The Minimum Viable Policy for AI: Balancing Innovation and Governance

The pace of AI innovation demands a pragmatic approach to governance. Blanket restrictions stifle progress, while a lack of policy exposes the organization to significant risk, including "shadow IT" and data breaches. The goal of a Minimal Viable Policy for AI (MVP-AI) is to enable productivity gains while establishing a clear, low-friction framework for responsible AI adoption. As Shopify CEO Tobi Lütke stated in his AI memo, "Reflexive AI usage is now a baseline expectation." We must empower our teams to meet this expectation without creating an environment of unmanaged risk. Leaders who don't embrace AI as a core competency for their teams risk stagnation, which is, as Lütke notes, "slow-motion failure".

The challenge for most organizations, however, is a classic Catch-22: How do you unlock the transformative productivity gains of AI while navigating the significant risks of data security, intellectual property, and emerging regulations like GDPR and the EU AI Act? The reflex for many is to create rigid, bureaucratic policies that become a bottleneck, pushing employees to resort to "shadow IT" and unsanctioned tools. This is the wrong approach, I'll outline a better one here.

The Problem with "Just Say No"

A strict, top-down ban on AI tools is counterproductive. Employees will find ways to use them regardless, often with their personal accounts and outside of any corporate oversight. This

"shadow IT" poses a direct threat to data security, intellectual property, and regulatory compliance (e.g., GDPR, AI Acts). It also deprives the company of valuable insights and potential productivity improvements. A more effective strategy acknowledges this reality and channels the energy of innovation into a controlled, safe environment.

The solution is not to block but to enable, with guardrails. We need a Minimum Viable AI Policy (MVP-AI).

The MVP-AI Framework: A New Policy for a New Era

An MVP-AI is a short, easily communicated document, less than three pages, that is signed off by key stakeholders and widely circulated. Its purpose is to foster an environment of controlled experimentation

💡

If you bristle at my use of the word "Policy"; Instead of a "policy," consider a "memo," a "vision," or even a "constitution" for AI use. This re-framing can align with your organisation's culture and empower teams to innovate rather than simply comply. The key is to convey a clear, simple ethos that guides decision-making and fosters trust, not just a list of rules and boilerplate.

This framework is built on three core principles:

Low-Friction Evaluation: Teams can initially evaluate new AI tools without a full IT approval cycle. A simple example: no more than 500* lines of company-specific, non-customer, or non-personal data can be used with a third-party tool. This threshold allows for rapid testing of a tool's potential without exposing sensitive information, a core concern for any CTO or engineering leader with a background in data security and compliance.
Controlled Access: All accounts for new AI tools must be created using a corporate email address, not a personal one. This simple rule provides a clear audit trail and maintains corporate oversight, mitigating the risks of unmanaged access and data sprawl. It's a foundational step in bringing shadow IT into the light.
Low-Ceremony Sharing: Pilots and findings must be registered and shared. This doesn't mean a formal 50-slide deck; it means a simple internal channel or a one-page summary. This ensures that learnings are captured and that the organization can build a collective body of knowledge, a practice essential for fostering continuous learning within large-scale, international teams.

❗

All of our data feels incredibly valuable, but is it? The truth is most of your organization's data is mundane: internal project updates, draft documents, or meeting notes. This "dull data" is perfect for safe AI experimentation. By distinguishing between sensitive and non-sensitive information, you can unlock AI's potential without paralyzing the business. This is where trust and training are important; your team will be able to tell the difference.

Post-Experiment: Scaling Success and Learning from Failure

A successful MVP-AI experiment is not the end of the journey—it's the beginning. Once a tool demonstrates clear value, the process shifts from rapid experimentation to formal integration. This is where procurement, IT, and risk management teams become crucial partners. The validated insights from your pilot provide a clear business case, transforming a speculative request into a data-backed proposal.

The formal process should be expedited. The goal is to move from to a fully integrated solution with robust security protocols. This means:

Procurement: A clear business case and initial usage data will streamline vendor negotiations.
IT Integration: Focus on technical deployment, including single-sign-on (SSO) for centralized access and user management, and API integrations for seamless workflow automation.
Risk Assessment: The initial low-risk pilot data allows for a more focused and efficient security and compliance review, ensuring the tool adheres to internal and external regulations.

Just as critical is the process for what some might call a "failed" experiment. In the context of an MVP-AI, there are no failures, only learnings. A tool that doesn't meet expectations still provides valuable insight into what doesn't work and, more importantly, why.

For these trials, the process is simple and non-punitive:

Share Learnings: Document and share the results in the same low-ceremony channel. Detail what was tried, what the outcome was, and the key takeaways. This prevents other teams from repeating the same experiment.
Tidy Up: Ensure all trial accounts are deleted and trial subscriptions are cancelled. This practice maintains good security hygiene and avoids unnecessary costs.
Move On: The process of rapid iteration means you quickly move on to the next promising tool, armed with new knowledge.

This structured approach to both success and "failure" ensures the organization remains agile, avoids wasted effort, and builds a knowledge base that drives smarter decisions. It is the hallmark of a truly data-driven, learning-oriented culture.

Source Code and the MVP-AI

Handling source code under an MVP-AI framework requires a nuanced approach, balancing the immense productivity gains of AI-driven tools with the critical need for intellectual property protection and security. The core principle remains the same: enable controlled, low-risk experimentation.

The first step is a clear distinction between internal-facing code and proprietary, customer-facing code. For general, non-proprietary code snippets—such as scripts for internal processes or a small, self-contained utility—the MVP-AI's low-friction evaluation rule can apply. A developer can experiment with a new AI assistant to refactor a routine script, provided the context shared is minimal (e.g., less than a few hundred lines of code) and contains no sensitive data or core business logic.

However, for a company's core product source code, a more stringent process is required. Instead of a blanket ban, the MVP-AI framework would define a clear path for "sandbox" experimentation. This involves:

Dedicated, Internal Tools: The best approach is to leverage internal, on-premises, or private-cloud AI models, similar to how Shopify has an internal chat.shopify.lo for its employees. This ensures that sensitive code never leaves the company's secure environment.
Proxy and Pre-Tooled Solutions: For external services, like GitHub Copilot or others, the IT team should provide a pre-configured proxy. This allows developers to use these powerful tools while the company retains control over data flow and can filter sensitive information.
Small, Insulated Pilots: When evaluating a new AI service, a small, isolated pilot project can be used. This project would involve a non-critical codebase specifically designed for testing, ensuring that no core intellectual property is exposed. The results of this pilot, including performance and any security concerns, are then shared in a low-ceremony manner to inform broader decisions.

Ultimately, the MVP-AI for source code is about de-risking the "what if" by creating a safe space for experimentation. It acknowledges that the most successful engineering teams are those that learn and adapt together, embracing new tools to achieve productivity gains.. By providing clear, actionable guidelines, you empower your engineering teams to innovate responsibly, turning a potential risk into a strategic advantage.

Why This Matters for Your Business

I've seen firsthand, across diverse sectors from healthcare to open-source software, how a thoughtful approach to technology adoption can drive massive results. Leading the technology strategy for a company with a broad product portfolio, including AI and Clinical Decision Support systems, has shown me the power of strategic innovation.

An MVP-AI framework (even as just a first step) prevents a rigid policy (and the debates to write it) from becoming a roadblock. It acknowledges that the real-world value of a tool is found through use, not through a theoretical checklist. This allows teams to get a firsthand look at a tool's potential, such as using AI for code generation, data analysis, or initial document drafting, without being paralyzed by bureaucracy.

This approach transforms the role of the technology leader from a gatekeeper into an enabler, aligning with the core organizational values of continuous learning and thriving on change. It also shifts the conversation from a blanket ban to a measured, strategic rollout.

I have spent decades building and advising companies on how to navigate complex technology landscapes and drive strategic growth. The MVP-AI framework is a direct output of that experience.

If your organization is struggling to balance the promise of AI with the practicalities of governance, let's discuss how a tailored MVP-AI framework can accelerate your progress.

Contact