It always starts the same way. Someone discovers a tool that saves them two hours a week. They tell a colleague. Within a month, half the team is using it. By the time leadership notices, no one knows what is in the prompts, what data has been shared, or what the review standard is for AI-assisted outputs.
The mess does not happen because people are careless. It happens because there was no plan. The tools arrive faster than the norms do, and norms established under pressure are rarely the ones you would choose deliberately.
Small firms are particularly susceptible to this pattern. There is no dedicated IT function, no compliance team, no AI steering committee. The people making decisions about AI use are the same people doing the work. That is fine. It just means the governance has to come from somewhere practical, not from a corporate framework designed for a firm ten times the size.
Start with one use case
Trying to govern AI in the abstract is too vague to be useful. Pick one category of work where AI is already being used or is most likely to start. Internal documentation, research summaries, client communication drafts. One thing.
Get that use case right. Define what is acceptable, what requires a check, and what the output looks like before it leaves that person's hands. Once you have real norms for one thing, extending them to the next category is much easier.
Define the review expectation before it is needed
The worst time to decide whether an AI output needs review is after someone has already relied on it for something important.
Before anyone uses a tool for a given type of work, write down the review expectation for that type. It does not have to be elaborate. 'All client-facing drafts require a second read before they go out.' 'Research summaries used in proposals need to be fact-checked before they land in the document.' Simple, specific, written down.
The goal is to remove judgment calls from situations where the pressure to move fast will override the judgment call anyway.
Assign ownership early
Someone needs to be responsible for how AI is used inside the firm. Not in a formal sense, necessarily, but in the sense that when a question comes up, there is a clear person to ask.
This person handles tool access decisions, adjusts the review expectation when a new use case appears, and makes the call when something is unclear or potentially out of bounds. Small firms can handle all of this with one person. They just need to name one.
Without ownership, questions get answered inconsistently, and inconsistent answers become inconsistent practices. That is how informal AI use becomes your de facto governance model.
Expand deliberately
Once the first use case has clear norms and an identified owner, there will be pressure to expand. Good. But expand with intention.
Add a new use case when the previous one is running smoothly. Check that the review expectation for the new category makes sense given the data involved and the stakes of getting it wrong. Do not let expansion happen by default, where tools just quietly start being used in new contexts without anyone deciding it is appropriate.
When informal notes are not enough
For a while, informal alignment among a small team is sufficient. But there is a point where informal stops working. When the team grows. When client obligations increase. When the stakes of inconsistent AI use become meaningful.
At that point, the value of a structured governance framework is not the formality. It is the clarity. Writing things down in a consistent format forces decisions that informal conversations keep deferring. Usage rules. Review standards. Ownership. Rollout phases. All of it becomes explicit instead of assumed.
Most small firms find that this moment arrives earlier than expected.