A 200-person company does not need a 40-person AI Center of Excellence. It does need defined policy, a small set of controls, and a review gate that runs without becoming the team that says no to everything. Most mid-market companies we work with overcorrect in one of two directions: either ignoring governance until a procurement question forces a panicked rewrite, or building a process so heavy that no AI ever ships.
Below is the minimum viable governance stack we recommend. It is deliberately small, designed to be assembled in 6–10 weeks, and shaped to survive the kind of procurement and audit questions enterprise buyers actually ask in 2026.
The five components
- An AI policy that defines what is and is not allowed.
- An AI inventory that lists every model, agent, and copilot in use.
- A risk classification scheme that puts each system in a tier with corresponding obligations.
- A review gate that approves new uses, with named roles and a published SLA.
- An incident process for when something goes wrong.
That is the whole stack. Five components, each less than 10 pages of documentation in its mature form, none requiring net-new headcount in most organisations.
Component 1 — The AI policy
A single document, approved by the exec team, that defines:
- What categories of AI use are allowed without review (e.g. coding copilots on non-sensitive code).
- What categories require review before use (e.g. customer-facing copilots, models that make automated decisions).
- What categories are prohibited (e.g. real-time biometric ID, social scoring).
- How customer data may be used with AI (anonymisation, residency, retention).
- The principles the organisation commits to (transparency, fairness, human oversight, accountability).
Length: 6–10 pages, written in plain language. The audience is your team, not a regulator. It will be referenced by employees, customers, and procurement teams — so it must be readable, not lawyer-bait.
Component 2 — The AI inventory
A single source of truth — a spreadsheet, an Airtable, or a row in a compliance tool — that lists every AI system in use. Each row captures:
- System name and one-line description
- Owner (named individual) and accountable executive
- Risk tier (see component 3)
- Foundation model(s) and provider
- Data inputs and outputs, including PII status
- Date of last review
- Status (active, sunset, prohibited)
The inventory must be discoverable internally. The biggest predictor of governance failure is shadow AI — teams using ChatGPT/Claude/Copilot without anyone in the centre knowing. Run a quarterly survey to catch these and add them.
Component 3 — Risk classification
Adopt a four-tier scheme, mapped loosely to the EU AI Act’s structure:
- Tier 1 — Prohibited. Social scoring, biometric mass surveillance, emotion recognition in workplace/school, exploitation of people's vulnerabilities. Disallowed regardless of business case.
- Tier 2 — High risk. Automated decisioning in employment, credit, insurance, healthcare, education. Requires the full governance pack: documentation, human oversight, monitoring, audit logging, conformity assessment.
- Tier 3 — Limited risk. Customer-facing AI, content generation, chatbots, recommendation systems. Requires transparency (users know they are interacting with AI), monitoring, and a refresh review at least annually.
- Tier 4 — Minimal risk. Internal productivity copilots, coding assistants, spam filters, search. Approved at team level under standard data-handling policies. No central review needed.
Most of your AI use will be Tier 3 or 4. Optimise the governance load accordingly — heavy controls on Tier 2 only, light touch on Tier 4.
Component 4 — The review gate
A standing committee that meets every two weeks. Members:
- An executive sponsor (CTO, CIO, or COO)
- The DPO or privacy lead
- The information security lead
- An engineer (rotates each quarter)
- A business representative (rotates by use case)
The committee reviews:
- New AI use cases (Tier 2 and Tier 3) before they go live
- Annual refresh of existing Tier 2/3 systems
- Vendor/model changes that affect classification
- Incidents and follow-up actions
Publish a service-level commitment: “Tier 3 reviews completed within 10 business days of submission, Tier 2 within 20.” A governance team without a published SLA becomes a bottleneck and gets routed around. With one, it becomes a service.
Component 5 — The incident process
Define what counts as an AI incident — at minimum, anything where the system produced unexpected harmful output, behaved outside policy, or was the subject of a customer or external complaint.
For each incident:
- Triage within 4 business hours
- Decide containment: pause, roll back, or continue with monitoring
- Investigate root cause within 5 business days
- Document in a register, regardless of severity
- Review the register quarterly for patterns
The register matters more than any individual incident. It is what tells the executive sponsor — and an external auditor — that you are learning from failures rather than burying them.
The 90-day rollout
Spread the work across three months:
- Weeks 1–3: Draft policy, inventory existing AI use, agree risk tiers.
- Weeks 4–6: Set up the review committee, hold first sessions, publish SLAs.
- Weeks 7–10: Roll classification across the existing inventory; identify Tier 2 systems and queue them for full review.
- Weeks 11–13: First quarterly review of register; refine policy based on early friction.
At month 4, you have a working governance stack. Most of the documentation will need an annual refresh; the inventory and incident register live forever.
What this gets you
- Procurement responses you can actually defend
- EU AI Act, NIST AI RMF, and ISO 42001 readiness foundations
- Internal clarity about what is allowed and what needs review
- A discoverable AI footprint that does not surprise the CTO
- The minimum credible posture for enterprise customers
You can scale up from here — automated inventory discovery, integrated risk tooling, dedicated AI governance hires — when the volume justifies it. But starting heavier than this is usually a waste of organisational capacity. Starting lighter, in 2026, is a procurement risk you can no longer afford.