The 47-page policy nobody read
A 70-person company hires a governance consultant, pays for six weeks, and receives a 47-page "Responsible AI Policy" with a maturity matrix and a RACI chart. Three months later the head of sales is still pasting customer contracts into a free chatbot, and the bookkeeper built a spreadsheet macro that emails clients on its own. The binder did exactly nothing, because nobody at a growing company has time to operate from a binder.
That's the failure mode you're hiring against. At your size you don't need an AI ethics board or a 12-month framework rollout — you need a short set of rules people actually follow, and one person whose job it is to say yes or no. The NIST AI Risk Management Framework is the right backbone here, but a good consultant uses it as a checklist of questions to answer — map what's in use, measure what could go wrong, manage it, govern who decides — not as a document to transcribe. The output should fit on a page your team will reread, not a deck they'll file.
This matters more for a company your size than for an enterprise, and the data says so. PwC's Responsible AI survey shows responsible AI only sticks when it has executive attention and operating discipline behind it. A 2,000-person firm can absorb a sprawling governance function. You can't — which means every rule you adopt has to earn its keep by being usable on a Tuesday.
The four things that should exist when they leave
Skip the philosophy. Ask the consultant to walk you through four concrete artifacts before you sign anything, and judge the engagement on whether they get built.
One: an acceptable-use sheet your team can quote from memory. Not "use AI responsibly." Specifics: customer PII and signed contracts never go into a tool without a data agreement; AI-drafted client emails get a human read before send; AI code touching billing gets reviewed. If a new hire can't summarize the rules in 30 seconds, they're too long.
Two: risk tiers, so you're not reviewing everything equally. A model that drafts internal meeting notes is low-stakes. One that decides which invoices to flag, or what a customer gets quoted, is not. Tier the workflows and reserve your scrutiny for the few that can actually hurt you — a misfire there costs real money or a real client.
Three: a control wired into the actual workflow. This is where most projects quietly fail. IBM's Institute for Business Value research ties AI returns to capabilities — trusted data, clear roles, real measurement — not to policy documents. If the governance doesn't change how someone reviews an output, where data is allowed to go, or how an exception gets escalated, it isn't governance. It's wallpaper. The test: name one thing an employee does differently this week because of the work.
Four: a named owner. One person — often a COO or ops lead at your scale, not a new hire — who owns the yes/no calls and the review cadence. Without a name attached, every rule becomes optional.
And keep the scope honest about where you are. McKinsey's State of AI shows most organizations are still early in scaling AI past experiments. A consultant who shows up trying to govern an enterprise-grade deployment you don't have is selling you the wrong size. You're governing a dozen scrappy use cases, not a platform.
How you'll know it worked — six months out
Governance you can't measure is governance you can't trust. Before the engagement ends, agree on the numbers you'll watch: how many people have actually read the use sheet, how many AI workflows you've formally approved, how many exceptions got reviewed instead of slipping through, training completion, and any incidents or near misses logged. If those numbers are all zero in month two, the work didn't land — and you should say so while the consultant is still reachable.
The single best signal costs nothing to check: did anyone get told "no" recently, and is there a record of why? A live governance model produces refusals — a workflow paused, a tool blocked, a data path closed. A dead one produces only documents. Run that check yourself a month after the consultant leaves.
If you want a sharper read on which AI workflows are worth governing first — and which are quietly creating exposure right now — start with the AI Opportunity Score, then use AI Governance and Training to set the rules and owner before you push into anything higher-risk.