. The hygiene.
And there is a culture, slowly built, where surfacing a near-miss is a gift to the team, not a confession. The first time someone says "I almost let the model send that" and gets thanked instead of investigated, the system starts to actually work.
The trade you are making
Governance done well is a small tax on speed in exchange for a large reduction in tail risk. That trade is almost always worth it inside a People function, because the tail risk is not financial — it is trust. A People team that loses the trust of the company because the model said something it shouldn't have, or saw something it shouldn't have, takes years to recover.
The teams that move fastest with AI are not the ones with the loosest policies. They are the ones who decided early, in writing, what they would never let the model do — and then went hard on everything else.
Governance is the steering wheel. With it, you can drive at speed. Without it, the question of how fast you go becomes academic.
What this connects to
- Measuring AI value in People Ops
- People debt: what GenAI exposes, and what to do about it
- AI workspace setup for People teams (Claude, ChatGPT, Copilot)
- Designing the AI-native People team