Best Practices
AI-generated A mid-sized company, 120 employees. Nobody in the building can say how many AI tools are running.
ChatGPT in sales. An image generator in marketing. An assistant in accounting that someone subscribed to at some point. Every team helped itself. No policy. No ownership. No overview.
This isn’t an isolated case. This is the normal state.
This case study shows how that sprawl turned into clear AI governance in six weeks. Without switching tools. Without standstill. Without panic.
The starting point: usage yes, control no
AI had long arrived in everyday work, across several teams, with different tools. What was missing was everything around it. No approval processes. No answer to the question of which data may go into which tool. No documentation that holds up to an audit.
That isn’t just untidy. It’s a risk. Personal data ends up in external models, without a legal basis. And the EU AI Act has required AI literacy since February 2025, not only from 2027.
“We know AI is being used. But not how, where and by whom.”
That’s how it sounded at the beginning.
Governance comes from oversight, not from bans
The first reflex is often: block AI until everything is clarified. That never works. The tools are too useful, the employees too fast. A ban doesn’t create order. It creates shadow AI.
So the goal was a different one. Not to stop, but to steer. Create overview, lower risks, enable usage, empower teams. The ambition: AI should work in everyday life, not gather dust in a manual.
Six weeks, step by step
Week 1: overview. Capture all AI tools in use, clarify use cases per team, a first risk assessment. For the first time, a complete picture of AI usage was on the table, visible to management and IT.
Week 2: responsibility. Assign each tool to a risk category. Define who decides and who approves. Diffuse responsibilities became clear roles. No more grey areas.
Week 3: rules. An AI policy nobody has to read twice. What is allowed, what isn’t, and why. Aligned with the GDPR requirements, written in the language of employees, not lawyers.
Week 4: documentation. A clean, auditable structure instead of loose files on scattered drives. Traceable for internal audits and prepared for the EU AI Act.
Week 5: enablement. Train the relevant teams, with examples from their own daily work and with room for questions. The result: fewer follow-up questions, more autonomy.
Week 6: everyday operation. Fine-tune processes, hand over to internal owners, define how AI usage will evolve. AI runs. Cleanly. Structured. Without constant external supervision.
The result after six weeks
A complete AI inventory. Clear responsibilities. An understandable policy. Documentation that stands up to the GDPR and the EU AI Act. Trained teams. And not a single day of standstill in day-to-day operations.
This is exactly the core the NADOVO platform delivers: capture AI tools and shadow AI, assign risks, transfer everything into a living AI register that grows with you instead of going stale. The framework around it, from the stocktake to training, is our AI compliance consulting. And anyone who doesn’t want to carry the governance themselves afterwards hands it over to an external AI compliance officer.
What the case shows
Three things.
Structure doesn’t slow you down. It’s what makes speed possible in the first place. Those who know what’s allowed don’t keep asking and work faster.
Cleaning up early is cheaper than late. Every month of sprawl increases the number of tools, of data and of unresolved risks. Order after the fact costs more.
AI governance isn’t a major project. It’s a clear process with a defined beginning. Six weeks are enough, if you know where to start and stay consistent.
One question to close. Could you say today how many AI tools are running in your company, who uses them and what for? If not, you now know where you begin. Our quick check gives you a first impression of where you stand.
Further reading: